View Issue Details

ID: 0002977
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-11-07 15:03
Reporter: ancpru
Assigned To: (none)
Priority: normal
Severity: feature
Reproducibility: always
Status: new
Resolution: reopened
Summary: 0002977: Security - User-Logging
Description

Some kind of user-logging would be nice, e.g.

User XYZ added bug
User XYZ changed bug
user XYZ changed user settings

and so on. Some nice people played around at my site, added themself as user, then changed the user name and their e-mail to bill.gates@microsoft.com or other strange entries.

It would be nice to be able to track it down at the original login (e-mail address). One additional possibility would IMO be to send a new generated password when someone enters a new e-mail-address in their user-settings.

Tags: No tags attached.

Relationships

related to 0000633 (closed, masc): email lost password page
child of 0005600 (acknowledged): Security - System-Logging

Activities

vboctor (manager), 2003-02-20 12:40, note ~0003753

This feature is implemented as far as bug modifications are concerned. There is no logging of other activities. Also, if a bug is deleted, you lose its history! This is implemented in 0.18.0a2.

BTW, you did not specify which version of Mantis you are using.

jlatour (reporter), 2003-02-20 12:43, note ~0003754

What about if we just send confirmation mails to the new address, and require the user to confirm?

ancpru (reporter), 2003-02-20 13:21, note ~0003756

Sorry - forgot to specify the version. It's 0.17.5.

Well, yes, a confirmation mail to the new address would be nice, or a newly generated password.

Is 0.18.0a2 OK for a production environment? Any drawbacks? However, a little bit more logging (quite simple stuff like "user did this or that") would be nice.

BTW, is there an option to disable the ability to change the user name?

jlatour (reporter), 2003-02-20 13:27, note ~0003757

0.18.0a2 is pretty stable, but the official stable release is still 0.17.5. Of course, that's also because we still need to update documentation.

Change username? Or email?

ancpru (reporter), 2003-02-20 13:29, note ~0003758

IMO the user name should stay stable (option?).

jfitzell (reporter), 2003-02-20 19:26, note ~0003766

You used to be able to change the username which I thought was odd too.

Users can no longer do this in the CVS code, only administrators.

I'm a little reluctant to force the user's password to be reset every time they change their email. But I do see the possibility for abuse there.

sigh why are people so lame?

jlatour (reporter), 2003-02-20 20:37, note ~0003768

Don't reset the password, just let them confirm the email address by clicking on some link.

We can also implement a 'forgot password' in much the same way, only you'd change the password and not the email address.

Kick The Donkey (reporter), 2004-01-03 05:26, note ~0004848

So, if you just require the user to click on a link in the email to confirm a new email address, I guess that means the account would need to be disabled. How would the confirmation work?

- Change email addy in my account.
- My account is locked. I'm told that I'll receive an email with a link that I must use to confirm the new address.
- In the background, a random key is generated and inserted into a table, with my user_id, type of key (password reset, account change, etc.) and an expiration date (what if I fat-finger the new email address? It would be nice if the system would 'expire' my unconfirmed changes and reset my account automagically to my old email). That key is sent to me, in the email, as part of a link.
- As the user, I click a link of: http://mantis.domain.com/confirm_change.php?key=1a2b3c4d5e6f7g8h9. My account is unlocked, and the key entry is removed from the table.

In this way, the code would be fairly generic, I think. Does this sound about right?
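The flow sketched in the note above, written out as an added example (this is not MantisBT code, and the class, table layout, 24-hour expiry and in-memory "users" dict are assumptions made here for illustration). Two details go beyond the note: only a SHA-256 digest of the key is stored, so a leaked table cannot be turned into working confirmation links, and the new address is held in the pending record rather than written to the account until confirmed, so an expired or mistyped request is "reverted" simply by unlocking. The key is single-use, a newer request for the same user supersedes an older one, and a housekeeping call expires stale requests.

```python
import datetime as dt
import hashlib
import secrets

TOKEN_TTL = dt.timedelta(hours=24)   # assumed expiry window for an unconfirmed change


def _hash(raw_key: str) -> str:
    """Store only a digest of the key: a dumped table yields no usable links."""
    return hashlib.sha256(raw_key.encode()).hexdigest()


class ConfirmationStore:
    """In-memory stand-in for the 'pending changes' table described in the thread."""

    def __init__(self, users, now=None):
        # users: {user_id: {"email": str, "locked": bool}}  (constructed test data)
        self.users = users
        self.pending = {}  # token digest -> pending record
        self._now = now or (lambda: dt.datetime.now(dt.timezone.utc))

    def request_email_change(self, user_id, new_email):
        """Lock the account, record the requested address, return the raw key to e-mail.

        The address is written to the account only on confirm(), so nothing but
        an unlock is needed if the key is never used.
        """
        # A newer request supersedes any earlier one for the same user.
        for digest, rec in list(self.pending.items()):
            if rec["user_id"] == user_id:
                del self.pending[digest]
        raw_key = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self.pending[_hash(raw_key)] = {
            "user_id": user_id,
            "type": "email_change",
            "new_email": new_email,
            "expires": self._now() + TOKEN_TTL,
        }
        self.users[user_id]["locked"] = True
        return raw_key                               # caller embeds this in the mailed link

    def confirm(self, raw_key):
        """Apply the pending change if the key is known and unexpired. Keys are single-use."""
        rec = self.pending.pop(_hash(raw_key), None)  # pop: a replayed key fails
        if rec is None:
            return False
        user = self.users[rec["user_id"]]
        if rec["expires"] <= self._now():
            user["locked"] = False                   # too late: unlock, keep the old address
            return False
        user["email"] = rec["new_email"]
        user["locked"] = False
        return True

    def expire_stale(self):
        """Periodic housekeeping: drop unconfirmed requests and unlock their accounts."""
        now = self._now()
        stale = [d for d, rec in self.pending.items() if rec["expires"] <= now]
        for digest in stale:
            rec = self.pending.pop(digest)
            self.users[rec["user_id"]]["locked"] = False
        return len(stale)
```

The clock is injectable so the expiry path can be exercised without waiting a day; in production `now` would be left at its default. Locking the account while a change is pending is what the note asks for, but it also means an attacker who can trigger the request for a victim can lock them out for the TTL, so a real implementation should require the current session (or password) to start the change.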

thraxisp (reporter), 2004-08-22 16:21, note ~0007101

I believe that this is fixed in 0.19rc1 with the addition of the send_reset_password feature.

grangeway (reporter), 2004-08-22 17:57, note ~0007106

Having a send-reset-password page doesn't alter whether or not we should have a log of when someone logged in, how often they log in, whether they added a bug, when they logged out, etc.

Therefore, while we've addressed getting locked out of an account, it doesn't address the original question IMO.

I.e. if someone were to hack into an account and log in, it might be nice to be able to see what bugs the 'hacker' resolved/deleted etc., so that they could be recovered.
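An added example of the kind of per-user activity log the last note asks for, and of the point vboctor raised earlier that deleting a bug loses its history: each event carries the full pre-image of the bug it touched, the log is only ever appended to, and an administrator can list what an account did in a time window and roll those changes back. This is illustrative code written for this page, not MantisBT's own; the event shape, the bug fields and the undo procedure are assumptions.

```python
import copy
import datetime as dt
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: dt.datetime
    user_id: int
    action: str               # login | logout | bug_add | bug_update | bug_delete | bug_restore
    bug_id: Optional[int]
    before: Optional[dict]    # full pre-image: a deleted bug's data survives in the log
    after: Optional[dict]


class Tracker:
    """Toy bug store plus an append-only activity log (constructed for this example)."""

    def __init__(self):
        self.bugs = {}
        self.log = []         # only ever appended to; deletes touch self.bugs, never this

    def _record(self, ts, user_id, action, bug_id=None, before=None, after=None):
        self.log.append(Event(ts, user_id, action, bug_id,
                              copy.deepcopy(before), copy.deepcopy(after)))

    def login(self, ts, user_id):
        self._record(ts, user_id, "login")

    def logout(self, ts, user_id):
        self._record(ts, user_id, "logout")

    def add_bug(self, ts, user_id, bug_id, fields):
        self.bugs[bug_id] = dict(fields)
        self._record(ts, user_id, "bug_add", bug_id, after=fields)

    def update_bug(self, ts, user_id, bug_id, **changes):
        before = self.bugs[bug_id]
        self.bugs[bug_id] = {**before, **changes}
        self._record(ts, user_id, "bug_update", bug_id, before, self.bugs[bug_id])

    def delete_bug(self, ts, user_id, bug_id):
        before = self.bugs.pop(bug_id)          # row leaves the store, not the log
        self._record(ts, user_id, "bug_delete", bug_id, before, None)

    def activity(self, user_id, since, until):
        """Everything one account did in a time window, oldest first."""
        return [e for e in self.log if e.user_id == user_id and since <= e.ts <= until]

    def undo_window(self, user_id, since, until, admin_id, ts):
        """Roll back that account's bug changes, newest first; each undo is itself logged."""
        undone = 0
        for e in reversed(self.activity(user_id, since, until)):
            if e.action == "bug_delete":
                self.bugs[e.bug_id] = copy.deepcopy(e.before)
                self._record(ts, admin_id, "bug_restore", e.bug_id, None, e.before)
            elif e.action == "bug_update":
                current = self.bugs.get(e.bug_id)
                self.bugs[e.bug_id] = copy.deepcopy(e.before)
                self._record(ts, admin_id, "bug_update", e.bug_id, current, e.before)
            elif e.action == "bug_add":
                self.delete_bug(ts, admin_id, e.bug_id)
            else:
                continue                        # login/logout carry nothing to undo
            undone += 1
        return undone
```

Undoing newest-first matters: if the intruder resolved a bug and then deleted it, the restore runs before the field revert, so the revert finds the row. Nothing in the log is ever removed, so the undo itself stays visible to a later review, and a deleted bug's pre-image remains available even if no one ever restores it.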