[Security] Email and password changing

6 Apr Edited
https://community.mybb.com/post-1114226.html This is a massive security vulnerability, the change email page is directly accessible.

- Permission setting to change password and email for usergroups.
- Username changes are moderator approvable, this functionality should be provided with password and email changes.
- Enforce email verification for password and email changes.
- Previous email, date and IP logging for email and password changes.
- Failed login attempts logging between password and email changes.
- IP and date logging for password reset requests.
- Lookup accounts with password/email changed from IP range.

Secondary plugin:
- Message and title filter for thread creation in sub-forums that prevents posting and responds with customizable instructions.
- Message and title filter for PM's and contact page which would disable(IP and cookie block) PM'ing and contacting through the contact page until further notice. This should be a flag in the database that can be modified externally and it would eventually update in the Task Manager.
Shade 6 Apr
I can work on the first one. I have to do some brainstorming but it might be a Basic to Advanced-tier plugin. Don’t expect it before end of July/August.

Please open a thread per each plugin request.

PS: there is no security vulnerability. Both pages are only accessible if logged in.
Kalju 6 Apr Edited
The point is to stop users from being able to change email and password and the info provided in that thread just hides the buttons without removing the functionality.

I have it implemented by just copying the permission code from "can change username".
Shade 6 Apr
So you don't need it anymore?
Kalju 7 Apr
Still need the logging data.
Shade 7 Apr Edited
Alright, will add to my to-do list.