Opened 5 years ago
Closed 6 hours ago
#48879 closed enhancement (fixed)
Changing Site Admin Email Assumes Username and Who Took the Action (which may be incorrect)
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 6.8 | Priority: | normal |
| Severity: | minor | Version: | 5.3 |
| Component: | Administration | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
(Note that this is on MultiSite and I don't know exactly how it functions on a single site install.)
I think the email message that is sent when someone updates a Site Admin Email Address should be modified as to NOT be addressed: Dear CURRENT_USER_NAME, and shouldn't say that "YOU" have recently requested to update the email.
If I want to change the site admin email for a site, the confirmation email goes to the new email address (say, a client), but the email says "Dear MadtownLems,". We have had a few cases now where these emails alarmed users, who thought they were phishing attempts or that they had been hacked.
This is very confusing for our users, as they have received an email addressed to someone else, and it tells them that they tried to do something that they may not have tried to do. Rather, I believe the text would be much cleaner if it said something like:
"Someone ('MadtownLems') has requested to update the email address for the site..."
Attachments (3)
Change History (24)
#2
4 years ago
- Keywords good-first-bug added; 2nd-opinion removed
- Milestone changed from Awaiting Review to Future Release
#3
4 years ago
I took a look at this ticket and wasn't able to reproduce this issue. The message I'm getting when changing a site admin email is:
'Hi ###USERNAME###, This notice confirms that your email address on ###SITENAME### was changed to ###NEW_EMAIL###. If you did not change your email, please contact the Site Administrator at ###ADMIN_EMAIL### This email has been sent to ###EMAIL### Regards, All at ###SITENAME### ###SITEURL###'
It appears that this was fixed in a recent update in WordPress. If not, can you please explain how to reproduce this bug?
Is there anything else needed to be done on this ticket?
#4
4 years ago
The email message you have quoted is changing the email address of your user account. This ticket is about changing the Site Administration email address.
I confirmed this issue still exists on 5.8-RC-2.
To reproduce:
1) Have a multisite environment.
2) Go to a subsite, Settings->General, and attempt to change the site administration email address.
The newly entered site administration email address will get a message that states:
"Howdy (USERNAME OF SOMEONE THAT MIGHT NOT BE THE ONE GETTING THIS EMAIL),
You recently requested to have..."
But again, this makes a huge assumption that the recipient of this email took the action. When they didn't, this is a very concerning email, as it makes people think that security has been compromised.
To summarize, the two issues with the email:
1) It is addressed to the username of the currently logged in user, even when that user is changing the site administration email address to someone else.
2) It says "YOU recently..." when there's no reason to believe that the owner of the new site administration email address actually took the action to trigger this email.
#5
4 years ago
- Keywords has-patch dev-feedback added; needs-patch removed
@MadtownLems thanks for the clarification. I submitted a patch with proposed changes.
#6
4 years ago
I like those changes, thanks!
I was hesitant to do a patch for this because I'm not sure what's all involved in changing text (if you have to factor in translations, etc.).
#7
4 years ago
You're welcome. Now that you mention it, I'm not sure about that either. Maybe someone with more experience will chime in on this :)
This ticket was mentioned in Slack in #forums by jan_dembowski.
11 months ago
This ticket was mentioned in PR #6789 on WordPress/wordpress-develop by @thehercules.
8 months ago
#9
Trac Ticket : Ticket #48879
This PR addresses and resolves the confusion caused by the current email notification sent when the site admin email address is updated.
Issues Fixed:
- Incorrect Addressing: The email was previously addressed to the current user's username, causing confusion for the recipient.
- Misleading Language: The email stated “Howdy, ###USERNAME###”, which was misleading for recipients who did not perform the action.
Changes Made:
- The email is now addressed generically without using the current user's username, i.e., “Howdy,”
- The language has been updated to indicate that someone (specified by the username of the requester) has requested the email change, rather than implying the recipient performed the action.
These changes aim to reduce confusion and prevent users from thinking the email is a phishing attempt.
#10
8 months ago
@MadtownLems I have created a patch for this in PR https://github.com/WordPress/wordpress-develop/pull/6789. Can you review it and suggest changes, if any?
@MadtownLems commented on PR #6789:
8 months ago
#11
Thanks for doing this!
This language feels a bit clunky to me:
"User ###USERNAME### with administrator capabilities recently requested"
Perhaps something more like:
"A site Administrator (###USERNAME###) recently requested"
This ticket was mentioned in PR #7109 on WordPress/wordpress-develop by iflair.
7 months ago
#13
#48879 Changing Site Admin Email Assumes Username and Who Took the Action
#15
7 days ago
- Milestone changed from Future Release to 6.8
- Owner set to johnbillion
- Status changed from new to reviewing
#17 (follow-up: ↓ 18)
31 hours ago
- Resolution set to fixed
- Status changed from reviewing to closed
In 59799:
#18 (in reply to: ↑ 17)
31 hours ago
- Resolution fixed deleted
- Status changed from closed to reopened
Replying to johnbillion:
There seems to be a typo in "site Administrator". This should either read "Site Administrator" or to be consistent with existing strings "site administrator".
#19
30 hours ago
- Keywords good-first-bug has-patch dev-feedback removed
Thanks Dominik, yeah let's go with the lowercase.
This ticket was mentioned in PR #8288 on WordPress/wordpress-develop by @sukhendu2002.
30 hours ago
#20
- Keywords has-patch added
Trac ticket: https://core.trac.wordpress.org/ticket/48879
Agreed this needs improving. There are other email notifications that work like this too, e.g. the "Delete My Site" one is worded the same.