Description
Issue Description
There is a problem with the way parse-server currently handles email changes for users. When a user changes their email, parse-server sends a verification email but also changes the user's email in the database immediately. This can let one user maliciously block another user from using an email address.
If a user changes their email to an address not yet in use (which they can discover by attempting the change and not receiving 'Email address already in use'), then the address is changed without the new one ever being verified. This prevents the person who actually owns that address from registering, because they would get the 'Email address already in use' error.
This is easily prevented by making the email address change take effect only when the verification is accepted. The emailVerified
value is set to true at that same point, so it will apply to the new email address. If the person who changed the email owns the new address, the verification succeeds; if not, the email is not changed and the user who owns that address can register without problems.
Steps to reproduce
With a registered account, change the user's email to an address that is not registered yet. Then try to register a new account with that email.
Expected Results
The registration succeeds, because the other account's email change has not been verified.
Actual Outcome
The registration fails with 'Email address already in use'.
Environment Setup
Server
- parse-server version (Be specific! Don't say 'latest'.) : 3.1.3
- Operating System: Linux Ubuntu 18.10
- Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): both
Database
- MongoDB version: 3.4.4
- Storage engine: default
- Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): both