Disable password reset for suspended user

peopleinside

A suspended user should be not able to reset his password.
Admin can so change the password if for same reason the user should be not able to login.

I think this implementation will be just an additional good function to add.
Why a banned user should be able to reset his password? Maybe can generate a lot of email, password request generating spam and issues to domain email.

Admins in this case doesn't have any tools to stop and to manage this.
A suspended, banned user should not generate any email from the community.

Once the suspension will be ended for manual unlock or for the time expiration, user should return able to request a password reset.

Can I ask to add this feature in GitHub?

clarkwinkelmann

peopleinside I'm not exactly sure how we ended up here and whether this was intentional from the start, but the current implementation is clearly made with no restrictions around login, logout or password resets for suspended users. We will soon make some changes to the permissions during which we might make it easier for extensions to customize this.

At the moment there's also no mechanism designed to stop email sending for some groups of users. We would first need to design something before extension could start interacting with the email ability.

This would need to be split across many issues, so it would probably be best we have an internal discussion about this stuff and create appropriate issues based on that.

A related issue I have noticed is that the current system doesn't prevent sending emails to users who have not yet confirmed their address. If they register and follow a discussion, they will start receiving notifications even if they have not validated their email yet. This needs to be handled in a broader email control system.

peopleinside

clarkwinkelmann Great, I hope to don't need an extension for disable email for a suspended user. If a GitHub issue is created about that can you post here so I can follow?

The fact a suspend user can generate email is something not good on my opinion and good point, of curse also a not verified user should maybe not get email but should still get password reset email even if the account is not verified or maybe need to receive the verification email and be able to request again if doesn't received. Maybe also an email anti-flood can help to prevent a generation of too much password reset or verification emails.