Open
Description
Is your feature request related to a problem? Please describe.
- changing admin email sends the confirmation email to new email instead of current email. effectively not notifying the original email of this change
- additional security features like 2FA/etc might be good as attendee details / etc are all sensitive
Describe the solution you'd like
- Should send the confirmation to the email that is currently saved to the database instead
Describe alternatives you've considered
- Login 2FA?
- I could see adding auth on the reverse proxy level could help but that would be sitewide
Additional context
Won't go as far as saying this is a bug or vulnerability as Stripe details can only be accessed through deployment. However without additional security like 2FA, someone could try to bruteforce passwords or try a leaked password and change the email without the user even knowing. Additional security could help here :)