Hi,
I was considering using this rule to cut out a step in my user creation flow. It works as intended the first time a user is created, but I think it can create problems with later email verification if the email associated with the user is changed.
- User is created, password is reset (so last_password_reset is set)
- Suppose the user updates his email after creation (email_verified = false, email is changed)
- Email verification ticket/email is sent
- User ignores the email from step 2 and logs in
  → Rule marks the email as verified (since last_password_reset is set and email_verified is false) but it is not
If I am correct, I am looking for a simple way to fix this or at least this case should be cited in the documentation.
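
The flow described in this post, modeled as plain JavaScript (an added example, not code from the post or from Auth0). The rule condition is the one stated in the post; `app_metadata.reset_consumed_at`, the sample user and `replayFlow` are hypothetical names used only for this sketch.

```javascript
// Model of the rule condition as the post describes it:
// "last_password_reset is set and email_verified is false" => mark verified.
function naiveRule(user) {
  if (user.last_password_reset && !user.email_verified) {
    return { ...user, email_verified: true };
  }
  return user;
}

// Variant: each password reset may verify an email only once.
// The reset timestamp already used is remembered in a hypothetical
// app_metadata.reset_consumed_at field (an assumption of this example).
function hardenedRule(user) {
  const meta = user.app_metadata || {};
  const freshReset = Boolean(user.last_password_reset) &&
    user.last_password_reset !== meta.reset_consumed_at;
  if (freshReset && !user.email_verified) {
    return {
      ...user,
      email_verified: true,
      app_metadata: { ...meta, reset_consumed_at: user.last_password_reset },
    };
  }
  return user; // falls back to the normal verification email
}

// Replays the four steps from the post against a constructed user record.
function replayFlow(rule) {
  let user = {
    email: 'old@example.com',            // constructed sample value
    email_verified: false,
    last_password_reset: '2024-01-01T00:00:00.000Z',
  };
  user = rule(user);                     // first login after the reset
  const firstLogin = user.email_verified;
  // Email is changed; verification mail is sent but ignored.
  user = { ...user, email: 'new@example.com', email_verified: false };
  user = rule(user);                     // login without verifying
  return { firstLogin, afterEmailChange: user.email_verified };
}

console.log('naive   ', replayFlow(naiveRule));
console.log('hardened', replayFlow(hardenedRule));
```

A reset link issued before the email change but completed after it would still count as a fresh reset in this sketch, so that case needs a separate check.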