Allow password reset email to be sent to any verified email address
Currently the password reset email is only sent to the primary email address. If a user loses access to their primary email address, they should still be able to receive the password reset email if they have a secondary email address in their profile.
Send the password reset email to whichever email address the user has requested as long as it is verified
This is somewhat tricky because we're overriding Devise behavior. Devise uses the
Recoverable#send_reset_password_instructions_notification method to send the notification. Inside that method it uses
send_devise_notification. By default it sends empty opts, but the opts hash should accept a
I think we can override the method by creating
User#send_reset_password_instructions_notification and calling the same
send_devise_notification method with our own
to values. We should only send to confirmed email addresses.
For details, see:
Please update the description as refinement occurs.
This feature should be configurable at the instance level. Admins should have the ability to keep the existing behaviour of only allowing password resets to be sent to the primary email address.