Vulnerability in EPiServer.Forms
By default, EPiServer doesn't allow changing of email addresses. This is because email addresses are used as usernames.
We're planning to add a functionality to let users change their email address. In the background, we'll also change their usernames so it will be sync'd.
My question is this, would there be any complications if we change a user's username? (e.g. records referencing usernames?)
For the CMS, username and email are two separate entities that does not have to be connected. It might be that your solution happens to use an email as a username. The username field is used as the key for many tables to connect data to a specific user and if the username field changes all these tables needs to be synced. I don't know all tables that has these references so I would check for any dependencies to the username field in the database, hopefully all dependancies as set up as foreign keys. Some data that I know are connected:
Personalized data (probably the asp.NET tables)ACL data for pages and fileS/folders (if you have defined access rights per user)