XF 1.4 Is this a way to bypass registration system?

[flowerpot132]

Every member has to be manually checked on our forum. So awaiting approval then we check their details are ok and let them in.

Someone got in but we didn't let them in as they didn't pass our checks.

I remember seeing this user in awaiting to moderated and left them there.

I also remember seeing them listed in the forum as members online which is technically ok right? But they can't see any of the forums. They can just login and out and change account details. Avatar, email address etc.

They did change their email address.

Now they are set as "valid" in the backend.

Is that possible?

 

[Mike]

Can you show the user change log history for this user?

 

[flowerpot132]

Sorry where is that again? I have searched for it. https://xenforo.com/community/search/8434276/?q=change+log+history&o=relevance

 

[Mike]

When editing the user, look at the "change log" tab.

 

[flowerpot132]

As you can see he has changed email address from a gmail version to an icloud one. Today admin edited the state from valid.

 

[Mike]

Did someone manually edit the account to email bounced? The system will only put users into that state from the valid state, so it's a post-approval state only, which is why it went back to one of the other post-approval states (email confirmation from edit) and then to valid.

Aside from the message displayed, going to the email bounced state doesn't differ from awaiting approval (we don't send most emails in either case), so there isn't generally an expectation of that as a change. If you really do want to change the state there, you should probably go back to awaiting email confirmation.

 

[flowerpot132]

We do that on purpose. It's the one option that keeps the user details (opposed to reject and delete) and removed them from the list of awaiting to approve. We want that clear.

So any idea of a user could become valid by doing that email change thing? Or was it a human error on our part and we approved them by mistake.

 

[Liam W]

We do that on purpose. It's the one option that keeps the user details (opposed to reject and delete) and removed them from the list of awaiting to approve. We want that clear.

So any idea of a user could become valid by doing that email change thing? Or was it a human error on our part and we approved them by mistake.

If a user is placed into the email invalid state, they will be placed into the valid state when they confirm their email, as the email invalid state will only be applied to valid users by the system.

If you're using the email invalid state, you're basically approving them but making them change their email address.