1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Not a Bug Password when creating new acct

Discussion in 'Resolved Bug Reports' started by creativepart, Jul 29, 2010.

  1. creativepart

    creativepart Active Member

    On the log in page I clicked Create New and entered my email address but the password box was unavailable. I changed the radio button back to existing account and the password box became available. So, I entered my password and then changed it to Create New and it accepted both the username and the password.

    I was using FireFox 3.X
  2. Brandon

    Brandon Active Member

    so you're saying the password should be cleared on submit when creating a new user account.

    the rest of what you described I would expect as normal behavior.
  3. Nick

    Nick Well-Known Member

    When you say "login page" are you referring to the login area that appears at the top of the screen, or the actual registration page?
  4. creativepart

    creativepart Active Member

    I didn't see a registration page.

    I saw a login with username and password box. Between them were two radio buttons. One said Create New Acct (or similar) the other said "Existing Account" (or similar). It seemed obvious that I could put in a username and password and click "Create New Acct" to register. But when the "Create New Acct" radio button was checked I could enter a username but not a password.

    By clicking "Existing Acct" I could fill in both a username AND a password -- and then click Create New Acct and when submitted that registered my new acct.

    It seems, that "Create New Acct" should either take me to a dedicated registration screen, OR it should let me pick a username and a password to begin the registration process.

    Maybe, it shouldn't have worked at all -- but it worked in a totally unexpected way.
  5. Erik

    Erik Well-Known Member

    The intended behavior is that you enter a username, check the "Create New Account" radio button, and then click Sign Up without entering a password. You'll then be taken to a new registration page:

    It seems like you've found a hole whereby you can create a new account directly from the login form by doing some trickery with the radio buttons and password field. In other words, it should not have registered a new account for you. :)

    I would actually classify this as a semi-serious security hole that needs to be fixed ASAP, as it allows anyone to register accounts without any email address entered, DOB, or any sort of anti-spam measures.
  6. Mike

    Mike XenForo Developer Staff Member

    I don't think it would/could actually create an account directly from there...
  7. Erik

    Erik Well-Known Member

    I don't think it could either, but that's what it sounds like from the OP's description, although I could have misinterpreted. At the very least I would test it out. :)

    EDIT: I can confirm, I just tested this (tried to create a new account), and it does not work as the OP described. It just brings me to the new registration page as expected. So, doesn't look like there's a bug at all. :)
  8. Mike

    Mike XenForo Developer Staff Member

    I think he may have just been confused by the interface, thinking that the password had to be specified as well, while the password is actually depending on having an existing account.
  9. Reeve of Shinra

    Reeve of Shinra Well-Known Member

    nevermind, I was mistaken...
  10. creativepart

    creativepart Active Member

    I sure "think" I created an account there -- but probably all it did was take me to the Create account page and I thought it was a second part of the process.

    Either way -- it wasn't 100% clear. It would be better to have a create account submit type button, rather than have it be part of the Login like that.
  11. Eric

    Eric Active Member

    Speaking of passwords & registration, will there be an Admin option to choose how strong a user's password must be?

Share This Page