Not a bug  Password when creating new acct

creativepart

creativepart

Active member
On the log in page I clicked Create New and entered my email address but the password box was unavailable. I changed the radio button back to existing account and the password box became available. So, I entered my password and then changed it to Create New and it accepted both the username and the password.

I was using FireFox 3.X
 
so you're saying the password should be cleared on submit when creating a new user account.

the rest of what you described I would expect as normal behavior.
 
When you say "login page" are you referring to the login area that appears at the top of the screen, or the actual registration page?
 
I didn't see a registration page.

I saw a login with username and password box. Between them were two radio buttons. One said Create New Acct (or similar) the other said "Existing Account" (or similar). It seemed obvious that I could put in a username and password and click "Create New Acct" to register. But when the "Create New Acct" radio button was checked I could enter a username but not a password.

By clicking "Existing Acct" I could fill in both a username AND a password -- and then click Create New Acct and when submitted that registered my new acct.

It seems, that "Create New Acct" should either take me to a dedicated registration screen, OR it should let me pick a username and a password to begin the registration process.

Maybe, it shouldn't have worked at all -- but it worked in a totally unexpected way.
 
The intended behavior is that you enter a username, check the "Create New Account" radio button, and then click Sign Up without entering a password. You'll then be taken to a new registration page:
hcUsw.png


It seems like you've found a hole whereby you can create a new account directly from the login form by doing some trickery with the radio buttons and password field. In other words, it should not have registered a new account for you. :)

I would actually classify this as a semi-serious security hole that needs to be fixed ASAP, as it allows anyone to register accounts without any email address entered, DOB, or any sort of anti-spam measures.
 
Mike said:
I don't think it would/could actually create an account directly from there...
Click to expand...

I don't think it could either, but that's what it sounds like from the OP's description, although I could have misinterpreted. At the very least I would test it out. :)

EDIT: I can confirm, I just tested this (tried to create a new account), and it does not work as the OP described. It just brings me to the new registration page as expected. So, doesn't look like there's a bug at all. :)
 
I think he may have just been confused by the interface, thinking that the password had to be specified as well, while the password is actually depending on having an existing account.
 
I sure "think" I created an account there -- but probably all it did was take me to the Create account page and I thought it was a second part of the process.

Either way -- it wasn't 100% clear. It would be better to have a create account submit type button, rather than have it be part of the Login like that.
 
Speaking of passwords & registration, will there be an Admin option to choose how strong a user's password must be?
 

Similar threads

L
XF 2.2 Xenforo Login Issues
Replies
0
Views
258
leebo
L
Mr Lucky
Phrase on button to submit or post DM
Replies
0
Views
146
Mr Lucky
Mr Lucky
Rengobli
Add-on Custom Login Add-On
Replies
0
Views
640
Rengobli
Rengobli
S
  • Question Question
Problem with free demo signup.
Replies
5
Views
526
FTL
FTL
AndyB
Fixed Password reset allowed using email of banned user
Replies
4
Views
1K
Chris D
Chris D
Top Bottom