Private Nodes are viewable by users who have not yet confirmed their e-mail

XFuser

XFuser

Active member
Hello,

If a user registers and upon registration is automatically assigned a User Group that gives them permission to view a Private Node, then they are able to view the Private Node before confirming their e-mail.

Users who are not "valid" with a confirmed e-mail should not be considered "full members" and should therefore not be able to view Private Nodes until they confirm their e-mail.

Please fix this issue.

Thank you.
 
Sort by date Sort by votes
Digital Doctor said:
You probably have to set the settings to do what you want.
Click to expand...
What do you mean? We require e-mail confirmation, yet users who haven't confirmed their e-mails are granted viewing permissions (based on a secondary usergroup they are automatically assigned to upon registration) that they shouldn't have until they have confirmed their e-mail. What setting other than "Enable Email Confirmation" are you referring to?
 
Upvote 0 Downvote
Digital Doctor said:
Assign the permissions when they confirm their email ?
Click to expand...
The permission is assigned automatically when they register. The point is, a member should not be granted any kind of permission from primary or secondary usergroups until they confirm their e-mail whenever e-mail confirmation is enabled. Otherwise, what is the point of e-mail confirmations?
 
Upvote 0 Downvote
Digital Doctor said:
B/c you set it up that way.
This isn't a bug, it's your settings.
Click to expand...
I think we are discussing two different things. On the one hand, there are the Usergroup Permissions that determine what an entire usergroup can see and/or do. On the other hand, there is the individual User State that determines whether an individual user is valid or not. The individual User State should trump all when e-mail confirmations are enabled. Otherwise, again, what is the point of e-mail confirmations?

In other words, it doesn't matter if a user is a member of every user group, if they are not valid, then they are not valid. Period. Validity is not ambiguous, either a user is valid or they are not. If they are not valid, then they should not be able to do anything on the Forum until they are granted validity.

This seems like common sense, what am I missing?
 
Upvote 0 Downvote
Not a bug - the validate email address stops people from adding content to the site, that's all and that's all it should do

I suggest that if you want to grant permissions only to those that have validated their email, then make the relevant usergroup part of a usergroup promotion that is activated upon a user's state becoming valid. Note that unless you change the cron job timing, it will run hourly.
 
Upvote 0 Downvote
Jim Boy said:
Not a bug - the validate email address stops people from adding content to the site, that's all and that's all it should do
Click to expand...
If that's the case, then the phrasing of "Valid" in the User State should be changed to "Valid E-mail".

Jim Boy said:
I suggest that if you want to grant permissions only to those that have validated their email, then make the relevant usergroup part of a usergroup promotion that is activated upon a user's state becoming valid. Note that unless you change the cron job timing, it will run hourly.
Click to expand...
Although I appreciate your solution and agree that it would work, such a convoluted solution to this problem is precisely why the User State of "Valid" should trump all Usergroup Permissions as it's a much easier, elegant, and more intuitive solution.

I've provided an example of why users should not be granted any access by XF until they become valid by confirming their e-mails. For the opposite perspective, could someone please give me an example of why users should be granted any access at all before validating their account when e-mail confirmation is enabled? I'm trying to understand in what kind of scenario that would be useful. Thanks.
 
Upvote 0 Downvote
XFuser said:
For the opposite perspective, could someone please give me an example of why users should be granted any access at all before validating their account when e-mail confirmation is enabled? I'm trying to understand in what kind of scenario that would be useful. Thanks.
Click to expand...
Being invalid isn't just something that happens at registration, it also happens when people fail to update their email address and they get disabled through email bounce handling, sometimes its just a quirk that causes the user to be invalid. Now if I was running a forum where I was giving out stockmarket tips on a private board - one that the user has paid to get access to, then if they were to suddenly to lose access on the basis of a dodgy email, then they would rightly be peeved.

The only reason why this functionality exists is to try and show that user account is a real person, it's not a permissions tool, XF comes with a permissions system that is powerful and does the job.
 
Upvote 0 Downvote
Jim Boy said:
Being invalid isn't just something that happens at registration, it also happens when people fail to update their email address and they get disabled through email bounce handling, sometimes its just a quirk that causes the user to be invalid. Now if I was running a forum where I was giving out stockmarket tips on a private board - one that the user has paid to get access to, then if they were to suddenly to lose access on the basis of a dodgy email, then they would rightly be peeved.
Click to expand...
Thanks for providing this scenario.

In that case, it really should be renamed to "Valid E-mail" instead of "Valid" as the latter suggests a very different thing to a newcomer to XF, particularly when it falls under the "User State" label. Thanks again.
 
Upvote 0 Downvote
XFuser said:
Hello,

If a user registers and upon registration is automatically assigned a User Group that gives them permission to view a Private Node, then they are able to view the Private Node before confirming their e-mail.

Users who are not "valid" with a confirmed e-mail should not be considered "full members" and should therefore not be able to view Private Nodes until they confirm their e-mail.

Please fix this issue.

Thank you.
Click to expand...

How are you setting this node to private? Did you check the "Private Node" checkbox or did you revoke permissions and have them granted via secondary user groups (without ticking the box?). Are you granting permissions / promotions that can be matched by them before they confirm their account? What do you see by analyzing permissions for an unconfirmed user on the node?

XFuser said:
In other words, it doesn't matter if a user is a member of every user group, if they are not valid, then they are not valid. Period. Validity is not ambiguous, either a user is valid or they are not. If they are not valid, then they should not be able to do anything on the Forum until they are granted validity.

This seems like common sense, what am I missing?
Click to expand...

Validity is nothing more than a user state, of which you have several related to emails and registering. All validity means is that they confirmed their email (if you require it) or you've manually approved one that was caught by various spam filters to send them to moderation queue. It's also the step before "registration" finishes.

Jim Boy said:
Not a bug - the validate email address stops people from adding content to the site, that's all and that's all it should do

I suggest that if you want to grant permissions only to those that have validated their email, then make the relevant usergroup part of a usergroup promotion that is activated upon a user's state becoming valid. Note that unless you change the cron job timing, it will run hourly.
Click to expand...

This is not true. If you allow guest posting, they will be allowed to add content. Access and abilities are controlled by permission, even in this state.
 
Upvote 0 Downvote
A user in a non-valid state always receives the permissions of the unregistered / unconfirmed group. How have you confirmed the issue? Are you running any add-ons ?
 
Upvote 0 Downvote
Jeremy said:
How are you setting this node to private? Did you check the "Private Node" checkbox or did you revoke permissions and have them granted via secondary user groups (without ticking the box?). Are you granting permissions / promotions that can be matched by them before they confirm their account? What do you see by analyzing permissions for an unconfirmed user on the node?
Click to expand...
I checked the "Private Node" checkbox.

Mike said:
A user in a non-valid state always receives the permissions of the unregistered / unconfirmed group. How have you confirmed the issue? Are you running any add-ons ?
Click to expand...
I think I found the problem, then. These particular users, despite not having confirmed their e-mails yet and therefore not being "Valid" yet, are in the "Registered" primary usergroup instead of the "Unregistered / Unconfirmed" usergroup. So that must mean that the bug is with the add-on we are using. That add-on is incorrectly assigning those new users the "Registered" usergroup before they confirm their e-mail despite having the "Skip Email Confirmation" option of that add-on disabled.

Thanks for your clarifications Jeremy and Mike, it wasn't making sense to me how non-Valid users were having permissions they weren't supposed to have despite being assigned a secondary Usergroup that gave them those permissions, and the replies from the first 2 gentleman above confused me even further as they were suggesting that the problem was with the secondary usergroup when in reality the problem was with the primary usergroup as Mike pointed out. Being assigned the "Unregistered / Unconfirmed" primary usergroup until users confirm their e-mails is exactly how XF should work when E-mail Confirmation is enabled and makes perfect sense as that primary usergroup will trump any secondary ones with regards to the "Never" permissions.

I'm going to bring this to the attention of the add-on authors so that they can fix it ASAP.

Thanks again to everyone for their help.
 
Upvote 0 Downvote
The groups aren't changed. The user just receives the permissions from the unregistered / unconfirmed group. That's why I was asking how you confirmed it. You should be able to verify it by just changing your own user's state in the ACP.

There is also no priority distinction between primary and secondary groups.
 
Upvote 0 Downvote
Mike said:
The groups aren't changed. The user just receives the permissions from the unregistered / unconfirmed group.
Click to expand...
And that's how it should work, but this add-on is giving users the "Registered" usergroup before they actually confirm their e-mail and become "Valid".

Mike said:
That's why I was asking how you confirmed it. You should be able to verify it by just changing your own user's state in the ACP.
Click to expand...
The users who have registered but have not yet confirmed their e-mail have the "Registered" usergroup assigned yet their User State shows as non-Valid, so they are incorrectly receiving the "Registered" permissions before actually confirming their e-mail.

Mike said:
There is also no priority distinction between primary and secondary groups.
Click to expand...
True, but the "Never" permissions of the "unregistered / unconfirmed" usergroup would trump all other permissions, correct?
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

DaveM
  • Question Question
XF 2.2 New Member Cannot See Forum Nodes
Replies
11
Views
410
AndrewSimm
AndrewSimm
Vercingetorix
Activity Summary emails are the digital equivalent of junk mail.
Replies
3
Views
1K
Vercingetorix
Vercingetorix
RobinHood
Sax Bandits - Case study using XenForo to create a private membership only community
2
Replies
23
Views
4K
RobinHood
RobinHood
XFuser
  • Question Question
Do New Users who are awaiting Approval of their account not have to confirm their e-mail?
Replies
3
Views
649
Mike
Mike
fionix
Problem bounce rate e-mails. SMTP.COM howis because of it!
Replies
6
Views
937
whynot
whynot
Top Bottom