• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Duplicate  Unconfirmed user can update status

erich37

Well-known member
#1
I have a user which signed-up today and also posted a "profile message" onto his own profile and also entered his "locaton" and his "occupation".

The strange thing is:
this user still did not confirm his e-mail-address. When I go into my ACP, then it says for this user:
User state: "awaiting e-mail confirmation"

Question:
why and how can a user enter a profile-message onto his profile-page when he even did not confirm his e-mail-address ???

Are you guys sure this should be like it is ?

IMO this is a potential leak for spammers.
 

erich37

Well-known member
#2
the user is not showing up in the "Members List", but the user and his profile-post is showing up within "Members > Recent Activity".
 
F

Floris

Guest
#3
admin.php?user-groups/system-unregistered-unconfirmed.1/edit

profile settings > can post profile post : is this set to inherit, yes, no ?
 

Brogan

XenForo moderator
Staff member
#7
I have just tested this and I am unable to post on the profile of an unconfirmed account.

Other profile information is able to be entered such as status message, location, occupation, home page, etc.

This is by design.
 

erich37

Well-known member
#8
I have just tested this and I am unable to post on the profile of an unconfirmed account.

Other profile information is able to be entered such as status message, location, occupation, home page, etc.

This is by design.
no idea, but a user has done so on my forum.
the user has posted onto his own Profile-page.
 

erich37

Well-known member
#13
Indeed that would be the spot. :)
the strange thing I see in my left screenshot is the time:

- the post was made at 5:52 A.M
- user was last seen at 5:48 A.M

not sure if the issue is coming from there, but the timing looks a bit strange....?
 

Jeremy P

Well-known member
#14
Ajax actions (like posting statuses) don't update the session activity. They clicked onto the page to post the status at 5:48, and clicked post 4 minutes later without leaving that page.
 

erich37

Well-known member
#15
I have just tested this and I am unable to post on the profile of an unconfirmed account.

Other profile information is able to be entered such as status message, location, occupation, home page, etc.

This is by design.
Homepage as well ?

Not great design if an unconfirmed user is allowed to enter a Homepage-link.....