1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Duplicate Unconfirmed user can update status

Discussion in 'Resolved Bug Reports' started by erich37, Aug 1, 2011.

  1. erich37

    erich37 Well-Known Member

    I have a user which signed-up today and also posted a "profile message" onto his own profile and also entered his "locaton" and his "occupation".

    The strange thing is:
    this user still did not confirm his e-mail-address. When I go into my ACP, then it says for this user:
    User state: "awaiting e-mail confirmation"

    Question:
    why and how can a user enter a profile-message onto his profile-page when he even did not confirm his e-mail-address ???

    Are you guys sure this should be like it is ?

    IMO this is a potential leak for spammers.
     
  2. erich37

    erich37 Well-Known Member

    the user is not showing up in the "Members List", but the user and his profile-post is showing up within "Members > Recent Activity".
     
  3. Floris

    Floris Guest

    admin.php?user-groups/system-unregistered-unconfirmed.1/edit

    profile settings > can post profile post : is this set to inherit, yes, no ?
     
  4. erich37

    erich37 Well-Known Member

    I have:

    Profile Post Permissions > Post new profile posts: Not Set (No)
     
  5. Floris

    Floris Guest

    Then I can't imagine what it might be, good luck with it though.
     
  6. erich37

    erich37 Well-Known Member

    please move to "bug reports"
     
  7. Brogan

    Brogan XenForo Moderator Staff Member

    I have just tested this and I am unable to post on the profile of an unconfirmed account.

    Other profile information is able to be entered such as status message, location, occupation, home page, etc.

    This is by design.
     
  8. erich37

    erich37 Well-Known Member

    no idea, but a user has done so on my forum.
    the user has posted onto his own Profile-page.
     
  9. erich37

    erich37 Well-Known Member

    see screenshot attached:

    profile_post.jpg acp_unconfirmed.jpg
     
  10. Mike

    Mike XenForo Developer Staff Member

    Looks like there's a place that doesn't check that you can update your status.
     
  11. Jeremy P

    Jeremy P Well-Known Member

    erich37 and Floris like this.
  12. Mike

    Mike XenForo Developer Staff Member

    Indeed that would be the spot. :)
     
    Floris likes this.
  13. erich37

    erich37 Well-Known Member

    the strange thing I see in my left screenshot is the time:

    - the post was made at 5:52 A.M
    - user was last seen at 5:48 A.M

    not sure if the issue is coming from there, but the timing looks a bit strange....?
     
  14. Jeremy P

    Jeremy P Well-Known Member

    Ajax actions (like posting statuses) don't update the session activity. They clicked onto the page to post the status at 5:48, and clicked post 4 minutes later without leaving that page.
     
    Mike likes this.
  15. erich37

    erich37 Well-Known Member

    Homepage as well ?

    Not great design if an unconfirmed user is allowed to enter a Homepage-link.....
     
  16. Digital Doctor

    Digital Doctor Well-Known Member

    Do unconfirmed users show up in Members ?
     
  17. erich37

    erich37 Well-Known Member

    nope.
     
  18. Digital Doctor

    Digital Doctor Well-Known Member

    Where do they show up then ?
     

Share This Page