
Fixed Unconfirmed users can enter "Personal Details" and "Follow"

erich37

Well-known member
#1
user which is not confirmed (user awaiting e-mail confirmation) is able to:

- post text into the "About You" editor box at his "Personal Details".
- "follow other members"
- enter geographic "location"

IMHO, this should not be allowed for users which are just "Guests" and did not confirm their registration yet.

So currently (XF version 1.0.4) users are able to do quite a lot of things without even confirming their e-mail-address via confirmation e-mail.

As per my understanding, unconfirmed users should not be allowed to do anything on my forum until they confirm their registration.
 

mikoo

Active member
#2
I have just tested that... it seems that unregistered users can even post a thread; and what's more: it seems new registered members do not even get a second email to confirm their email account... weird...
 

Jeremy P

Well-known member
#3
> I have just tested that... it seems that unregistered users can even post a thread; and what's more: it seems new registered members do not even get a second email to confirm their email account... weird...
That's up to your individual permission settings. The above mentioned items there are no permissions for, and apparently no permission checks.
 

erich37

Well-known member
#5
> That's up to your individual permission settings. The above mentioned items there are no permissions for, and apparently no permission checks.

which permissions do I need to set in order to avoid "unconfirmed users" to enter text into the "About You box" and to avoid "following" other members?

Thanks!
 

Jeremy P

Well-known member
#6
> which permissions do I need to set in order to avoid "unconfirmed users" to enter text into the "About You box" and to avoid "following" other members?
>
> Thanks!
I was talking to/quoted mikoo. He was talking about creating threads and email confirmation. Then I went on to mention there are no permissions for the things you've mentioned.
 

erich37

Well-known member
#8
> user which is not confirmed (user awaiting e-mail confirmation) is able to:
>
> - post text into the "About You" editor box at his "Personal Details".
> - "follow other members"
> - enter geographic "location"
>
> IMHO, this should not be allowed for users which are just "Guests" and did not confirm their registration yet.
>
> So currently (XF version 1.0.4) users are able to do quite a lot of things without even confirming their e-mail-address via confirmation e-mail.
>
> As per my understanding, unconfirmed users should not be allowed to do anything on my forum until they confirm their registration.
EDIT:

unconfirmed user is also able to:
- enter geographic "location" (field: Location)
 

Dean

Well-known member
#9
> user which is not confirmed (user awaiting e-mail confirmation) is able to:
>
> - post text into the "About You" editor box at his "Personal Details".
Which would include live links in the About You box to anywhere on the internet.

I've been manually checking those things for new members, and it is getting extremely tedious.
 

Ingenious

Well-known member
#10
I've just done a test account on my forum and can edit the following as unconfirmed user:

Screen shot 2011-08-18 at 10.42.11.png
Couple of comments about this:

Are there any other options I need to set to restrict this type of access for unconfirmed user (apart from the things which cannot be stopped as mentioned above)?

Also, although the user can do this, I cannot find any route to the profile from the forum itself. What I mean is the username does not show up as the latest member, or in the member list, so if users cannot find the profile, does it matter anyway?
 

Ingenious

Well-known member
#12
> it definitely shows up in "Members > Recent Activities"
Edit - Yes I see the screen you mean now - A logged in "normal" user can see the unconfirmed account on recent activity. Actually it is really bad - there are seven separate entries each linking to a spam URL.
 

Ingenious

Well-known member
#13
Here's a screen shot, there's quite a lot of scope to spam here, from adding a URL to the status update (be great to remove the ability to add links to status updates!!), to the user profile fields:

Screen shot 2011-08-18 at 12.45.43.png

I'm sorry to say this as I have been enjoying XenForo thus far, but this is depressing. Preventing guests and unconfirmed accounts from doing anything is a fundamental part of the registration and security process of a community.
 
#14
Absolutely, I, too, noticed that an unconfirmed user posted in a thread, although this should not have been possible given the permissions of unconfirmed users.

Those things seriously undermine the requirements for privacy of a lot of projects -- and that's a big no. :-(
 

Mike

XenForo developer
Staff member
#16
If an unconfirmed user posted, that's definitely a permission issue (unless they of course changed their email after posting).

I don't totally follow the restrictions on setting up a profile for an unconfirmed user. If you're suggesting it from an anti-spam perspective, know that email confirmation is really a solved problem for spam bots - they will automatically confirm the account. I do agree with not pushing profile changes to the news feed while they're unconfirmed though, just to keep them less publicized. Following I could go either way on, as it's a fairly "advanced" feature.
 

erich37

Well-known member
#19
when spam-user is banned, his entries (location, occupation, etc.) still show up in recent activities.
How to delete "Recent Activities" of a banned user?
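
Added example, not part of the thread and not XenForo code: a small audit that automates the manual check described in post #9 (links in the profile fields of accounts that are not yet confirmed) and applies the feed rule from post #16 by hiding activity entries from any account that is not in a valid state. The record layout, the state names (`valid`, `email_confirm`, `banned`) and the sample data are assumptions constructed for illustration; hiding every non-valid author's entries, follows included, is a policy choice made here.

```python
import re

# Matches http(s) URLs, bare www. hosts and BBCode [url] tags; obfuscated links are not caught.
LINK_RE = re.compile(r"https?://[^\s\[\]<>\"']+|www\.[^\s\[\]<>\"']+|\[url\b[^\]]*\]", re.I)

# Profile inputs the thread reports as editable before e-mail confirmation.
PROFILE_FIELDS = ("about", "location", "status")

# Constructed sample data; the state names are assumptions, not XenForo's schema.
USERS = [
    {"id": 1, "name": "alice", "state": "valid",
     "about": "Blog at https://example.org/alice", "location": "Vienna", "status": ""},
    {"id": 2, "name": "newbie", "state": "email_confirm",
     "about": "Hello everyone", "location": "Leeds", "status": ""},
    {"id": 3, "name": "promo1", "state": "email_confirm",
     "about": "Cheap stuff [url=http://spam.example/a]here[/url]",
     "location": "www.spam.example", "status": "visit http://spam.example/b now"},
    {"id": 4, "name": "promo2", "state": "banned",
     "about": "", "location": "http://spam.example/c", "status": ""},
]
FEED = [
    {"user_id": 1, "action": "status"},
    {"user_id": 3, "action": "profile_location"},
    {"user_id": 4, "action": "profile_location"},
    {"user_id": 2, "action": "follow"},
]

def audit_profiles(users):
    """Return {name: {field: [links]}} for non-valid accounts whose profile holds links."""
    report = {}
    for u in users:
        if u["state"] == "valid":
            continue
        hits = {f: LINK_RE.findall(u.get(f, "")) for f in PROFILE_FIELDS}
        hits = {f: links for f, links in hits.items() if links}
        if hits:
            report[u["name"]] = hits
    return report

def visible_feed(feed, users):
    """Keep only feed entries whose author is in the 'valid' state."""
    valid_ids = {u["id"] for u in users if u["state"] == "valid"}
    return [e for e in feed if e["user_id"] in valid_ids]

if __name__ == "__main__":
    for name, hits in audit_profiles(USERS).items():
        print(name, hits)
    print(visible_feed(FEED, USERS))
```

Filtering at display time also covers accounts banned after their entries were written, since the check runs against the author's current state rather than the state at posting time.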