
Fixed Unconfirmed users can enter "Personal Details" and "Follow"

Discussion in 'Resolved Bug Reports' started by erich37, Aug 17, 2011.

  1. erich37

    erich37 Well-Known Member

    A user who is not confirmed (a user awaiting e-mail confirmation) is able to:

    - post text into the "About You" editor box at his "Personal Details".
    - "follow other members"
    - enter geographic "location"

    IMHO, this should not be allowed for users who are just "Guests" and have not confirmed their registration yet.

    So currently (XF version 1.0.4) users are able to do quite a lot of things without even confirming their e-mail-address via confirmation e-mail.

    As per my understanding, unconfirmed users should not be allowed to do anything on my forum until they confirm their registration.
  2. mikoo

    mikoo Active Member

    I have just tested that... it seems that unregistered users can even post a thread; and what's more: it seems newly registered members do not even get a second email to confirm their email account... weird...
  3. Jeremy P

    Jeremy P Well-Known Member

    That's up to your individual permission settings. For the above-mentioned items there are no permissions, and apparently no permission checks.
  4. mikoo

    mikoo Active Member

    I am afraid that's just what I have done...
  5. erich37

    erich37 Well-Known Member

    Which permissions do I need to set in order to prevent "unconfirmed users" from entering text into the "About You" box and from "following" other members?

  6. Jeremy P

    Jeremy P Well-Known Member

    I was talking to/quoted mikoo. He was talking about creating threads and email confirmation. Then I went on to mention there are no permissions for the things you've mentioned.
  7. Alien

    Alien Well-Known Member

    I would certainly prefer not to have unconfirmed users enter text in "About You" or be permitted to follow other members.
  8. erich37

    erich37 Well-Known Member


    An unconfirmed user is also able to:
    - enter geographic "location" (field: Location)
  9. Dean

    Dean Well-Known Member

    Which would include live links in the About You box to anywhere on the internet.

    I've been manually checking those things for new members, and it is getting extremely tedious.
  10. Ingenious

    Ingenious Well-Known Member

    I've just done a test account on my forum and can edit the following as an unconfirmed user:

    Screen shot 2011-08-18 at 10.42.11.png
    Couple of comments about this:

    Are there any other options I need to set to restrict this type of access for an unconfirmed user (apart from the things which cannot be stopped as mentioned above)?

    Also, although the user can do this, I cannot find any route to the profile from the forum itself. What I mean is the username does not show up as the latest member, or in the member list, so if users cannot find the profile, does it matter anyway?
  11. erich37

    erich37 Well-Known Member

    It definitely shows up in "Members > Recent Activities"
  12. Ingenious

    Ingenious Well-Known Member

    Edit - Yes I see the screen you mean now - A logged in "normal" user can see the unconfirmed account on recent activity. Actually it is really bad - there are seven separate entries each linking to a spam URL.
  13. Ingenious

    Ingenious Well-Known Member

    Here's a screen shot, there's quite a lot of scope to spam here, from adding a URL to the status update (be great to remove the ability to add links to status updates!!), to the user profile fields:

    Screen shot 2011-08-18 at 12.45.43.png

    I'm sorry to say this as I have been enjoying XenForo thus far, but this is depressing. Preventing guests and unconfirmed accounts from doing anything is a fundamental part of the registration and security process of a community.
  14. jwiechers

    jwiechers Member

    Absolutely, I, too, noticed that an unconfirmed user posted in a thread, although this should not have been possible given the permissions of unconfirmed users.

    Those things seriously undermine the requirements for privacy of a lot of projects -- and that's a big no. :-(
  15. Blue

    Blue Well-Known Member

    Hopefully this will be fixed in 1.1
  16. Mike

    Mike XenForo Developer Staff Member

    If an unconfirmed user posted, that's definitely a permission issue (unless they of course changed their email after posting).

    I don't totally follow the restrictions on setting up a profile for an unconfirmed user. If you're suggesting it from an anti-spam perspective, know that email confirmation is really a solved problem for spam bots - they will automatically confirm the account. I do agree with not pushing profile changes to the news feed while they're unconfirmed though, just to keep them less publicized. Following I could go either way on, as it's a fairly "advanced" feature.
  17. James

    James Well-Known Member

    Unconfirmed users shouldn't be able to follow. As an unconfirmed user the profiles aren't publicised as they don't appear anywhere, but if they have permission to follow they can just follow everyone and get their profile publicised pretty quickly.
  18. Blue

    Blue Well-Known Member

    IMO, Unregistered / Unconfirmed users shouldn't be allowed to do anything other than read.
  19. erich37

    erich37 Well-Known Member

    When a spam user is banned, his entries (location, occupation, etc.) still show up in recent activities.
    How do I delete the "Recent Activities" of a banned user?
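
As an added example (not XenForo code and not written by any poster in this thread), the sketch below shows the two controls discussed above: a deny-by-default check on the profile actions, and a recent-activity feed filtered at read time by the author's current state, so entries from unconfirmed or later-banned accounts are not shown. All state names, action names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical account states and action names; not XenForo identifiers.
CONFIRMED, UNCONFIRMED, BANNED = "confirmed", "unconfirmed", "banned"
PROFILE_ACTIONS = {"edit_about", "set_location", "follow", "post_status"}

@dataclass
class User:
    name: str
    state: str

@dataclass
class FeedEntry:
    author: str
    action: str
    text: str

def can_perform(user, action):
    """Deny by default: only confirmed accounts may perform profile actions."""
    return action in PROFILE_ACTIONS and user.state == CONFIRMED

def record(feed, user, action, text, enforce_write_check=True):
    """Write path. enforce_write_check=False models the behaviour reported
    in the thread, where these actions had no permission check."""
    if enforce_write_check and not can_perform(user, action):
        return False
    feed.append(FeedEntry(user.name, action, text))
    return True

def visible_feed(feed, users):
    """Read path: show an entry only if its author is confirmed right now.
    This also hides entries written before a ban or an e-mail change."""
    return [e for e in feed
            if e.author in users and users[e.author].state == CONFIRMED]

def demo():
    # Constructed sample accounts and activity.
    users = {n: User(n, s) for n, s in [("alice", CONFIRMED),
             ("newbie", UNCONFIRMED), ("seller", CONFIRMED)]}
    feed = []
    record(feed, users["alice"], "set_location", "Berlin")
    blocked = record(feed, users["newbie"], "edit_about", "http://spam.example")
    # Unchecked write path: the unconfirmed user's follow is stored anyway.
    record(feed, users["newbie"], "follow", "alice", enforce_write_check=False)
    record(feed, users["seller"], "post_status", "http://spam.example")
    before_ban = [e.author for e in visible_feed(feed, users)]
    users["seller"].state = BANNED  # moderator bans the account afterwards
    after_ban = [e.author for e in visible_feed(feed, users)]
    return blocked, len(feed), before_ban, after_ban
```

Filtering on the read path means a ban or a return to the unconfirmed state takes effect on entries that were already stored, without a separate clean-up step.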
  20. Dean

    Dean Well-Known Member

    Personally I am concerned with highly intelligent people who are unhappy with me, or with my site.
