This is the security I need.
How do I make SURE I can make this the case in 1.0.4?
And HUGE thanks for y'all DOCUMENTING this hole!
Fixed Unconfirmed users can enter "Personal Details" and "Follow"
- Thread starter erich37
- Start date
How do I make SURE I can make this the case in 1.0.4?
And HUGE thanks for y'all DOCUMENTING this hole!
if an unconfirmed user can fill in all his stuff, then there is no need for any kind of registration-process at all.
An unconfirmed user should be limited to be able to enter data into the fields which are listed at the "Registration-page" (domain.com/register) only.
Spam is on the rise and having unconfirmed users posting some crap into various fields, etc. is increasing the workload for webmasters in order to keep a site clean.
I share and understand your concern. I believe what Mike is saying is that most spam bots actually can confirm their memberships and will do so. After that is done, they can just as easily fill in the profile information with spam. What we need, are the tools to make cleaning it up much easier. Also, we should be able to restrict by usergroup, who can enter what details. Some of us would like to give users the ability to enter that data only after they have participated a certain amount. This can also be used as a spam trap. Before they can enter that data, they might try to spam in the forums, in which, we can just ban them before they have permission to edit their profile data.
While that may be true, that is not the point of this thread. This thread is to inform them of our concerns.
no doubt about that,which is the reason we are giving feedback and reporting bugs and are brainstorming ideas, etc.
Reporting bugs show that we care about XF and want to have it become an even better product.
Personally until someone has confirmed their email address, whether a spambot, human, alien I do not want to know anything about them on my forums. IOW, they cannot do anything apart from a) confirm their email and activate their account and b) browse as a guest.
Once confirmed they can then start to enter information. The whole point of captchas/Q&A is to make it harder for the spammer to sign up and post crap, if you can bypass this fundamental check and post stuff which is visible to searchbots/existing members then the registration system has failed.
Once confirmed they can then start to enter information. The whole point of captchas/Q&A is to make it harder for the spammer to sign up and post crap, if you can bypass this fundamental check and post stuff which is visible to searchbots/existing members then the registration system has failed.
That might not be so bad being it could be used to pass along info such as your email bounced etc. As long as they can't send, I could live with that. Regardless, I am eagerly awaiting 1.1.
Yeah, I agree... that's a useful admin function... I'm less comfortable with the other situations enumerated here and I'd prefer to be able to switch them off ideally DEFAULTED to off and CHOOSE to enable if desired.
Thanks Mike!