Unverified users can still post??

Edward Alexander

I signed up a tester account to see how things work when not logged in as admin. I noticed that I can post even though email has NOT been confirmed - why is that?? This is a major security issue, and I don't understand what the point of confirming the email is if you can still post unconfirmed?

It clearly says on top of forum when logging in:
"Your account is currently awaiting confirmation. Confirmation was sent to xxx@xxx.com. Resend Confirmation Email"

How come the account has access to posting when not confirmed? It didn't even ask for a captcha when posting, even though I have it enabled, and if not logging in I can post anonymously if I enter a correct captcha. So in other words, anyone can type in any email to register and then post directly without any confirmation or any captcha, which is very bad since it opens up completely for automatic spam bots.


When things are set up right, you cannot post until confirmed.

It may be something with the demo setup.

Edward Alexander

I have been thinking it over to try to figure out what it could be. The best I can think of is that I may have screwed up something with permissions. My intention is to let unregistered users post anonymously without logging in - this part works fine. The problem may be that BOTH unregistered and unconfirmed users are in one and the same User Group in Admin settings. I just noticed that now when looking over settings. Is there a way to split these two, each into their own separate group, so that modifying permissions and settings for one will not automatically be the same for the other? I am not sure why they put both in the same, since these are two completely different groups technically, which it should be pretty obvious would need different permissions.

Edward Alexander

Or, at least make sure the Unregistered users can post, while the Unverified ones can NOT. The whole point of my forum is to let anonymous users post without registering, but obviously people that want to register should NOT be able to post directly until their account is confirmed - at least not without solving a captcha just as the unregistered users have to do. Getting rid of Captcha should be a privilege for registered confirmed users.

Edward Alexander

Adam: Thanks, I will do that if I end up buying it. For the moment I am still test driving it to see if this is what I am looking for. And before I can decide whether I should buy it, I need to figure out if it will work the way I need it to. :)

Jake: Yes, I understand that now from checking through settings more. But there must be a way to split the two groups from each other, since they are very different? An unregistered user, in my forum, equals Anonymous - he still has posting access. Unconfirmed user means one that has registered for a username, but still has not confirmed the email - and in this case he should NOT be able to post until email is confirmed.

Anonymous part works fine, they have to solve a keyCaptcha to post. However, the unconfirmed ones can post directly without having to solve a Captcha. This has already given me some spam on the test.

An unregistered user has NO account or settings saved in the forum, while an unconfirmed user DOES have a username ready and settings saved. I am not sure why they are put into one and the same usergroup with such differences, it's complicating things.

Jake Bunce

They are given the same permissions because a pending registration is not yet valid so they might as well be a guest.

There is no option in the software to assign different permissions to guests and pending registrations. An addon is required.

Edward Alexander

Ok, that's a shame. Do you work for XenForo? If so, will it remain this way or could you split the two groups in future updates?

Also, if anyone knows about an addon that can solve my issue, I would appreciate hearing about it.
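
The gap discussed in this thread, as an added example that is not part of any post and is not XenForo code: a generic Python model (all names hypothetical) of a posting gate where guests and pending registrations share one permission set and the captcha is asked only of visitors who are not logged in, which is an assumption that reproduces the reported behaviour, next to a gate that treats the three account states separately.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    GUEST = "guest"          # no account at all
    PENDING = "pending"      # registered, email not yet confirmed
    CONFIRMED = "confirmed"  # registered and email confirmed


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def can_post_shared_group(state, captcha_solved):
    """Guest and pending share a group that may post; the captcha is tied
    to 'not logged in' (assumed mechanism), so a pending account skips it."""
    logged_in = state is not State.GUEST
    if not logged_in and not captcha_solved:
        return Decision(False, "captcha required")
    return Decision(True, "ok")


def can_post_split_states(state, captcha_solved, pending_may_post=False):
    """Each state is decided on its own: only a confirmed account is exempt
    from the captcha, and a pending account is blocked unless opted in."""
    if state is State.CONFIRMED:
        return Decision(True, "ok")
    if state is State.PENDING and not pending_may_post:
        return Decision(False, "email not confirmed")
    if not captcha_solved:
        return Decision(False, "captcha required")
    return Decision(True, "ok")


def audit(policy):
    """List every unconfirmed identity that can post without a captcha."""
    return [(s.value, solved)
            for s in State for solved in (False, True)
            if s is not State.CONFIRMED and not solved
            and policy(s, solved).allowed]


if __name__ == "__main__":
    print("shared group:", audit(can_post_shared_group))
    print("split states:", audit(can_post_split_states))
```

Running `audit` over every state and captcha combination is the same check the tester account performed by hand: it flags any path where an identity with no verified email reaches the post action without a challenge.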