Duplicate User approve queue can sometimes not require email confirmation


Well-known member
Affected version
2.1.10 Patch 2
The XF registration flows from registering to valid/moderated are;
  • register => spam checker says moderate => approval queue => user_state set to valid. No email confirmation.
  • register ("Enable email confirmation" == true) => email confirm ("Enable manual approval" == true) => approval queue.
  • register ("Enable email confirmation" == true) => email confirm ("Enable manual approval" == false) => user_state set to valid
  • register ("Enable email confirmation" == false) => user_state set to valid
  • register ("Enable email confirmation" == false, "Enable manual approval" == true) => approval queue
If the spam checker pushes as user into the moderation queue, email confirmation hasn't been done and the "approve" option skips email confirmation.

This is rather unexpected behaviour and can cause 'Enable email confirmation' to be bypassed until a hard-bounce comes along and disables the account.
This is not actually unexpected. It has been reported in various guises in the past.

This is one where it is mentioned (see Mike’s reply)

And there’s a lack of interest suggestion for change:

In practice this shouldn’t be a common or a significant issue. As Mike says in the suggestion thread, an email can become invalid at any time so even if you’re given an invalid email it should get noticed fairly quickly.

At this stage this is a valid suggestion but not a bug we’re aiming to make changes to at this time.
The issue is that if spam triggers from core or from addons bring the account to moderation, and the staff member decides that its (probably) not spam or abusive, then there still is a chance that the account is abusive. An invalid email address is another signal that there may be something wrong.

This issue flies completely under the radar because no admin is going to check if approved accounts don't have valid email addresses. At least until any outgoing email bounces.

I think this is completely unexpected behaviour and that there are several bug reports should demonstrate this.

Various addon developers felt compelled to develop a solution for this for XF1 and XF2: A function in the registration process that admins can select to force email validation.

It would be nice if this issue would be resolved in xenforo core, so that it no longer requires addon functionality that clutters up the new user moderation page needlessly.
Top Bottom