Duplicate User approve queue can sometimes not require email confirmation

Xon

Well-known member
Affected version
2.1.10 Patch 2
The XF registration flows from registering to valid/moderated are:
  • register => spam checker says moderate => approval queue => user_state set to valid. No email confirmation.
  • register ("Enable email confirmation" == true) => email confirm ("Enable manual approval" == true) => approval queue.
  • register ("Enable email confirmation" == true) => email confirm ("Enable manual approval" == false) => user_state set to valid
  • register ("Enable email confirmation" == false) => user_state set to valid
  • register ("Enable email confirmation" == false, "Enable manual approval" == true) => approval queue
If the spam checker pushes a user into the moderation queue, email confirmation hasn't been done and the "approve" option skips email confirmation.

This is rather unexpected behaviour and can cause 'Enable email confirmation' to be bypassed until a hard-bounce comes along and disables the account.
 
This is not actually unexpected. It has been reported in various guises in the past.

This is one where it is mentioned (see Mike’s reply)

And there’s a lack of interest suggestion for change:

In practice this shouldn’t be a common or a significant issue. As Mike says in the suggestion thread, an email can become invalid at any time so even if you’re given an invalid email it should get noticed fairly quickly.

At this stage this is a valid suggestion but not a bug we’re aiming to make changes to at this time.
 
The issue is that if spam triggers from core or from addons bring the account to moderation, and the staff member decides that it's (probably) not spam or abusive, then there still is a chance that the account is abusive. An invalid email address is another signal that there may be something wrong.

This issue flies completely under the radar because no admin is going to check if approved accounts don't have valid email addresses. At least until any outgoing email bounces.

I think this is completely unexpected behaviour, and the fact that there are several bug reports should demonstrate this.

Various addon developers felt compelled to develop a solution for this for XF1 and XF2: A function in the registration process that admins can select to force email validation.

It would be nice if this issue would be resolved in XenForo core, so that it no longer requires addon functionality that clutters up the new user moderation page needlessly.
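Added example, not part of any post in this thread and not XenForo code: a small model of the five flows listed in the first post, which enumerates every option combination and reports the paths where an account becomes valid without email confirmation even though confirmation is enabled. The step names and the `confirm_after_approval` switch are assumptions; the switch stands in for the add-on style fix mentioned in the last post.

```python
from itertools import product


def registration_path(email_confirmation, manual_approval, spam_moderate,
                      confirm_after_approval=False):
    """Return the list of steps one registration takes.

    Follows the five flows listed in the first post. confirm_after_approval
    is a hypothetical switch (not a XenForo option) modelling the add-on
    style mitigation: approval hands the account to email confirmation.
    """
    path = ["register"]
    if spam_moderate:
        # The spam checker overrides the normal flow and queues the account.
        path.append("approval_queue")
        if confirm_after_approval and email_confirmation:
            path.append("email_confirm")
        path.append("valid")
        return path
    if email_confirmation:
        path.append("email_confirm")
    # Manual approval flows end in the queue, as written in the post.
    path.append("approval_queue" if manual_approval else "valid")
    return path


def bypasses_confirmation(email_confirmation, path):
    """True when the account is valid, confirmation is enabled, and it never ran."""
    return (email_confirmation and path[-1] == "valid"
            and "email_confirm" not in path)


def find_bypasses(confirm_after_approval=False):
    """Enumerate all option combinations; return those that skip confirmation."""
    hits = []
    for email_conf, manual, spam in product([True, False], repeat=3):
        path = registration_path(email_conf, manual, spam,
                                 confirm_after_approval)
        if bypasses_confirmation(email_conf, path):
            hits.append(((email_conf, manual, spam), path))
    return hits


if __name__ == "__main__":
    # Tuple order: (email_confirmation, manual_approval, spam_moderate)
    for options, path in find_bypasses():
        print(options, " => ".join(path))
```

Only the combinations where the spam checker moderates and email confirmation is enabled are reported, regardless of the manual approval setting.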
 