As designed user without permission can edit profile info if awaiting email confirmation

Mr Lucky

Well-known member
I have set registered user group to not be able to edit profile. If I test this it behaves as I would expect, the user cannot edit personal details.

However if they are awaiting email confirmation, they can edit personal details.

In either case the analyze permission shows that they cannot edit profile.
 
There could be a better indication of this, but when a user's in a non-valid user state, they effectively have the permissions from the unregistered / unconfirmed group. You should remove the edit profile permission there.

So this would be as designed, but there might be some clearer indication we can add of this.
 
but when a user's in a non-valid user state, they effectively have the permissions from the unregistered / unconfirmed group.

In which case this should show in analyze permissions.

So this would be as designed, but there might be some clearer indication we can add of this.

I certainly agree with that.

I can't see how it isn't a bug, if they have permissions from one group but show in their ACP info as being in another, i.e. they actually show as being in registered even though they are still unconfirmed.
 
I've been thinking more about this and it does seem to be more of a bug in Analyze Permissions. I use that to work out why a certain permission isn't working the way I want/expect. In this case if the allow in unconfirmed is (correctly) overriding the no/not set in registered, then it must show in Analyze permissions.
 
I'm calling this as designed because the behavior in the original report is what is intended. However, I have added indications to a couple places (user edit and permission analysis) to make what's going on clearer (when it's happening).
 