As Designed User x can activate user y's registration

Discussion in 'Resolved Bug Reports' started by MGSteve, Oct 12, 2011.

  1. MGSteve

    MGSteve Well-Known Member

    Just noticed this: I set up a new account using IE, whilst logged into Chrome as admin. I then copied the activation code from the email & pasted it into Chrome by mistake, and even though I was logged in as admin, it activated the new user's account.

    Is this intended behaviour, or, if you're logged in as one user, should you not be able to affect another user's activation?
  2. Floris

    Floris Guest

    How likely it is that user a gets the activation code of user b is one discussion. But yeah, I think one user shouldn't have an effect in any shape or form on another user's account.
  3. Floris

    Floris Guest

    I can confirm this.

    Created a new user dondop, got the email with confirmation code.
    I log out. And I register another user. Pending verification still.
    I take the verification code from dondop, and it won't activate the 'anotheruser' account. BUT
    It does activate the dondop account.

  4. rEd86

    rEd86 Active Member

    This sounds like the expected behavior to me. The activation link is for the account it was emailed to, not the account you're logged into. It's just to verify that email is making it to the account you registered with, that's all. It doesn't sign you in or do anything else, does it?

  5. ENF

    ENF Well-Known Member

    I really don't see this as an issue...

    If you confirm another account while logged into another account, it just pushes you out of the system.

    Logged in as user 'A' - copy and paste activation code from email from user 'B'
    Option 1: Confirms the email - click on go to forum home and I'm logged out from User 'A'. (but not logged into user 'B')
    Option 2: Confirms the email - click 'edit account details' - takes you to user 'A' settings page.
    Option 3: [Not logged in at all] - Confirm email - click on 'Edit account details' - goes to the log-in page.

    So, I don't really see a concern here.
  6. MGSteve

    MGSteve Well-Known Member

    I only raised it because I know VB doesn't allow this, as it's popped up an error message before; I just wanted to check whether it was expected behaviour in XF or not. Personally, if the user was logged into XF, I wouldn't expect them to be able to have any effect, no matter how slight, on someone else's account.

    I appreciate it's not exactly likely to occur in the field, but just wanted to check.
  7. CyclingTribe

    CyclingTribe Well-Known Member

    Yes. The link is simply a process of confirmation. A validation that the email address for the new account has properly received the registration details.

    It validates the account and it should do that irrespective of whether someone is logged in at the board or not.

    Shaun :D
  8. Mike

    Mike XenForo Developer Staff Member

    Yup, as designed. It's primarily to validate that the email is valid.
  9. MGSteve

    MGSteve Well-Known Member

    Okie dokie, no problem, just wanted to check it wasn't unintended :)
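
The two policies discussed in this thread, as an added example that is not part of the thread and is not XenForo's or vBulletin's code: a confirmation code bound to the account it was emailed to, which by default ignores whoever is logged in, plus a `strict` mode that refuses when a different account is logged in. The class, method names, result strings and the choice to leave the session untouched are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class EmailConfirmations:
    """Hypothetical in-memory store; names are illustrative, not a forum API."""

    def __init__(self, ttl=86400):
        self.ttl = ttl
        self.pending = {}   # user_id -> (sha256(token), expires_at)
        self.active = set()

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # sent only to the registered address
        digest = hashlib.sha256(token.encode()).digest()
        self.pending[user_id] = (digest, now + self.ttl)  # store hash, not token
        return token

    def confirm(self, user_id, token, session_user=None, strict=False, now=None):
        """Return (result, session_user); the session is never changed here."""
        now = time.time() if now is None else now
        # strict=True: reject when a *different* account is logged in.
        if strict and session_user not in (None, user_id):
            return "wrong_session", session_user
        entry = self.pending.get(user_id)
        if entry is None:
            return "invalid", session_user
        digest, expires_at = entry
        supplied = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, supplied):  # constant-time compare
            return "invalid", session_user
        del self.pending[user_id]  # single use, even if it turns out expired
        if now > expires_at:
            return "expired", session_user
        self.active.add(user_id)  # proves the mailbox is reachable, nothing more
        return "activated", session_user


if __name__ == "__main__":
    store = EmailConfirmations()
    code = store.issue("dondop")          # constructed sample accounts
    store.issue("anotheruser")
    print(store.confirm("anotheruser", code, session_user="anotheruser"))
    print(store.confirm("dondop", code, session_user="admin", strict=True))
    print(store.confirm("dondop", code, session_user="admin"))
```
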

