As designed User x can activate user y's registration

MGSteve

Just noticed this: I set up a new account using IE whilst logged into Chrome as admin. I then copied the activation code from the email and pasted it into Chrome by mistake, and even though I was logged in as admin, it activated the new user's account.

Is this intended behaviour, or if you're logged in as one user, you shouldn't be able to affect another user's activation?
 
How likely it is that user a gets the activation code of user b is one discussion. But yeah, I think one user shouldn't have an effect in any shape or form on another user's account.
 
I can confirm this.

Created a new user dondop, got the email with confirmation code.
I log out. And I register another user. Pending verification still.
I take the verification code from dondop, and it won't activate the 'anotheruser' account. BUT
It does activate the dondop account.
 
This sounds like the expected behavior to me. The activation link is for the account it was emailed to, not the account you're logged into. It's just to verify that email is making it to the account you registered with, that's all. It doesn't sign you in or do anything else, does it?

--Ed
 
I really don't see this as an issue...

If you confirm another account while logged into another account, it just pushes you out of the system.

Logged in as user 'A' - copy and paste activation code from email from user 'B'
Option 1: Confirms the email - click on go to forum home and I'm logged out from User 'A'. (but not logged into user 'B')
Option 2: Confirms the email - click 'edit account details' - takes you to user 'A' settings page.
Option 3: [Not logged in at all] - Confirm email - click on 'Edit account details' - goes to the log-in page.

So, I don't really see a concern here.
 
I only raised it because I know VB doesn't allow this, as it's popped up an error message before. I just wanted to check whether it was expected behaviour in XF or not. Personally, if the user was logged into XF I wouldn't expect them to be able to have any effect, no matter how slight, on someone else's account.

I appreciate it's not exactly likely to occur in the field, but just wanted to check.
 
Just noticed this: I set up a new account using IE whilst logged into Chrome as admin. I then copied the activation code from the email and pasted it into Chrome by mistake, and even though I was logged in as admin, it activated the new user's account.

Is this intended behaviour, or if you're logged in as one user, you shouldn't be able to affect another user's activation?

Yes. The link is simply a process of confirmation. A validation that the email address for the new account has properly received the registration details.

It validates the account and it should do that irrespective of whether someone is logged in at the board or not.

Cheers,
Shaun :D
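
The behaviour discussed in this thread, as an added example that is not XenForo's code and not part of any post: an emailed activation code is checked against the account named in the link, and the logged-in session plays no part unless a stricter policy is chosen. The `ActivationStore` class, its method names, the return strings and the `strict` flag are assumptions made for illustration; the user names are taken from the posts above.

```python
import hashlib
import hmac
import secrets


class ActivationStore:
    """In-memory stand-in for a forum's user table (constructed for this example)."""

    def __init__(self):
        self._pending = {}   # user_id -> SHA-256 hex digest of the emailed code
        self.active = set()  # user_ids whose email address has been confirmed

    def register(self, user_id):
        """Create a pending account and return the code that would be emailed."""
        code = secrets.token_urlsafe(16)
        self._pending[user_id] = hashlib.sha256(code.encode()).hexdigest()
        return code

    def confirm(self, user_id, code, session_user=None, strict=False):
        """Confirm the account named in the link; session_user is whoever is logged in.

        strict=False: the session is ignored (behaviour described in the thread).
        strict=True: hypothetical stricter policy that refuses the request when
        a different user is logged in.
        """
        if strict and session_user is not None and session_user != user_id:
            return "rejected"
        expected = self._pending.get(user_id)
        supplied = hashlib.sha256(code.encode()).hexdigest()
        # Constant-time comparison; the code only matches the account it was issued for.
        if expected is None or not hmac.compare_digest(expected, supplied):
            return "invalid"
        del self._pending[user_id]  # single use: a replayed link no longer matches
        self.active.add(user_id)
        return "activated"


def demo():
    store = ActivationStore()
    dondop_code = store.register("dondop")
    store.register("anotheruser")
    return [
        store.confirm("anotheruser", dondop_code),                   # wrong account
        store.confirm("dondop", dondop_code, "admin", strict=True),  # stricter policy
        store.confirm("dondop", dondop_code, session_user="admin"),  # session ignored
        store.confirm("dondop", dondop_code),                        # replayed code
    ], sorted(store.active)
```

Storing only a hash of the code means a leaked user table does not reveal usable activation codes.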
 