The following warnings occurred:
Warning [2] Undefined variable $unreadreports - Line: 26 - File: global.php(961) : eval()'d code PHP 8.2.25 (Linux)
File Line Function
/global.php(961) : eval()'d code 26 errorHandler->error
/global.php 961 eval
/showthread.php 28 require_once





× This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!
UserSpice   ›   Support Center   ›   UserSpice 4.3 and Below   ›   able to modify account email without verification

  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
able to modify account email without verification
plb
User
Joined: Aug 2016
Posts: 120

Reputation: 0
#1
08-25-2016, 06:34 PM
Not sure if this is a bug or by design... I have "Require User to Verify Their Email?" set to "yes" in the email settings and it seems to work fine on initial registration, but once I am registered I can go in and change the email in the account settings with no verification.

So, thinking like a bad guy, I could sign up and get a valid account and then change my email to someone else's address and then suddenly emails that are "verified" are actually not verified...

As far as I see there is no record of the initial, verified address, either...

And the column "email verified" in the "users" table still indicates 1.

Maybe this is standard behavior for user systems - I'm not sure I ever tested it on another system before. But I can see how it could be a cause for abuse/misuse so I'm throwing it out here.
  Website
  Reply
mudmin
Lead Developer
*******
Joined: Dec 2015
Posts: 2,285

Reputation: 17
#2
08-25-2016, 07:06 PM
You're right. That's a bug. Something we didn't think through. I'll think through the logic of how to fix it and put it on my list for 4.1.5.

Thanks!
  Reply
mudmin
Lead Developer
*******
Joined: Dec 2015
Posts: 2,285

Reputation: 17
#3
08-29-2016, 02:34 PM
Just FYI, your post became the subject of Debugging with Dan 5. https://youtu.be/RRYBYjnB-Co
  Reply
plb
User
Joined: Aug 2016
Posts: 120

Reputation: 0
#4
08-29-2016, 08:46 PM
Sorry to be a nay-sayer, but is blocking the user (users.active=false) really what you want to do?

Let's say I'm just a normal (non-malicious) user and I decide I would rather have my personal email used for this web-site rather than my work address. Oh, look - I can change my own email. That's convenient. Then - poof - next time I try to log in I'm told that I've been blocked?! What?! Now I have to try to contact the admin to get them to unblock me - it would have been easier to ask the admin to change my email address for me...

I think the flag that needs to be changed is users.email_verified.

The challenge is that you need to generate a new verify email... Maybe the easiest thing to do would be to make an informative "$successes[]" message which included a link for them to go and generate their own verification email? If they don't see it they're kind of stuck, but at least you've given them a pretty good chance...
  Website
  Reply
mudmin
Lead Developer
*******
Joined: Dec 2015
Posts: 2,285

Reputation: 17
#5
08-29-2016, 09:55 PM
OOPS! You're right. I messed up my own db table designation. Thanks for that.
  Reply
mudmin
Lead Developer
*******
Joined: Dec 2015
Posts: 2,285

Reputation: 17
#6
08-29-2016, 10:24 PM
Thanks for pointing this out. I updated it in UserSpice 4.1.4b, the patch, and the video! Good catch!
  Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)