Not Solved [Security] Non Activated Members Can Still Log In
#1
Hey guys,

My forum registration status is set to Admin Verification.
Everything is fine but non-activated users can still log in.

I want to make it so that only activated users can log in.

And I know, I can set permissions for Awaiting Activation User Group. But that won't help me as they can still log in successfully.

TL-DR: I don't want people who aren't activated by me to use the login function successfully. I want only activated users to log in.

Thanks in advance, waiting for your replies
#2
This is actually the intended behavior for the MyBB software, and there is not a way around it. There is good reasoning, though: imagine a user set the wrong email address on their account and your board was on "send email verification". They would never be able to fix their account's email and would have no choice other than making a new account (or contacting an administrator in some other way). The "awaiting activation" usergroup will still be able to log in (the same even applies to banned users). Basically, being unable to log in prevents you from seeing valuable information regarding your account.

What's your primary concern with the users being able to log in? Are you concerned about them showing up in "Who's Online"? Displaying in the member list? Posting? Something else? You can restrict the "awaiting activation" user group's permissions by going to AdminCP > Users & Groups > Groups > Edit User Group (awaiting activation) > Select your permission choices. We're able to help you prevent those users from doing tasks before activation that you deem malicious. There isn't a way to block logins of certain groups, but you can restrict what those users can do.

Please let us know if you have any further questions regarding this :)
Software Engineer specializing in Crystal Program Development

#3
Thanks for the reply, man. I'm using my MyBB users on a VB.NET program I coded. I was using MyBB's login as my login system on the program, but I think I'm gonna have to move to another forum software if there is no other way around it.
#4
Most forum software will have similar behavior, and you might have to write up your own login/registration system for what you are trying to accomplish. Good luck though :)
#5
You'd need a plugin to do this. As above, every piece of software I've used works in the same way: you just have restricted permissions until you've been activated. You'll need a plugin that checks the user's activation status after logging in and logs them back out if they're not activated yet.
#6
(12-06-2016, 09:15 AM)Matt Wrote: You'd need a plugin to do this, as above every software I've used works in the same way, you just have restricted permissions until you've been activated. You'll need a plugin that checks the user's activation status after logging in, and log them back out if they're not activated yet.

From what I understand, he is just using MyBB for its login system. I advised him, as most forum software will have similar behavior, that he might have to write up a simple login system (custom, not on top of MyBB or other forum software) that suits his needs. A plugin that hooks into the login system could accomplish this, but is it worth the trouble? I believe that it would do more harm than good. What if a forum using email activation installs the plugin and someone enters the wrong email? It's a series of accidents waiting to happen.
#7
Yep, I use it mainly for its login system, and I want my forum to be a closed community for my customers. I suppose I will write a plugin for it, or just close the registrations and manually create accounts for my customers.
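A sketch of the check discussed in this thread, for an external program that reuses MyBB accounts: authenticate first, then refuse the session when the account is in the Awaiting Activation or Banned group. This is an added example in Python, not code from the thread or from MyBB; it assumes the program can read `mybb_users` rows and that the board keeps MyBB's default group ids (5 and 7) and stock salted-MD5 password scheme. The function names and sample records are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: default MyBB group ids; 5 = Awaiting Activation, 7 = Banned.
DENIED_GROUPS = {5: "awaiting_activation", 7: "banned"}


def mybb_hash(password, salt):
    """Stock MyBB 1.8 scheme (assumed in use): md5(md5(salt) . md5(password))."""
    def md5(s):
        return hashlib.md5(s.encode("utf-8")).hexdigest()
    return md5(md5(salt) + md5(password))


def authorize(row, password):
    """Return (allowed, reason) for one mybb_users row, or None if no such user."""
    # Hash even when the user is unknown so both failure paths do similar work.
    salt = row["salt"] if row else "dummy-salt"
    expected = row["password"] if row else mybb_hash("dummy", "dummy-salt")
    matches = hmac.compare_digest(mybb_hash(password, salt), expected)
    if row is None or not matches:
        return False, "bad_credentials"
    # Authentication passed; now apply the rule MyBB itself leaves to permissions.
    groups = {int(row["usergroup"])}
    extra = str(row.get("additionalgroups") or "")
    groups |= {int(g) for g in extra.split(",") if g.strip().isdigit()}
    for gid, reason in DENIED_GROUPS.items():
        if gid in groups:
            return False, reason  # fail closed on primary or additional group
    return True, "ok"


def _row(name, pw, salt, group, extra=""):
    return {"username": name, "salt": salt, "password": mybb_hash(pw, salt),
            "usergroup": group, "additionalgroups": extra}


# Constructed sample records standing in for mybb_users rows (not real accounts).
USERS = {
    "alice": _row("alice", "correct horse", "a1B2c3D4", 2, "8,10"),
    "bob": _row("bob", "hunter2-sample", "z9Y8x7W6", 5),
    "carol": _row("carol", "sample-pass", "q1W2e3R4", 7),
}


def login(username, password):
    return authorize(USERS.get(username), password)
```

The reason string is meant for the program's own log; what the user is shown on a denied login is a separate choice.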
#8
(12-06-2016, 12:44 PM)hiro Wrote: Yeap, I use it mainly for its login system, and I want my forum to be a closed community for my customers. I suppose I will write a plugin for it, or just close the registrations and manually create accounts for my customers

I disagree with the plugin idea. Maybe manual account creation is a better idea :/
#9
(12-05-2016, 11:08 PM)Lunorian Wrote: This is actually the intended behavior for the MyBB Software and there is not a way around it. There is good reasoning though: Imagine a user set the wrong email address on their account, and your board was on "send email verification", They would never be able to fix their account's email and would have no choice other than making a new account (or contacting an administrator in some other way). The "awaiting activation" usergroup will still be able to login (the same even applies to banned users). Basically being unable to login prevents you from seeing valuable information regarding your account.

I understand the reasoning here, but want to give a little pushback on a principle. In developing software, one should never assume that just because as a designer you cannot think of a reason to do something, a good reason does not exist. I come from the Unix/Linux school of designing software, where one views software as a tool in the toolkit. The more powerful the toolkit, the more you unleash the power of the user community to use that toolkit in imaginative ways. Do not limit users to just your ideas of how the software might be used.

This is not a criticism of MyBB, in fact just the opposite. I give praise to the designers of MyBB; it is a very flexible tool. But in this case, yes, I want to consider prospective users of my BB as guests until I have verified them. I wonder if there is a fundamental difference in registration requirements between BBs for closed vs. open communities, and the needs of a closed community weren't in the forefront of thinking for the registration process design.

My community is an HOA and we want membership to be restricted to just homeowners. Anybody can use the registration process, and I do not want non-owners that go through registration to see anything different from what a guest sees (implementing a referral system or email/IP whitelist would just make the entire registration experience more complicated for the users, a bad idea). If I could keep anyone from being able to log in until activated by the administrator, I am implementing the concept that an account is not an account until the admin says it is. The simplest way to implement that concept in MyBB would be to have an option to treat accounts that way, but as you stated, not allowing that was built into the software. (The reasoning behind that decision does not apply in my case. If anyone does give their wrong email in the registration process, it is easier for them to call/email me than it would be to correct it using the UserCP on a system they are a novice to; this is a very localized environment. So the reasoning is sound for an open community, but does not apply for my closed and very localized situation.)

Now I could try to kludge permissions for AwaitingActivation users to be like guests, but that is not a great solution. It would be ongoing maintenance to see to it the permissions for guests stay the same as the permissions for AwaitingActivation (different forums/categories are going to have different custom permissions). But more importantly, AwaitingActivation users can still log in. They will get what header_welcomeblock_member gives them and I do not want them to get that (they should see what member_welcomeblock_guest gives them).

With just a few beta testers, that has already been an issue, as I knew it would be. I changed the messaging to emphasize that until accounts were activated, users would be restricted in how they could use the BB. But to novice users, that messaging was not sufficient because the behavior was not "natural" to them. I had someone start registration and they verified their email. Despite the messaging, when they went to the site and logged in, they thought they were good to go. It was confusing to them when things did not work. I could arrange to do "manual" creation of accounts, but that complicates the registration process for a new user (I will assume it is not necessary to go into details why).

I do not think my environment is unique. There are two types of bulletin board communities: open and closed. While I assume open is much more common, for those closed communities, delaying login rights until after activation would be a natural setup for a great number of them. That is inherent in the nature of the community being "closed".

I will be looking at how I can kludge our setup to make it work that way.