J3 Issue ?
jjnxpct
5 Nov 2018

Steps to reproduce the issue

We have set up one of our client sites to allow users to request an account for the site. The site manager then receives an e-mail with a link he can use to activate the user. ("You can activate the user by selecting on the link below:")

Expected result

Clicking on the link should activate the user.

Actual result

An error appears "Please log in to confirm that you are authorized to activate new accounts."
This did not happen before. (Before Joomla 3.9)

System information (as much as possible)

Joomla 3.9
PHP 7.2.10 on Linux Apache/2
MySQL 5.5.61

Votes

# of Users Experiencing Issue
1/1
Average Importance Score
5.00

jjnxpct - open - 5 Nov 2018
joomla-cms-bot - change - 5 Nov 2018
Labels Added: ?
joomla-cms-bot - labeled - 5 Nov 2018
jjnxpct - comment - 5 Nov 2018

Ah, I see.

But when an attacker has access to the mailbox of the user then they could also reset the password...

But besides that, to get the activation link to work, the user should first log in to the frontend of the website and then click on the link?

I could also ask the user (site manager that gets the activation mail) to log in to the backend and activate the user there, but I am not sure if that action also sends out the e-mail to the new user confirming their subscription?

Khodes - comment - 5 Nov 2018

The problem is that after logging in to the front end (even as super user) you cannot activate the user. If I am logged in I get the error message:

You are not authorised to view this resource.

Is this a bug?

The only way to activate a user now seems to be via the administration area but this does not send an email to the user to let them know they have been activated.

zero-24 - comment - 5 Nov 2018

> But besides that, to get the activation link to work, the user should first log in to the frontend of the website and then click on the link?

No, just log in at the page the message showed to you. It redirects to the link you clicked from the mail and activates the account.

zero-24 - comment - 5 Nov 2018

> The problem is that after logging in to the front end (even as super user) you cannot activate the user. If I am logged in I get the error message:

A bit more detail here please. Where did you log in? What URL are you entering then? What kind of "Security" extensions do you have installed? Can you reproduce this on a cleanly installed site with Protostar?

Khodes - comment - 5 Nov 2018

I have tried logging in before I click the registration approval link and also clicking the link and then logging in. Both ways produce the same error message.
We are using the GDPR extension from Joomla Extension store.
I will try a clean install and let you know.
Thanks

Khodes - comment - 5 Nov 2018

It works OK on a clean install so it must be one of the extensions I am using. I will investigate.
Thanks

zero-24 - comment - 5 Nov 2018

Please let us know what the problem was when you find it. Would be interesting to know. Thanks!

jjnxpct - comment - 6 Nov 2018

@Khodes Could you let me know what exactly does not work on your site that does work on a clean Joomla install? Do you mean first logging in and then using the link in the mail to activate the user? Or clicking on the link and then logging in on the frontend?

Khodes - comment - 6 Nov 2018

Neither way works on my live site but clicking the link and then logging in works fine on a clean install. This is the way I would expect it to work. The problem must be something on my live site. It could be a component or the way I redirect after login. I will investigate this later today.

jjnxpct - comment - 6 Nov 2018

Is there also a way to be able to activate the user from the backend that also does send the activation mail? Then I could just let the site manager know he needs to log in to the site's backend and activate the user from there. But I believe activating the user from the backend does not trigger the mail to be sent to the user. Correct? So the only way to do this would be through the frontend with the need to log in there?

brianteeman - comment - 6 Nov 2018

> Is there also a way to be able to activate the user from the backend that also does send the activation mail?

Unfortunately not yet - at least with the core - see #20282

brianteeman - change - 6 Nov 2018
Labels Added: J3 Issue
brianteeman - labeled - 6 Nov 2018
jjnxpct - comment - 6 Nov 2018

@brianteeman OK, great.

In the meantime I created a user with rights to the user component to see if the link works OK on our site. I believe in our case clicking on the link, then logging in did not work. But first logging in, then using the link in the mail did work.

Unfortunately we do not get any visual feedback (message) on the site saying the activation was successful or not. But since we got the mail in the second scenario we knew it worked.

brianteeman - comment - 6 Nov 2018

If you help to test that PR it might get merged - otherwise it will just stay there

jjnxpct - comment - 6 Nov 2018

I am quite new to GitHub and testing, other than reporting issues. Not even sure what a PR is exactly and how to test. But I will look into that.

Khodes - comment - 6 Nov 2018

I think I have discovered the issue. It had nothing to do with any of my extensions. It appears to be due to ACL (access level) for the login menu item. I followed the steps for the first answer in this post and now it works perfectly.

https://stackoverflow.com/questions/34883387/joomla-3-4-8-logged-in-users-seeing-error-you-are-not-authorised-to-view-this-re

jjnxpct - comment - 6 Nov 2018

@Khodes Maybe you can also test the PR for the activate button in the backend? Then this feature might be included in an upcoming release of Joomla. #20282

Khodes - comment - 6 Nov 2018

I would be happy to but how do I get the changed files to my dev server?

jjnxpct - comment - 6 Nov 2018

Mmm, yes. As I said I am also new to GitHub / testing / PR's etc. So I can't help you with that. Maybe someone else can point you (and me) in the right direction to get familiar with testing?

jjnxpct - comment - 6 Nov 2018

Excellent!

Quy - comment - 19 Dec 2018

@jjnxpct Can this be closed per PR #20282?

jjnxpct - comment - 19 Dec 2018

Sure!

joomla-cms-bot - change - 19 Dec 2018
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2018-12-19 11:03:05
Closed_By: joomla-cms-bot
Quy - change - 19 Dec 2018
Closed_By: joomla-cms-bot → Quy
joomla-cms-bot - close - 19 Dec 2018
joomla-cms-bot - comment - 19 Dec 2018

Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/22940

nikosfa - comment - 20 Dec 2018

In order to overcome this problem:

  1. Change the following parameter:
    Global Configuration -> Users: Options -> Integration = Modern (instead of default Legacy)
  2. Then click on the activation link to approve the new user.
  3. Log in as a user that has permission to activate the user.
  4. And finally ... the user is activated!

Best Regards

Nikos

brianteeman - comment - 20 Dec 2018

@nikosfa that means there is a bug, as you shouldn't need to change a default setting to make something work. Please open a new issue so this can be investigated further.
