We have set up one of our client sites to allow users to request an account for the site. The site manager then receives an e-mail with a link he can use to activate the user. ("You can activate the user by selecting on the link below:")
Clicking on the link should activate the user.
An error appears "Please log in to confirm that you are authorized to activate new accounts."
This did not happen before. (Before Joomla 3.9)
Joomla 3.9
PHP 7.2.10 on Linux Apache/2
MySQL 5.5.61
Ah, I see.
But when an attacker has access to the mailbox of the user then they could also reset the password...
But besides that, to get the activation link to work, the user should first log in to the frontend of the website and then click on the link?
I could also ask the user (site manager that gets the activation mail) to log in to the backend and activate the user there, but I am not sure if that action also sends out the e-mail to the new user confirming their subscription?
The problem is that after logging in to the front end (even as super user) you cannot activate the user. If I am logged in I get the error message:
You are not authorised to view this resource.
Is this a bug?
The only way to activate a user now seems to be via the administration area but this does not send an email to the user to let them know they have been activated.
But besides that, to get the activation link to work, the user should first log in to the frontend of the website and then click on the link?
No just login at the page the message showed to you. It redirects to the link you clicked from the mail and activates the account.
The problem is that after logging in to the front end (even as super user) you cannot activate the user. If I am logged in I get the error message:
A bit more detail here please. Where did you log in? What URL are you entering then? What kind of "Security" extensions do you have installed? Can you reproduce this on a clean installed site with protostar?
I have tried logging in before I click the registration approval link and also clicking the link and then logging in. Both ways produce the same error message.
We are using the GDPR extension from Joomla Extension store.
I will try a clean install and let you know.
Thanks
It works OK on a clean install so it must be one of the extensions I am using. I will investigate.
Thanks
Please let us know what the problem was when you find it. Would be interesting to know. Thanks!
Neither way works on my live site but clicking the link and then logging in works fine on a clean install. This is the way I would expect it to work. The problem must be something on my live site. It could be a component or the way I redirect after login. I will investigate this later today.
Is there also a way to be able to activate the user from the backend that also does send the activation mail? Then I could just let the site manager know he needs to log in to the site's backend and activate the user from there. But I believe activating the user from the backend does not trigger the mail to be sent to the user. Correct? So the only way to do this would be through the frontend with the need to login there?
Labels | Added: J3 Issue |
@brianteeman OK, great.
In the meantime I created a user with rights to the user component to see if the link works OK on our site. I believe in our case clicking on the link, then logging in did not work. But first logging in, then using the link in the mail did work.
Unfortunately we do not get any visual feedback (message) on the site saying the activation was successful or not. But since we got the mail in the second scenario we knew it worked.
If you help to test that PR it might get merged - otherwise it will just stay there
I am quite new to GitHub and testing, other than reporting issues. Not even sure what a PR is exactly and how to test. But I will look into that.
I think I have discovered the issue. It had nothing to do with any of my extensions. It appears to be due to ACL (access level) for the login menu item. I followed the steps for the first answer in this post and now it works perfectly.
I would be happy to but how do I get the changed files to my dev server?
Mmm, yes. As I said I am also new to GitHub / testing / PRs etc. So I can't help you with that. Maybe someone else can point you (and me) in the right direction to get familiar with testing?
Excellent!
Sure!
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-12-19 11:03:05 |
Closed_By | ⇒ | joomla-cms-bot |
Closed_By | joomla-cms-bot | ⇒ | Quy |
Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/22940
In order to overcome this problem:
Best Regards
Nikos
This is a security fix introduced in 3.8.13 https://developer.joomla.org/security-centre/754-20181004-core-acl-violation-in-com-users-for-the-admin-verification.html.