tntmartin
27 Mar 2019

Steps to reproduce the issue

I hope this is the right place to request changes.

After Joomla 3.8.12 it's no longer possible to activate a new user by the link in the e-mail.
Now there is an additional requirement to log in before clicking on the link. Is it reasonable to make this security design optional in future versions so you can turn it off? I mean, you have the option for users to get activated directly on registration, so I don't see it as a big flaw to make it optional for admins to directly activate users by the link in the e-mail, without login.

https://developer.joomla.org/security-centre/754-20181004-core-acl-violation-in-com-users-for-the-admin-verification.html

Expected result

Actual result

System information (as much as possible)

Additional comments

tntmartin - open - 27 Mar 2019
joomla-cms-bot - change - 27 Mar 2019
Labels Added: ?
joomla-cms-bot - labeled - 27 Mar 2019
franz-wohlkoenig - change - 27 Mar 2019
Category com_users
mbabker - comment - 27 Mar 2019

This cannot be turned off without re-introducing the referenced security issue; even if it is an option turned on by the user's choice, it has security repercussions. Issue should be closed as a won't fix.

joomla-cms-bot - change - 27 Mar 2019
Status Expected Behaviour Closed
Closed_By Quy joomla-cms-bot
joomla-cms-bot - close - 27 Mar 2019
Quy - change - 27 Mar 2019
Status New Expected Behaviour
Closed_Date 0000-00-00 00:00:00 2019-03-27 21:10:03
Closed_By Quy
joomla-cms-bot - comment - 27 Mar 2019

Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/24381
