?
avatar Pinkeltje
Pinkeltje
27 Sep 2014

Votes

# of Users Experiencing Issue
0/1
Average Importance Score
4.00

avatar Pinkeltje Pinkeltje - open - 27 Sep 2014
avatar infograf768
infograf768 - comment - 28 Sep 2014

I confirm this
Message obtained by user when created account:
message_user_afterfillingaccount

Mail received by user
user_received_mail

Message displayed on site to user after confirmation
message_userafterclickingonlinktoverify

Mail received by admin
mailrecivedbyadmin

Message seen by admin on site after activating through the link received in mail above
messageseenbyadminafteractivating

avatar infograf768
infograf768 - comment - 28 Sep 2014

This is an important REGRESSION.
could be related to
f7754e7

avatar wilsonge
wilsonge - comment - 28 Sep 2014

It could be related but only in so far as that fixed a bug where if the admin was logged in they couldn't activate the user. They had to be logged out to activate the user from the email.

avatar HAZET
HAZET - comment - 28 Sep 2014

I can confirm this behaviour, but am under the impression that I had it under 3.3.3 as well. Not sure though.
An issue maybe related is that I get multiple notifications to the admin. I'm going to debug this tonight and will post my findings.
I am not that familiar with the rules and customs of this community, so if I post in the wron play or way, gentle hints are much appreciated.
H

avatar zero-24 zero-24 - change - 28 Sep 2014
Category Front End
avatar HAZET
HAZET - comment - 28 Sep 2014

Just tested. Same behaviour on 3.3.3. New user clicks on activation link, gets the message above. Admin gets 4 (!) notifications (identical), after activation in the BE no message to user.

avatar HAZET
HAZET - comment - 28 Sep 2014

The multiple admin mails were my mistake. All good there.

avatar HAZET
HAZET - comment - 28 Sep 2014

In component/com_users/models/registration.php line 74 and following this:

        // Permissions check for admin to activate user
        $admin = JFactory::getUser();
        $allow  = $admin->authorise('core.edit.state', 'com_users');

returns the user just registered for the $admin and a false for $allow. Consequently in line 146

        elseif (($userParams->get('useractivation') == 2) && $user->getParam('activate', 0) && $allow)

the condition is false. No mail is sent.

The user is still activated because the if - elseif - else ends with line 180 and following:

        else
        {
            $user->set('activation', '');
            $user->set('block', '0');
        }

Any idea why the JFactory::getUser() returns the wrong user?

Henrik

avatar HAZET
HAZET - comment - 28 Sep 2014

Do I understand the process correctly?
1. User registers. A token is generated and stored in the db. Also a mail with an activation link containing this token is sent to the user.
2. User clicks on the link. As admin activation is on, the account is not activated, but instead a new different token is generated, stored with the user in the db and sent as part of a new activation link to the admins. The parameter activate of the user object is set to 1 to reflect that the user verified the registration by clicking on the link.
3. Anyone who has the new link, logged in or not, should be able to use it to activate the user. As activate=1 is set, the user is activated.

If this is so, why use the code in line 74 at all? Why check for authorization? There won't be any as long as one is not logged in. So the fix f7754e7 actually made things worse???

avatar Pinkeltje
Pinkeltje - comment - 28 Sep 2014

Sorry HAZET, but 3.3.3 is working as expected. I'm not a coder but this definitely happened after updaten to 3.3.4.
Joomla 3.3.3:
User registers:
yndi 20140928 - 1011
User receives e-mail with verification link. User clicks link.
yndi 20140928 - 1012
Admin receives e-mail with activation link and clicks link:
yndi 20140928 - 1013
User receives e-mail that account has been confirmed.

avatar HAZET
HAZET - comment - 28 Sep 2014

Dear Madam, dear Sir,

The intended recipient of your mail, Henrik Zawischa, is no longer with SONIC Performance Support. Your mail may be forwarded and read by a colleague, who will contact you if appropriate.

Kind regards

SONIC Performance Support

avatar sovainfo
sovainfo - comment - 28 Sep 2014

Confirm that registration with admin approval works as expected in J333. Also confirm findings about j334. It requires administrator to be logged in on frontend for sending mail to user and receiving correct message.
Also confirm checking administrator permissions is poorly implemented(adding condition && $allow on line.146). Even when it is desirable!

avatar wilsonge
wilsonge - comment - 28 Sep 2014

Ok so what's the best solution. Because before previous PR we have the
opposite issue where if the admin is logged in then no activation OR email
happens!

(Apologies if this seems terse - on phone so keeping it short)

On Sunday, September 28, 2014, sovainfo notifications@github.com wrote:

Confirm that registration with admin approval works as expected in J333.
Also confirm findings about j334. It requires administrator to be logged in
on frontend for sending mail to user and receiving correct message.
Also confirm checking administrator permissions is poorly
implemented(adding condition && $allow on line.146). Even when it is
desirable!


Reply to this email directly or view it on GitHub
#4376 (comment).

avatar sovainfo
sovainfo - comment - 28 Sep 2014

Suggest to replace the if .....else structure with a case on activation mode. When admin have a condition for user or admin. Place the email stuff in private functions. Put the changes for $user and the call for mail function in the if and else branch. Loose the check on permission of loggedin user..

avatar infograf768 infograf768 - change - 29 Sep 2014
Priority Medium Urgent
avatar HAZET
HAZET - comment - 29 Sep 2014

@pinkeltje: My bad re 3.3.3. I was confused by no mail being sent from the backend. But that is always the case, no new thing. I'll add feature request regarding that.

Back to the case here. I wonder why the condition in line 146 was introduced at all. Its only effect is the mail not going out. It can not have helped against the issue it was supposed to fix.

I'd suggest adding a configurable option for people with higher security requirements: admin approval requires authentication.
If set, check if user is logged in. If not, display message that a login is required. If logged in lacking privileges, display a message that admin rights are required. In both cases do NOT authenticate the account.

If the authentication is not required, activate the account if activate=1 is set and send a message. No checking of authentication required.
Like this:

If (admin activation) {
if (authentication required) {
if (logged in) {
if (authorised) {
activate user
send mail
display message "Account activated, mail sent"
} else {
display message "Not authorised!"
}
} else {
display message "Need to log in first!"
}
} else {
activate user
send mail
display message "Account activated, mail sent"
}
} else {
activate user
display message "Your account is active now!"
}

Maybe you can find a better way of sorting to avoid redundancy.

avatar sovainfo
sovainfo - comment - 29 Sep 2014

The reason I called it poorly implemented is because:
-1 Now you need to be logged in at the frontend to get notification to the user.
-2 Not being logged in activates the user but suggests something went wrong and doesn't notify the user.

avatar HAZET
HAZET - comment - 29 Sep 2014

@sovainfo: I agree with you. And having a test there that checks for authorisation leads to the wrong conclusion that the account could only be activated by an authenticated admin, while in reality it can be activated by anybody who has the link or token.

I think this raises two questions:
a) Do we want the option to activate an account with admin approval but without authentication, i.e. do we think the possesion of the second token is proof enough of the authenticity of the request, as only the admins can have the second token?
b) Is it neccessary to provide an configuration option to force authentication for higher security demands?

My answer to both: yes.

I'd be happy with activation by second token without authentication. For many sites this will be a reasonably secure and easy to handle approach.
I can imagine some sites needing higher security constraints, so the admin must be logged in to activate an account. Else anybody able to guess or intercept the second token can activate an account.

avatar infograf768
infograf768 - comment - 29 Sep 2014

At this stage, I am thinking that f7754e7 solves the issue for a case which is much less likely to happen than when the admin activating is not logged in frontend (Happily, a similar patch was not merged in 2.5.x)
Therefore, as we have to release a 3.3.5 urgently, I think we should revert and take the time to solve this issue fully in 3.4.0.
What do you think?

avatar HAZET
HAZET - comment - 29 Sep 2014

@infograf768: Happy with your suggestion, as long as we don't forget.

avatar Kubik-Rubik
Kubik-Rubik - comment - 29 Sep 2014

@infograf768 Fully agreement here! Let's bring the version 3.3.5 online and fix this issue in the 3.4 branch.

avatar infograf768
infograf768 - comment - 29 Sep 2014

Preparing PR to revert

avatar infograf768
infograf768 - comment - 29 Sep 2014

Please test
#4390

avatar zero-24 zero-24 - close - 29 Sep 2014
avatar mbabker
mbabker - comment - 29 Sep 2014

Fixed via #4390

avatar mbabker mbabker - close - 29 Sep 2014
avatar mbabker mbabker - change - 29 Sep 2014
Status New Closed
Closed_Date 0000-00-00 00:00:00 2014-09-29 14:41:35
avatar rvbgnu
rvbgnu - comment - 17 Oct 2014

I was testing this this summer, and I'm grateful that it is fixed with 3.3.7-dev (was kind of lost between issue, PR and comments, while not being in joomla code every day ;-). Checking in 2.5.x now...

avatar zero-24 zero-24 - change - 7 Jul 2015
Labels Added: ?

Add a Comment

Login with GitHub to post a comment