
sovainfo
18 Oct 2014

Fixes #4841

User registration from frontend should work, whether you are logged in or not. Both user email and admin verification should be allowed when logged in. Both as user and admin.

Testing scenarios:
1. Backend adding user
2. Frontend registration with verification none
3. Frontend registration with verification self, verification while not logged in
4. Frontend registration with verification self, verification while logged in as different user
5. Frontend registration with verification admin, verification while not logged in
6. Frontend registration with verification admin, verification while logged in as different user
7. Frontend registration with verification admin, verification while logged in as admin

All scenarios passed with PR applied to J2520 updated to J2527 via J2525 on MySQL, Apache on W8.1

sovainfo - open - 18 Oct 2014
wilsonge - comment - 18 Oct 2014

4. Frontend registration with verification self, verification while logged in as different user

This shouldn't pass. That is exactly what the current code, which you are removing, is designed to stop. The only thing that we need to allow is the admin activation to be allowed through.

The fix you need is to apply f7754e7 then 34c33dc

sovainfo - comment - 18 Oct 2014

What makes you say that it shouldn't pass?
As far as I am concerned that sounds very stupid. I couldn't care less who happens to be logged in. It is completely irrelevant. Why force a logout?

Or start any of the other browsers and enter the link there, and it succeeds!!!!!!

wilsonge - comment - 18 Oct 2014

Why should another user be able to confirm the account of another? It shouldn't be possible. We want to make as sure as we can that the user who created the account is the one who is actually activating it. The likelihood of a user wanting two accounts is low in comparison. Hence why we've had this check since 1.5 days!

sovainfo - comment - 18 Oct 2014

It is not another user that is confirming the email! You can't be logged in to verify an email, complete nonsense for both self and admin!

And again, log out or start a different browser and you'll succeed! What kind of protection/security is that?????

wilsonge - comment - 18 Oct 2014

Why should it be nonsense that an admin is logged in when he goes to verify a user?

Also, you stated as one of your use cases above "4. Frontend registration with verification self, verification while logged in as different user", and that test should fail because, as you said, it is stupid that a user can be logged in and verify another user.

sovainfo - comment - 18 Oct 2014

Giving up. This was what was requested. As an exception I created this for J2.5. Couldn't care less whether it gets implemented! J2.5 has been dead for me for a long time!

Had a similar discussion about this on J3 when reverting. Apparently we have a different opinion.
No interest to continue discussion. No intention to waste any more time!

sovainfo - close - 18 Oct 2014
sovainfo - change - 18 Oct 2014
The description was changed
Status: Pending → Closed
Closed_Date: 0000-00-00 00:00:00 → 2014-10-18 22:08:11
sovainfo - head_ref_deleted - 3 Apr 2015
