I'm using elgg 2.3.14 currently and I have a plugin that uses a third-party authenticator (Auth0) to log in to my site. I currently register the auth0 user in the background once I have their credentials making a call like:
forward('register?name='.$name.'&email='.$email.'&authId='.$authId.'&username='.$username);
where I have pulled the user's creds from my auth0 object. My question is, how can I prevent outsiders from hitting the register action? I can see that it's listed as a public action when I view all of the actions from the administration page, how would I change that setting? I currently get lots of fake registrations because that is a public action and I can't block. I know setting the verify email to 'on' would at least make the users unvalidated, but I don't want to force email verification in order to register.

Jerome Bakker (@jeabakker):
You could register an action hook on the register action and prevent the action from continuing if the authId doesn't match the given credentials.
See http://learn.elgg.org/en/2.3/guides/actions.html

TCB (@tblack06):
Thanks.. I will take a look at that option.
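
One way to implement the action-hook check suggested in the reply above, as an added example that is not from the thread or from Elgg itself. The plugin name `auth0_gate`, its function names and the session key are hypothetical, and it assumes the plugin calls `auth0_gate_remember_identity()` in its Auth0 callback after Auth0 has verified the user.

```php
<?php
// start.php of a hypothetical plugin "auth0_gate" (added example; all names are assumptions)

elgg_register_event_handler('init', 'system', 'auth0_gate_init');

function auth0_gate_init() {
	// The 'action', '<action name>' hook is triggered before the action script runs;
	// returning false from the handler aborts the action.
	elgg_register_plugin_hook_handler('action', 'register', 'auth0_gate_check_register');
}

/**
 * Call from the Auth0 callback, after Auth0 has verified the login and
 * before forwarding to registration. The identity is kept in the
 * server-side session, so values in the forwarded URL cannot forge it.
 */
function auth0_gate_remember_identity($authId, $email) {
	elgg_get_session()->set('auth0_gate_identity', [
		'authId' => (string) $authId,
		'email' => strtolower((string) $email),
	]);
}

/**
 * Abort the register action unless the submitted authId and email match
 * what Auth0 verified for this session.
 */
function auth0_gate_check_register($hook, $type, $return, $params) {
	$session = elgg_get_session();
	$expected = $session->get('auth0_gate_identity');
	$session->remove('auth0_gate_identity'); // single use: one attempt per Auth0 login

	$authId = (string) get_input('authId');
	$email = strtolower((string) get_input('email'));

	if (!is_array($expected)
		|| $authId === ''
		|| !hash_equals($expected['authId'], $authId)
		|| !hash_equals($expected['email'], $email)) {
		register_error('Registration is only available after signing in with Auth0.');
		return false; // direct requests to the public action stop here
	}

	return $return;
}
```

Because the stored identity is removed on the first attempt, a registration that fails for another reason (for example a taken username) requires a fresh Auth0 login.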