I believe I found a core bug with Elgg registration...
If the user trying to register provides mismatched passwords, they receive an error message; however, they become an active user without any notification, leaving their email address and username useless for further registration!
Serious problem? Definitely. Can anyone address this?
Just added it to trac http://trac.elgg.org/ticket/2454
and I think a small change is there Dhrup,
if (((trim($password) != "") && (strcmp($password, $password2) == 0)) && ($guid))
{
$guid = register_user($username, $password, $name, $email, false, $friend_guid, $invitecode);
The guid for the user is created only after the register_user() function runs. But our first line is asking for a guid, so I think it should be like
if (((trim($password) != "") && (strcmp($password, $password2) == 0)))
{
$guid = register_user($username, $password, $name, $email, false, $friend_guid, $invitecode);
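The ordering the fix above restores, as an added example that is not part of the thread or of Elgg's code: every check runs before anything is stored, so a failed attempt leaves the username free for a retry. `UserStore` and `register()` are hypothetical stand-ins (an in-memory array instead of Elgg's `register_user()`), the input is constructed, and PHP 8 is assumed.

```php
<?php
// Added illustration (PHP 8+). UserStore and register() are hypothetical
// stand-ins using an in-memory array; they are not Elgg's API.
final class UserStore {
    private array $users = [];

    public function exists(string $username): bool {
        return isset($this->users[$username]);
    }

    // Persists the account and returns a numeric id (stand-in for a GUID).
    public function create(string $username, string $email, string $password): int {
        $this->users[$username] = [
            'email' => $email,
            'hash'  => password_hash($password, PASSWORD_DEFAULT),
        ];
        return count($this->users);
    }
}

// Returns the new id on success or an error message; stores nothing on failure.
function register(UserStore $store, string $username, string $email,
                  string $password, string $password2): int|string {
    if (trim($password) === '') {
        return 'The password must not be blank.';
    }
    if ($password !== $password2) {
        return 'The passwords do not match.';
    }
    if ($store->exists($username)) {
        return 'That username is already taken.';
    }
    return $store->create($username, $email, $password); // id exists only from here on
}

// Constructed sample input: a mistyped confirmation, then a corrected retry.
$store = new UserStore();
$first = register($store, 'alice', 'alice@example.org', 'correct horse', 'correct hrose');
if (!is_string($first) || $store->exists('alice')) {
    throw new RuntimeException('failed attempt must not leave an account behind');
}
$second = register($store, 'alice', 'alice@example.org', 'correct horse', 'correct horse');
if ($second !== 1 || !$store->exists('alice')) {
    throw new RuntimeException('retry with the same username should succeed');
}
echo "first attempt: $first\nretry: created id $second\n";
```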
true.. i'm going blind lolz ;-)
Alright, it's working well! Users get an error message, are redirected back to the reg page and there are no new active users under the User Administration panel!! : )
1 issue still though: the username becomes unavailable after an error is made on the registration page. Any idea what is capturing the username?
@Webgalli & Dhrup
Nice catch, everything is working perfect now after webgalli's last change!
Works fine for me too! Thanks guys!!!
triout, is this still an issue?:
@Yakiv
No, this is no longer an issue, with the inclusion of Webgalli's latest addition to the code, removing the && ($guid)):
and I think a small change is there Dhrup,
if (((trim($password) != "") && (strcmp($password, $password2) == 0)) && ($guid))
{
$guid = register_user($username, $password, $name, $email, false, $friend_guid, $invitecode);
The guid for the user is created only after the register_user() function runs. But our first line is asking for a guid, so I think it should be like
if (((trim($password) != "") && (strcmp($password, $password2) == 0)))
{
$guid = register_user($username, $password, $name, $email, false, $friend_guid, $invitecode);
cheers : )
@Tri - I already caught the code typo lolz and I think so did yew ;-) but as you said "perfect.." good to see that you got it working - because this really was a serious buggy since some versions back that nobody ever noticed until you spoke up and i read over the code lolz ;-P
@Dhrup - just making sure the community caught the fix that we saw mentioned by webgalli above : )