Approving registration now needs login!? Topic is solved

Marvin_Martiano
Joomla! Intern
Posts: 92
Joined: Fri Sep 09, 2011 12:36 pm

Approving registration now needs login!?

Post by Marvin_Martiano » Thu Oct 11, 2018 6:53 pm

I've got a website allowing user registration, with the admin(s) approving.

This has always consisted of an email with some of the registration data being sent to the admin, plus a hyperlink ending in the activation token; clicking the link approves the new user.

However, since updating to Joomla 3.8.13 two days ago, the admin needs to be logged in to approve a hyperlink! This has been the first time in many updates that the responsible file (Joomlaroot > Components > Com_users > Models > Registration.php) has been changed.

Is this an intentional change? I suppose people can take control of an email account and then fail to reset the admin's password --- but usually you can reset webhosting passwords by hyperlink so having control over the email lets you get into the hosting and thus phpmyadmin and the jos_users table, so you can break into Joomla if you broke into the email, --- so that doesn't seem more secure.

This requirement mostly annoys me, because it means I have to insert the password into several portable devices ---laptop, ipad, mobile, family-pc, ... basically, every device I read my email (occasionally) on. It's a complicated password I don't know by heart, so it's a bother while travelling. [Half my users get registered to share relatively urgent news, so it makes sense that both admins approve as soon as possible; together we're online almost 24/7/365 as we live on different continents.]

I tested by installing a blank Joomla 3.8.12, allowing users to register, then registering via /index.php?option=com_users&view=registration --- first it worked, but after updating to 3.8.13 a password had to be given. Also it seems "www." was prepended to my domain name in the email, so the browser didn't remember the saved login+password pairs until I removed that "www.".

annahersh
Joomla! Guru
Posts: 734
Joined: Wed Aug 15, 2018 8:23 pm

Re: Approving registration now needs login!?

Post by annahersh » Thu Oct 11, 2018 7:14 pm

I tend to read the change log of updates before clicking that button, just to be sure nothing will go awry. Then I wait another 7 - 10 days, just in case there was a problem and a subsequent fix is released. It happens often.

The message at https://developer.joomla.org/security-c ... ation.html does indicate that there was a change done to remove the method of email approval.
[20181004] - Core - ACL Violation in com_users for the admin verification

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Low
Versions: 1.5.0 through 3.8.12
Exploit type: ACL Violation
Reported Date: 2017-December-27
Fixed Date: 2018-October-02
CVE Number: CVE-2018-17855

Description

In case that an attacker gets access to the mail account of an user who can approve admin verifications in the registration process he can activate himself.
What is needed is to give the option to the site owner to enable/disable the function, rather than entirely remove it.

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Approving registration now needs login!?

Post by sozzled » Thu Oct 11, 2018 7:30 pm

Marvin_Martiano wrote:
Thu Oct 11, 2018 6:53 pm
... since updating to Joomla 3.8.13 two days ago, the admin needs to be logged in to approve a hyperlink. ... Is this an intentional change?
See viewtopic.php?f=9&t=966169#p3543083

Webdongle
Joomla! Master
Posts: 44085
Joined: Sat Apr 05, 2008 9:58 pm

Re: Approving registration now needs login!?

Post by Webdongle » Thu Oct 11, 2018 9:27 pm

https://keepass.info/news/n180910_2.40.html
On a keyboard Ctrl+Alt+A securely enters password
Android version it's a press of a button
Easy to set up for each login and even easier to auto fill the login.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

lister171254
Joomla! Apprentice
Posts: 45
Joined: Tue Oct 25, 2011 6:09 am

Re: Approving registration now needs login!?

Post by lister171254 » Sun Oct 14, 2018 9:17 pm

I'm all for the change as it enhances security. What I don't understand is that it doesn't work for the Administrator when logged in via the backend, but does work when the same administrator is logged in through the frontend.

Thanks

Webdongle
Joomla! Master
Posts: 44085
Joined: Sat Apr 05, 2008 9:58 pm

Re: Approving registration now needs login!?

Post by Webdongle » Sun Oct 14, 2018 9:32 pm

Does the activation link lead to the Frontend or to admin?

lister171254
Joomla! Apprentice
Posts: 45
Joined: Tue Oct 25, 2011 6:09 am

Re: Approving registration now needs login!?

Post by lister171254 » Sun Oct 14, 2018 9:37 pm

The activation links to the Frontend. My expectation would be to go to the backend as it (now) needs administrator authorisation.

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Approving registration now needs login!?

Post by sozzled » Sun Oct 14, 2018 9:40 pm

As I've written before, from J! 3.8.13, administrators need to login to the frontend to approve user registrations.
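
The behaviour change discussed in this thread, as an added example that is not part of any post and is not Joomla's code: a toy Python model contrasting approval by token alone (the flow the quoted advisory describes) with approval that also requires a front-end session of an account allowed to approve. The class, method names, return strings and the "site"/"administrator" client labels are assumptions made for illustration.

```python
import hmac
import secrets


class RegistrationSite:
    """Toy model of admin-approved registration; all names are hypothetical."""

    def __init__(self, approvers):
        self.approvers = set(approvers)  # accounts allowed to approve users
        self.pending = {}                # activation token -> new username
        self.active = set()              # approved usernames
        self.sessions = {}               # (client, session id) -> username

    def register(self, username):
        token = secrets.token_hex(16)
        self.pending[token] = username
        return token                     # mailed to approvers inside the link

    def login(self, username, client):
        sid = secrets.token_hex(16)
        self.sessions[(client, sid)] = username
        return sid

    def _activate(self, token):
        # Constant-time comparison against every pending (hex) token.
        for known in list(self.pending):
            if hmac.compare_digest(known, token):
                self.active.add(self.pending.pop(known))
                return "approved"
        return "invalid_token"

    def approve_token_only(self, token):
        # Old flow: the link is a bearer credential, so whoever can read
        # the approver's mailbox can approve a pending account.
        return self._activate(token)

    def approve_with_login(self, token, session_id=None):
        # New flow: the link is handled by the front end ("site"), so only
        # a front-end session counts; a back-end session is not seen here.
        user = self.sessions.get(("site", session_id))
        if user is None:
            return "login_required"
        if user not in self.approvers:
            return "forbidden"
        return self._activate(token)
```

In this model a session opened with `login("admin", "administrator")` still yields `login_required`, which matches what lister171254 reports about being logged in through the backend.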

lister171254
Joomla! Apprentice
Posts: 45
Joined: Tue Oct 25, 2011 6:09 am

Re: Approving registration now needs login!?

Post by lister171254 » Sun Oct 14, 2018 9:46 pm

OK.
Thanks

