Approving registration now needs login!? Topic is solved
Moderator: General Support Moderators
-
- Joomla! Intern
- Posts: 92
- Joined: Fri Sep 09, 2011 12:36 pm
Approving registration now needs login!?
I've got a website allowing user registration, with the admin(s) approving.
This has always consisted of an email with some of the registration data being sent to the admin, plus a hyperlink ending in the activation token; clicking the link approves the new user.
However since updating to Joomla 3.8.13 two days ago, the admin needs to be logged in to approve a hyperlink! This has been the first time in many updates that the responsible file (Joomlaroot > Components > Com_users > Models > Registration.php) has been changed.
Is this an intentional change? I suppose people can take control of an email account and then fail to reset the admin's password --- but usually you can reset webhosting passwords by hyperlink so having control over the email lets you get into the hosting and thus phpmyadmin and the jos_users table, so you can break into Joomla if you broke into the email, --- so that doesn't seem more secure.
This requirement mostly annoys me, because it means I have to insert the password into several portable devices ---laptop, ipad, mobile, family-pc, ... basically, every device I read my email (occasionally) on. It's a complicated password I don't know by heart, so it's a bother while travelling. [Half my users get registered to share relatively urgent news, so it makes sense that both admins approve as soon as possible; together we're online almost 24/7/365 as we live on different continents.]
I tested by installing a blank Joomla 3.8.12, allowing users to register, then registering via /index.php?option=com_users&view=registration --- first it worked, but after updating to 3.8.13 a password had to be given. Also it seems "www." was prepended to my domain name in the email, so the browser didn't remember the saved login+password pairs until I removed that "www.".
-
- Joomla! Guru
- Posts: 734
- Joined: Wed Aug 15, 2018 8:23 pm
Re: Approving registration now needs login!?
I tend to read the change log of updates before clicking that button, just to be sure nothing will go awry. Then I wait another 7 - 10 days, just in case there was a problem and a subsequent fix is released. It happens often.
The message at https://developer.joomla.org/security-c ... ation.html does indicate that there was a change done to remove the method of email approval.
What is needed is to give the option to the site owner to enable/disable the function, rather than entirely remove it.
[20181004] - Core - ACL Violation in com_users for the admin verification
Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Low
Versions: 1.5.0 through 3.8.12
Exploit type: ACL Violation
Reported Date: 2017-December-27
Fixed Date: 2018-October-02
CVE Number: CVE-2018-17855
Description
In case that an attacker gets access to the mail account of a user who can approve admin verifications in the registration process, he can activate himself.
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: Approving registration now needs login!?
Marvin_Martiano wrote: ↑Thu Oct 11, 2018 6:53 pm
... since updating to Joomla 3.8.13 two days ago, the admin needs to be logged in to approve a hyperlink. ... Is this an intentional change?
See viewtopic.php?f=9&t=966169#p3543083
- Webdongle
- Joomla! Master
- Posts: 44085
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Approving registration now needs login!?
https://keepass.info/news/n180910_2.40.html
On a keyboard Ctrl+Alt+A securely enters password
Android version it's a press of a button
Easy to set up for each login and even easier to auto fill the login.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Apprentice
- Posts: 45
- Joined: Tue Oct 25, 2011 6:09 am
Re: Approving registration now needs login!?
I'm all for the change as it enhances security. What I don't understand is that it doesn't work for the Administrator when logged in via the backend, but does work when the same administrator is logged in through the frontend.
Thanks
- Webdongle
- Joomla! Master
- Posts: 44085
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Approving registration now needs login!?
Does the activation link lead to the Frontend or to admin?
-
- Joomla! Apprentice
- Posts: 45
- Joined: Tue Oct 25, 2011 6:09 am
Re: Approving registration now needs login!?
The activation links to the Frontend. My expectation would be to go to the backend as it (now) needs administrator authorisation.
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: Approving registration now needs login!?
As I've written before, from J! 3.8.13, administrators need to log in to the frontend to approve user registrations.
-
- Joomla! Apprentice
- Posts: 45
- Joined: Tue Oct 25, 2011 6:09 am
Re: Approving registration now needs login!?
OK.
Thanks