After a registration, I'm able to log in even if my account is not yet enabled
------------------------------------------------------------------------------
Key: MGNLPUR-60
URL: http://jira.magnolia-cms.com/browse/MGNLPUR-60
Project: Magnolia Public User Registration
Issue Type: Bug
Affects Versions: 1.3
Reporter: Samuel Schmitt
Priority: Critical
Fix For: 1.4

With the default configuration (registration strategy set to Never), when you
create a new account, you receive a mail asking you to click on a link that
will enable your account.
Even if you don't click on this mail, you are able to log in with this new
account.

When you create a new user, it creates everything in the user workspace, and sets
on the user object (in memory) a flag enabled to false.
When you try to log in with this new account, in the login filter, it
checks if the user is here and then you are logged in... It doesn't care about
this flag, but anyway I don't really understand how the user object created
before could be retrieved at this time.

Maybe we should review the strategy.
First creating a user under {realm}/tovalidate/username, and then when the user
clicks on the validation link, we move the user node to {realm}/username.
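
The strategy suggested above, modelled as an added example that is not part of the original report and is not Magnolia code. The class name, the in-memory map standing in for the user workspace, the token format and the PBKDF2 parameters are all assumptions; the point is that the enabled flag is stored with the node and that login resolves only {realm}/username.

```java
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PendingRegistrationDemo { // hypothetical in-memory model, not Magnolia code
    record User(byte[] salt, byte[] hash, boolean enabled) {}
    private final Map<String, User> nodes = new HashMap<>();      // node path -> user
    private final Map<String, String[]> tokens = new HashMap<>(); // token -> {realm, name}
    private final SecureRandom rng = new SecureRandom();
    static byte[] pbkdf2(char[] pw, byte[] salt) throws Exception {
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(pw, salt, 100_000, 256)).getEncoded();
    }

    // Registration writes only under {realm}/tovalidate and stores enabled=false.
    String register(String realm, String name, char[] pw) throws Exception {
        String pending = realm + "/tovalidate/" + name;
        if (name.contains("/") || nodes.containsKey(pending) || nodes.containsKey(realm + "/" + name))
            throw new IllegalArgumentException("user name invalid or already taken");
        byte[] salt = new byte[16], raw = new byte[32];
        rng.nextBytes(salt); rng.nextBytes(raw);
        nodes.put(pending, new User(salt, pbkdf2(pw, salt), false));
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(token, new String[] {realm, name});
        return token; // would be embedded in the validation link sent by mail
    }

    // The validation link moves the node to {realm}/username and enables it.
    boolean validate(String token) {
        String[] who = tokens.remove(token);
        User u = who == null ? null : nodes.remove(who[0] + "/tovalidate/" + who[1]);
        if (u != null) nodes.put(who[0] + "/" + who[1], new User(u.salt(), u.hash(), true));
        return u != null; // false for an unknown or already used token
    }

    // Login resolves only {realm}/username and still checks the stored flag.
    boolean login(String realm, String name, char[] pw) throws Exception {
        User u = nodes.get(realm + "/" + name);
        return u != null && u.enabled() && MessageDigest.isEqual(u.hash(), pbkdf2(pw, u.salt()));
    }

    public static void main(String[] args) throws Exception {
        PendingRegistrationDemo s = new PendingRegistrationDemo();
        char[] pw = "s3cret".toCharArray(); // constructed sample credentials
        String token = s.register("public", "alice", pw);
        System.out.println(s.login("public", "alice", pw) + " " + s.validate(token) + " " + s.login("public", "alice", pw));
    }
}
```

Rejecting a name that is already pending or already validated keeps a second registration from replacing the credentials that a previously mailed link would then enable.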