Issue with permissions and roles

Hi,

I recently upgraded to Vanilla 2.1.3 from 2.0.18.3. The upgrade went quite smoothly (thanks to the Vanilla team).

However, I noticed that after the upgrade, bots were able to come and post URLs in their profiles, and those would show up in the Activity stream. I remember having turned this permission off explicitly in the settings in 2.0.18x. So, it seems that the permissions got changed after the upgrade. While I was investigating it, I noticed a few issues, which I would like to get help on.

My registration option is set to Approval, and it requires users to confirm their email address. Email Confirmation Role is set to Applicant.

Questions/Issues:

  1. I registered myself with a test account. I confirmed my email address successfully. However, in the Dashboard, I see that the Role is set to "Not Verified, Member". Why is the role set to Not Verified after I've successfully verified the email address?

  2. The "Not Verified" role is actually a link. If I click on it, it toggles between Not Verified / Verified, but it doesn't seem to make any difference. What is the purpose of having it as a link?

  3. If I approve a user before the user has verified the email, then the email verification link becomes invalid. Is it possible to configure it such that the admin gets the user application only after the user has verified the email link?

  4. In Roles and Permissions, I have 6 roles - Guest, Applicant, Member, Moderator, Administrator, Confirm Email. I'm not sure which ones are default (come out of the box with Vanilla), and which ones were added by me. I would like to use the out of the box roles and delete the ones that I added. Which roles come out of the box?

  5. In the Email Confirmation Role drop down, I see only 4 roles. Why do I not see all 6? I don't see Guest and Confirm Email. Ideally, I think it should be set to Confirm Email role. What do I need to see all roles in the Email Confirmation Role drop down list?

I'll appreciate any help on these issues.

Thanks.

Comments

  • Welcome to the community!

    The 'Verified' status refers to Spam Verification. Verified users don't get passed through the spam filters. Flood protection still applies.

    Those are all the default roles.

    I will have to check on the others, but I just woke up. :)

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • Thanks, @hgtonight for your help. It makes sense now. Looking forward to your responses on the other questions :)

  • In the drop down, I see 5 roles (every one except Guest). I am assuming something is a little off in your Role table because of the import.

    As far as approval processing goes, your approval shouldn't affect the email confirmation process. It will grant the user the default role making them able to post and stuff.

  • Is there a way I can go about fixing the missing role (in the drop down)? Ideally I would like the user to stay in the Confirm Email role until he/she completes the email confirmation process.

    Thanks again.

  • peregrine MVP
    edited October 2014

    Ideally I would like the user to stay in the Confirm Email role until he/she completes the email confirmation process.

    they should.

    you may need to reset

    http://vanillaforums.org/discussion/26685/vanilla-2-1-stable-released/p1

    Verify your permissions are correct for every role. Then go to /role/defaultroles and confirm your default roles are set correctly.

    I believe all your five questions are answered in the forum already with a search of the words.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Thanks, @peregrine‌

    I have verified that the permissions are set correctly. I went to /role/defaultroles.

    1. Check all roles that should be applied to new/approved users. -> Member
    2. Check all roles that should be applied to guests. -> Guest
    3. Select the role that should be applied for new applicants. This only applies if you have the approval registration method. -> Applicant.

    Is this correct?

    Even if I change the last one to "Confirm Email", I don't see Confirm Email in the drop down for Email Confirmation Role.

    Is there anything else I can do to fix it?

  • The Applicant has the Confirm Email Role which has guest permissions.

  • Another strange thing that I'm seeing after the upgrade - new members (bots) are able to join without my approval even though my registration is set to Applicant. Just today a member (bot) joined without approval. That never happened before the upgrade.

    How is that possible?

  • Those are Bot Applicants not new members. I suggest you use all of peregrine's plugins that deal with spam bots and such.

  • post a snapshot of /dashboard/role

  • Hello @vrijvlinder‌

    That's correct, but I'm not seeing them under Applicants. Previously (before the upgrade), I used to see them under the Applicants list and would decline them. That's the issue I'm highlighting.

    I have used peregrine's spam bots and registration blocker plugin and they are surely helping to reduce the spam bot registrations. I also used the Cleanser plugin.

    Thanks.

  • ok post a pic like peregrine suggests .... of the roles window

  • Here's the snapshot of /dashboard/role

  • peregrine MVP
    edited October 2014

    @brainolution said:
    Another strange thing that I'm seeing after the upgrade - new members (bots) are able to join without my approval even though my registration is set to Applicant. Just today a member (bot) joined without approval. That never happened before the upgrade.

    How is that possible?

    depends what your settings are.

    v said: Those are Bot Applicants not new members. I suggest you use all of peregrine's plugins that deal with spam bots and such.

    before you start adding plugins, see what the issue is, it's not clear what your permissions are for each role.

    what role do the "new members (bots)" get?

    what registration type and mail confirmation do you want?

    if you have a goal, then it might be able to be attained. however you still have a strange issue with confirmation role dropdown. So if you want to focus to solve. post information.

  • @peregrine said:
    what role do the "new members (bots)" get?

    Currently, they are automatically getting the role Member.

    @peregrine said:
    what registration type and mail confirmation do you want?

    I want the registration type as Applicant (which is what I've set it to), and email confirmation role as "Confirm Email", but I can't see Confirm Email in the drop down.

    Please let me know what other information you want me to post. I'm based in Asia, and there could be delays because of time zone difference, but I'll try to get the information as soon as possible. I would really like to get this resolved.

    Thanks for your help.

  • peregrine MVP
    edited October 2014

    what roleid is Confirm Email - you can look in the role table.

    as a test my Confirm Email Role is id number 3 - so these are the settings you want.

        $Configuration['Garden']['Registration']['ConfirmEmail'] = '1';
        $Configuration['Garden']['Registration']['Method'] = 'Approval';
        $Configuration['Garden']['Registration']['ConfirmEmailRole'] = '3';
    

    user gets set Confirm Email Role

    personally, I'd skip the confirm email role and just use approval.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
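
An added example, not part of the original thread or of Vanilla's own code: a small audit that reads the three registration settings shown above from config.php text and checks that `ConfirmEmailRole` points at a real RoleID named "Confirm Email". The function names, the sample config and the role table are constructed for illustration; only RoleID 3 for Confirm Email comes from the post.

```python
import re

# Matches lines such as: $Configuration['Garden']['Registration']['Method'] = 'Approval';
_LINE = re.compile(r"""^\s*\$Configuration((?:\[['"][^'"\]]+['"]\])+)\s*=\s*['"]?([^'";]*)['"]?\s*;""")
_KEY = re.compile(r"""\[['"]([^'"\]]+)['"]\]""")

def parse_config(text):
    """Return {'Garden.Registration.Method': 'Approval', ...} from config.php text."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[".".join(_KEY.findall(m.group(1)))] = m.group(2)
    return settings

def audit_registration(settings, roles):
    """roles maps RoleID -> Name as read from the role table. Returns findings."""
    findings = []
    prefix = "Garden.Registration."
    if settings.get(prefix + "Method") != "Approval":
        findings.append("registration Method is not 'Approval'")
    if settings.get(prefix + "ConfirmEmail") != "1":
        findings.append("ConfirmEmail is not '1'")
    raw = settings.get(prefix + "ConfirmEmailRole")
    if raw is None:
        findings.append("ConfirmEmailRole is not set")
    elif not raw.isdigit() or int(raw) not in roles:
        findings.append(f"ConfirmEmailRole {raw!r} matches no RoleID in the role table")
    elif roles[int(raw)] != "Confirm Email":
        findings.append(f"ConfirmEmailRole points at {roles[int(raw)]!r}, not 'Confirm Email'")
    return findings

# Constructed sample: a config whose ConfirmEmailRole points at the Applicant role.
SAMPLE_CONFIG = """
$Configuration['Garden']['Registration']['ConfirmEmail'] = '1';
$Configuration['Garden']['Registration']['Method'] = 'Approval';
$Configuration['Garden']['Registration']['ConfirmEmailRole'] = '4';
"""
# Constructed role table (RoleID -> Name); read the real IDs from your own role table.
SAMPLE_ROLES = {2: "Guest", 3: "Confirm Email", 4: "Applicant", 8: "Member"}

if __name__ == "__main__":
    for finding in audit_registration(parse_config(SAMPLE_CONFIG), SAMPLE_ROLES):
        print("FINDING:", finding)
```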

  • Correction: I meant to say "I want the registration type as **Applicant** (which is what I've set it to)"

    @brainolution said:
    I want the registration type as Approval (which is what I've set it to),

  • edited October 2014

    There is no Applicant registration, when you choose Approval as registration mode, all registrants are applicants until you approve them as members. They can only confirm their email after being approved and/or they do not need the confirm email because the fact that you approved them is confirming them.

  • peregrine MVP
    edited October 2014

    I used to see them under the Applicants list and would decline them. That's the issue I'm highlighting.

    you won't see applicants in applicants area, who haven't confirmed their e-mail

    you can see the unconfirmed e-mail role using

    http://vanillaforums.org/addon/memberslistenh-plugin

  • My bad:

    Registration method should be "Approval" (I had it correct earlier).

    Here's the snapshot of the role table:
