Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Email unconfirmed user can create posts.

edited March 2017 in Vanilla 2.0 - 2.8

I made a test user and im able to post without confirming email.

I dont want user approval. I want users to be able to confirm email and only then be able to post. So when user registers and not email verified he should be "User Unverified" role (pic below). When he confirms email, he should be Member.

I have tried many posts with similar issues but dont seem to be successful with my config. please help.

Here's my roles and settings

This is config.php

$Configuration['Garden']['Registration']['ConfirmEmail'] = '1';
$Configuration['Garden']['Registration']['Method'] = 'Captcha';
$Configuration['Garden']['Registration']['InviteExpiration'] = '1 week';
$Configuration['Garden']['Registration']['CaptchaPrivateKey'] = '';
$Configuration['Garden']['Registration']['CaptchaPublicKey'] = '';
$Configuration['Garden']['Registration']['InviteRoles']['1'] = '0';
$Configuration['Garden']['Registration']['InviteRoles']['2'] = '0';
$Configuration['Garden']['Registration']['InviteRoles']['3'] = '0';
$Configuration['Garden']['Registration']['InviteRoles']['4'] = '0';
$Configuration['Garden']['Registration']['InviteRoles']['5'] = '0';
$Configuration['Garden']['Registration']['InviteRoles']['6'] = '0';
$Configuration['Garden']['Registration']['InviteRoles']['7'] = '0';
$Configuration['Garden']['Registration']['InviteRoles']['8'] = '0';
$Configuration['Garden']['Registration']['SendConnectEmail'] = '1';

This is config-defaults.php

$Configuration['Garden']['Registration']['DefaultRoles']        = array('8'); // The default role(s) to assign new users (4 is "Member")
$Configuration['Garden']['Registration']['ApplicantRoleID']     = 4; // The "Applicant" RoleID.
$Configuration['Garden']['Registration']['InviteExpiration']    = '1 week'; // When invitations expire. This will be plugged into strtotime().
$Configuration['Garden']['Registration']['InviteRoles']         = 'FALSE';
$Configuration['Garden']['Registration']['ConfirmEmail']        = FALSE;
$Configuration['Garden']['Registration']['ConfirmEmailRole']    = 3;
$Configuration['Garden']['Registration']['MinPasswordLength']   = 6;
$Configuration['Garden']['Registration']['NameUnique']          = true;
Tagged:

Comments

  • R_JR_J Admin

    Yes, the internals of this process are not obvious...

    Most probably you have this line in your /conf/config.php (or /conf/config-defaults.php):

    $Configuration['Garden']['Registration']['DefaultRoles'] = array('8');

    The effect is, that every new user is automatically a member.

    What you want is that a new user is an unconfirmed user. If you found that line in /conf/config.php, change "8" to "3" (which should be the role id of the unconfirmed role), otherwise add the line $Configuration['Garden']['Registration']['DefaultRoles'] = array('3'); to this file. Don't change /conf/config-defaults.php!

    It should be working afterwards for new members.

  • edited March 2017

    @R_J no that dint work. As per below picture I also tried $Configuration['Garden']['Registration']['DefaultRoles'] = array('10'); , but this puts both member as well as User Unverified role to the new user. My GDN_Role table is as below:

  • R_JR_J Admin

    Using "10" was

    I remember I made a pull request because of that recently: https://github.com/vanilla/vanilla/pull/4977

    I thought changing that config setting sort of "fixes" that behavior. Are you sure that your unconfirmed is not allowed to post? Have you checked that in the role permission?

  • edited March 2017

    @R_J Yes, Unconfirmed is not allowed to post or comment.

    I did some googleing and found this I realised there was no mention of ConfirmEmailRole in my Config.php or Config-defaults.php. Check @River 's post. So I did below changes and now the new unconfirmed user doesn't even see the "New Discussion" button or "Comments editor". Once email is confirmed he can make comments or post. Weird thing is that regardless confirmed or unconfirmed, the user list shows the unconfirmed user as "Member" role only.

    $Configuration['Garden']['Registration']['ConfirmEmail'] = '1';
    
    //default role for email unconfirmed user set to User unverified role ID 10
    
    $Configuration['Garden']['Registration']['DefaultRoles'] = array('8'); // The default role(s) to assign new users (4 is "Member")
    $Configuration['Garden']['Registration']['ConfirmEmailRole'] = 10;
    $Configuration['Garden']['Registration']['ApplicantRoleID'] = 4;
    //
    
    
    $Configuration['Garden']['Registration']['Method'] = 'Captcha';
    $Configuration['Garden']['Registration']['InviteExpiration'] = '1 week';
    $Configuration['Garden']['Registration']['CaptchaPrivateKey'] = '';
    $Configuration['Garden']['Registration']['CaptchaPublicKey'] = '';
    $Configuration['Garden']['Registration']['InviteRoles']['1'] = '0';
    $Configuration['Garden']['Registration']['InviteRoles']['2'] = '0';
    $Configuration['Garden']['Registration']['InviteRoles']['3'] = '0';
    $Configuration['Garden']['Registration']['InviteRoles']['4'] = '0';
    $Configuration['Garden']['Registration']['InviteRoles']['5'] = '0';
    $Configuration['Garden']['Registration']['InviteRoles']['6'] = '0';
    $Configuration['Garden']['Registration']['InviteRoles']['7'] = '0';
    $Configuration['Garden']['Registration']['InviteRoles']['8'] = '0';
    $Configuration['Garden']['Registration']['SendConnectEmail'] = '1';
    
  • R_JR_J Admin

    That config setting is only there for backward compatibility, but if it helps you, that's great. You have set the "DefaultRoles" to 8/Member. If you also set this to 10, your unconfirmed users should only have the unconfirmed role.

    But you've said already that they have both roles if you do so... Sorry, I don't know of a way to prevent that.

  • Yes. Anyways this should suffice my spam issue. Hoping not to break it in the next upgrade. or ill be back searching this thread :)

    Thanks for the help!

  • R_JR_J Admin

    @desai_amogh said:
    Yes. Anyways this should suffice my spam issue.

    I don't think so. That could be simply done by a bot. Those plugins might help:
    https://open.vanillaforums.com/addon/addregistrationquestion-plugin
    https://open.vanillaforums.com/addon/promoteaftermoderated-plugin

  • I've got Captcha enabled for registration, is that any better than the questions?? Cpatcha looks and feels much better than typing an answer. what do you think??

    Ill also look at the Promote plugin. Is there a way to stop users with lets say less than 5 post count from making posts with links ??

  • R_JR_J Admin

    Personally I very much dislike captchas. I know that they are no problem for a good AI and at least 30% of all captchas I am confronted with are a problem for me and I solve them wrong the first time.

    The "I am a human" from Google looks nice, but since I most of the time block the information they need to recognize me as a human, I have to go through the same "click on the traffic sign/shop fronts/whatever" procedure. At least I enjoy the "click on something" more than the "what text do you see".

    A registration question like "which color has my logo" is unsolvable for most bots. The downside is, that a human needs to only solve this one time to fire a thousand bots on your page.

    Requiring moderation for the first few posts gives you the advantage that you can see if the comments of that new user really make sense or if they are only "Looks good. Visit my spam page at...". The downside is of course that you have to to the moderation for all those posts...

    I thought @peregrine had written a plugin which prevents links in the first posts of users, but I haven't found it.
    Writing such a plugin would be similar to the promoteAfterModerated, but a little bit less complex.

    But I don't think a spammer checks first if he could post links on your forum and therefore the spamming wouldn't be less, but only a little bit more ineffective

  • edited March 2017

    I've got Stop Forum Spam, Akismet and Captcha (one with I am a Human). So I'm covered for the bots. I saw some Human spammers with decent gmail ids spamming about decent websites, music shows, local stores, etc.. volume is very low for these and my forum though is old, I have started working to grow it just now after moving it to Vanilla.

    With the below structure in mind, If I want to use the Promote Plugin, Do I need to add another role??

    @desai_amogh said:

    I did below changes and now the new unconfirmed user doesn't even see the "New Discussion" button or "Comments editor". Once email is confirmed he can make comments or post. Weird thing is that regardless confirmed or unconfirmed, the user list shows the unconfirmed user as "Member" role only.

    $Configuration['Garden']['Registration']['DefaultRoles'] = array('8'); // The default role(s) to assign new users (4 is "Member")
    $Configuration['Garden']['Registration']['ConfirmEmailRole'] = 10;
    $Configuration['Garden']['Registration']['ApplicantRoleID'] = 4;
    //
    

    What should I set here in the promote plugin?? obviously the below options dont work.

  • R_JR_J Admin
    edited March 2017

    The check and the role promotion are made in the moment where the admin moderates a post. So if you publish a post of user it is checked if all criteria are met: in this case: does this user has at least 3 published comments and 2 published discussions? If yes, remove role A and set role B. If not, do nothing.

    If the plugin is not working for you it might have been because you expected that users would be changed automatically when you activate the plugin. But without moderator action, nothing will happen.

  • Ok Got it. I set another role and set the procedure again with a test user. It works now with new users, for old users they have to make a post or comment and once moderated (regardless of number of their old posts), their role is changed to Member.

    Thanks for the info. Im all set now.

Sign In or Register to comment.