Email unconfirmed user can create posts.
desai_amogh
I made a test user and I'm able to post without confirming email.
I don't want user approval. I want users to be able to confirm email and only then be able to post. So when a user registers and the email is not verified, he should have the "User Unverified" role (pic below). When he confirms email, he should be Member.
I have tried many posts with similar issues but don't seem to be successful with my config. Please help.
Here's my roles and settings
This is config.php
$Configuration['Garden']['Registration']['ConfirmEmail'] = '1';
$Configuration['Garden']['Registration']['Method'] = 'Captcha';
$Configuration['Garden']['Registration']['InviteExpiration'] = '1 week';
$Configuration['Garden']['Registration']['CaptchaPrivateKey'] = '';
$Configuration['Garden']['Registration']['CaptchaPublicKey'] = '';
$Configuration['Garden']['Registration']['InviteRoles']['1'] = '0';
$Configuration['Garden']['Registration']['InviteRoles']['2'] = '0';
$Configuration['Garden']['Registration']['InviteRoles']['3'] = '0';
$Configuration['Garden']['Registration']['InviteRoles']['4'] = '0';
$Configuration['Garden']['Registration']['InviteRoles']['5'] = '0';
$Configuration['Garden']['Registration']['InviteRoles']['6'] = '0';
$Configuration['Garden']['Registration']['InviteRoles']['7'] = '0';
$Configuration['Garden']['Registration']['InviteRoles']['8'] = '0';
$Configuration['Garden']['Registration']['SendConnectEmail'] = '1';
This is config-defaults.php
$Configuration['Garden']['Registration']['DefaultRoles'] = array('8'); // The default role(s) to assign new users (4 is "Member")
$Configuration['Garden']['Registration']['ApplicantRoleID'] = 4; // The "Applicant" RoleID.
$Configuration['Garden']['Registration']['InviteExpiration'] = '1 week'; // When invitations expire. This will be plugged into strtotime().
$Configuration['Garden']['Registration']['InviteRoles'] = 'FALSE';
$Configuration['Garden']['Registration']['ConfirmEmail'] = FALSE;
$Configuration['Garden']['Registration']['ConfirmEmailRole'] = 3;
$Configuration['Garden']['Registration']['MinPasswordLength'] = 6;
$Configuration['Garden']['Registration']['NameUnique'] = true;
Comments
Yes, the internals of this process are not obvious...
Most probably you have this line in your /conf/config.php (or /conf/config-defaults.php):
$Configuration['Garden']['Registration']['DefaultRoles'] = array('8');
The effect is, that every new user is automatically a member.
What you want is that a new user is an unconfirmed user. If you found that line in /conf/config.php, change "8" to "3" (which should be the role id of the unconfirmed role), otherwise add the line
$Configuration['Garden']['Registration']['DefaultRoles'] = array('3');
to this file. Don't change /conf/config-defaults.php! It should be working afterwards for new members.
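The override described in this answer can be checked offline. The sketch below is an added example, not part of the thread and not Vanilla code: it assumes keys set in /conf/config.php replace those in /conf/config-defaults.php, uses hypothetical function names, and takes the list of role IDs that may post as input from the admin, since that lives in the role permissions rather than in the config.

```php
<?php
// Added example, not Vanilla code. Function names are hypothetical.

/** Effective Registration settings: keys set in config.php replace the defaults (assumed). */
function effectiveRegistration(array $defaults, array $site): array {
    return array_replace(
        $defaults['Garden']['Registration'] ?? [],
        $site['Garden']['Registration'] ?? []
    );
}

/** Findings for settings that let an unconfirmed account post. */
function auditRegistration(array $reg, array $postingRoleIds): array {
    $findings = [];
    if (empty($reg['ConfirmEmail'])) {
        return ['ConfirmEmail is off: no address confirmation is requested'];
    }
    $defaultRoles = array_map('intval', (array)($reg['DefaultRoles'] ?? []));
    $risky = array_intersect($defaultRoles, $postingRoleIds);
    if ($risky) {
        $findings[] = 'DefaultRoles grants posting role(s) ' . implode(',', $risky)
            . ' at registration, before the address is confirmed';
    }
    if (isset($reg['ConfirmEmailRole'])
        && in_array((int)$reg['ConfirmEmailRole'], $postingRoleIds, true)) {
        $findings[] = 'ConfirmEmailRole ' . $reg['ConfirmEmailRole'] . ' is allowed to post';
    }
    return $findings;
}

// Values quoted in the thread (subset of each file).
$defaults = [];
$defaults['Garden']['Registration']['DefaultRoles'] = array('8');
$defaults['Garden']['Registration']['ConfirmEmail'] = FALSE;
$defaults['Garden']['Registration']['ConfirmEmailRole'] = 3;

$site = [];
$site['Garden']['Registration']['ConfirmEmail'] = '1';
$site['Garden']['Registration']['Method'] = 'Captcha';

// Assumption: role 8 (Member) is the only role here with posting permission.
$postingRoleIds = [8];

foreach (auditRegistration(effectiveRegistration($defaults, $site), $postingRoleIds) as $f) {
    echo "FINDING: $f\n";
}
```

With the values from the thread, the only finding is the DefaultRoles one: confirmation is switched on in config.php, but the inherited default role is still 8.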
@R_J no, that didn't work. As per below picture I also tried
$Configuration['Garden']['Registration']['DefaultRoles'] = array('10');
, but this puts both member as well as User Unverified role to the new user. My GDN_Role table is as below: Using "10" was
I remember I made a pull request because of that recently: https://github.com/vanilla/vanilla/pull/4977
I thought changing that config setting sort of "fixes" that behavior. Are you sure that your unconfirmed is not allowed to post? Have you checked that in the role permission?
@R_J Yes, Unconfirmed is not allowed to post or comment.
I did some googling and found this. I realised there was no mention of ConfirmEmailRole in my Config.php or Config-defaults.php. Check @River's post. So I did below changes and now the new unconfirmed user doesn't even see the "New Discussion" button or "Comments editor". Once email is confirmed he can make comments or post. Weird thing is that regardless of confirmed or unconfirmed, the user list shows the unconfirmed user as "Member" role only.
That config setting is only there for backward compatibility, but if it helps you, that's great. You have set the "DefaultRoles" to 8/Member. If you also set this to 10, your unconfirmed users should only have the unconfirmed role.
But you've said already that they have both roles if you do so... Sorry, I don't know of a way to prevent that.
Yes. Anyways this should suffice for my spam issue. Hoping not to break it in the next upgrade, or I'll be back searching this thread.
Thanks for the help!
I don't think so. That could be simply done by a bot. Those plugins might help:
https://open.vanillaforums.com/addon/addregistrationquestion-plugin
https://open.vanillaforums.com/addon/promoteaftermoderated-plugin
I've got Captcha enabled for registration, is that any better than the questions? Captcha looks and feels much better than typing an answer. What do you think?
I'll also look at the Promote plugin. Is there a way to stop users with, let's say, less than 5 post count from making posts with links?
Personally I very much dislike captchas. I know that they are no problem for a good AI and at least 30% of all captchas I am confronted with are a problem for me and I solve them wrong the first time.
The "I am a human" from Google looks nice, but since I most of the time block the information they need to recognize me as a human, I have to go through the same "click on the traffic sign/shop fronts/whatever" procedure. At least I enjoy the "click on something" more than the "what text do you see".
A registration question like "which color has my logo" is unsolvable for most bots. The downside is, that a human needs to only solve this one time to fire a thousand bots on your page.
Requiring moderation for the first few posts gives you the advantage that you can see if the comments of that new user really make sense or if they are only "Looks good. Visit my spam page at...". The downside is of course that you have to do the moderation for all those posts...
I thought @peregrine had written a plugin which prevents links in the first posts of users, but I haven't found it.
Writing such a plugin would be similar to the promoteAfterModerated, but a little bit less complex.
But I don't think a spammer checks first if he could post links on your forum and therefore the spamming wouldn't be less, but only a little bit more ineffective.
I've got Stop Forum Spam, Akismet and Captcha (one with I am a Human). So I'm covered for the bots. I saw some human spammers with decent Gmail IDs spamming about decent websites, music shows, local stores, etc. Volume is very low for these, and my forum, though it is old, I have started working to grow just now after moving it to Vanilla.
With the below structure in mind, if I want to use the Promote plugin, do I need to add another role?
What should I set here in the Promote plugin? Obviously the below options don't work.
The check and the role promotion are made at the moment the admin moderates a post. So if you publish a post of a user, it is checked whether all criteria are met; in this case: does this user have at least 3 published comments and 2 published discussions? If yes, remove role A and set role B. If not, do nothing.
If the plugin is not working for you it might have been because you expected that users would be changed automatically when you activate the plugin. But without moderator action, nothing will happen.
OK, got it. I set another role and set the procedure again with a test user. It works now with new users; for old users, they have to make a post or comment and once moderated (regardless of number of their old posts), their role is changed to Member.
Thanks for the info. I'm all set now.