
Social Connect allows users to circumvent invite system

edited November 2010 in Vanilla 2.0 - 2.8
Could not find a thread regarding this, so please let me know if this has yet to be noted:

If you have invites turned on, users can access the system without an invite code by using one of the other sign-in options (OpenID/Facebook/Twitter/etc.).

I have turned off Social Connections for now.

I'll create a GitHub issue if nobody has noticed this yet.

Comments

  • But... that is a correct behavior. Why would you enable social connect if you only invite people? Because people can connect only with their e-mail address when you have invites on (and only selected people). Facebook / Twitter etc. do not store any information about the e-mail address (I think), so ... my question remains: what are you trying to achieve?

    /cd
  • edited November 2010
    Once a user has connected via Social Connect, system administrators can see the email address they used to sign up (i.e. their Gmail address). A primary benefit of Social Connect is that you can use a single account (i.e. Google) to log into various accounts without having to remember multiple passwords.

    Once you've been invited and signed up, you can activate it, and use your single sign-on authentication without worrying about the forum password. It's a matter of convenience.

    If a user attempts to use Social Connect to access a private system, one would assume they'd hit the "you need an invite code" wall.
  • Mark (Vanilla Staff)
    We are aware of this issue. We're still talking about the best way to handle it if a user uses social connect with the varying registration systems. We are thinking: Basic would work as it works now, invite only would throw an error for users attempting to connect who don't have a related account, and admin approved would report that their application is in review.
  • That makes sense.

    Thanks for getting back on this.
  • I have the same issue. Any updates on this?
  • edited June 2011
    We are aware of this issue. We're still talking about the best way to handle it if a user uses social connect with the varying registration systems. We are thinking: Basic would work as it works now, invite only would throw an error for users attempting to connect who don't have a related account, and admin approved would report that their application is in review.
    Any updates on this yet?
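
The per-mode behaviour proposed in the staff reply above, sketched as an added example that is not part of the thread and is not Vanilla's code. All names are hypothetical, and a "related account" is assumed to mean a provider identity already linked to a forum account.

```python
# Added illustration; class and method names are hypothetical, not Vanilla's API.
from dataclasses import dataclass, field


class ConnectDenied(Exception):
    """Raised when the registration policy refuses a social sign-in."""


@dataclass
class Forum:
    mode: str                                     # "basic" | "invite" | "approval"
    accounts: dict = field(default_factory=dict)  # provider identity -> username
    pending: set = field(default_factory=set)     # identities awaiting approval

    def social_connect(self, identity: str) -> str:
        """Outcome for an identity the provider has already authenticated."""
        # A linked account exists: plain single sign-on, allowed in every mode.
        if identity in self.accounts:
            return "signed-in"
        # No linked account means this is a registration, so the registration
        # policy applies here exactly as it does on the normal sign-up form.
        if self.mode == "basic":
            self.accounts[identity] = identity
            return "registered"
        if self.mode == "invite":
            raise ConnectDenied("invite only: no account linked to this identity")
        if self.mode == "approval":
            self.pending.add(identity)            # no session until an admin approves
            return "application in review"
        raise ConnectDenied(f"unknown registration mode {self.mode!r}")  # fail closed


def demo() -> list:
    # Constructed identities, for illustration only.
    results = []
    for mode in ("basic", "invite", "approval"):
        forum = Forum(mode, accounts={"google:alice": "alice"})
        for who in ("google:alice", "twitter:mallory"):
            try:
                results.append((mode, who, forum.social_connect(who)))
            except ConnectDenied:
                results.append((mode, who, "denied"))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The point of routing both paths through one policy check is that a successful provider login only proves identity; whether that identity may create an account is still decided by the forum's registration mode.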