[buddypress-trac] [BuddyPress Trac] #6049: Do not activate user accounts automatically with one click
buddypress-trac
noreply at wordpress.org
Tue Nov 28 20:58:04 UTC 2017
#6049: Do not activate user accounts automatically with one click
-------------------------+-----------------------
Reporter: vimes1984 | Owner:
Type: enhancement | Status: reopened
Priority: normal | Milestone: 3.0
Component: Members | Version:
Severity: normal | Resolution:
Keywords: needs-patch |
-------------------------+-----------------------
Changes (by boonebgorges):
* milestone: Future Release => 3.0
Comment:
I've run into this issue on two different client sites in the past six
months. In at least one of the cases, a spammer was aware of the flaw, and
was exploiting it by (1) creating accounts using a domain that he knew to
be scanned in this way, (2) waiting for the scanner to activate the
accounts, and (3) logging into the accounts.
The fix I put in place basically does what @r-a-y [comment:3 suggests
above]. In the case of the client sites, I also needed to juggle the
`current_action`; presumably, we'd do this differently in BP.
https://github.com/livinglab/openlab/commit/caa395eeb4e1d62907ab6363c231fd15cb3510cf
Any objections to changing this behavior in 3.0?
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6049#comment:8>
BuddyPress Trac <http://buddypress.org/>
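The flow described in the comment above, as an added worked example (this is not BuddyPress code and not the commit linked in the comment): the old handler activates a pending signup as a side effect of a plain GET on the activation URL, so anything that automatically fetches links in e-mail (the "scanner" in the comment) activates the account for the spammer; the proposed handler renders a confirmation form on GET and only activates on the resulting POST, which a link-following scanner never submits. The in-memory signup store, the request/response model, the scanner model and all function names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict
from urllib.parse import parse_qsl, urlsplit
import secrets


@dataclass
class Signup:
    email: str
    activation_key: str
    active: bool = False


class SignupStore:
    """Constructed in-memory stand-in for the signups table, keyed by activation key."""

    def __init__(self) -> None:
        self.signups: Dict[str, Signup] = {}

    def register(self, email: str) -> str:
        key = secrets.token_hex(16)  # the secret that goes into the activation e-mail
        self.signups[key] = Signup(email, key)
        return key

    def activate(self, key: str) -> bool:
        signup = self.signups.get(key)
        if signup is None or signup.active:
            return False
        signup.active = True
        return True

    def is_active(self, key: str) -> bool:
        signup = self.signups.get(key)
        return bool(signup and signup.active)


@dataclass
class Request:
    method: str
    query: Dict[str, str] = field(default_factory=dict)  # URL parameters
    form: Dict[str, str] = field(default_factory=dict)   # POST body fields


@dataclass
class Response:
    status: int
    body: str


Handler = Callable[[SignupStore, Request], Response]


def one_click_activate(store: SignupStore, req: Request) -> Response:
    """Old behaviour (the flaw): merely fetching the link activates the account."""
    key = req.query.get("key", "")
    if store.activate(key):
        return Response(200, "Your account is now active.")
    return Response(400, "Invalid or already-used activation key.")


def confirm_then_activate(store: SignupStore, req: Request) -> Response:
    """Proposed behaviour: GET changes nothing and shows a form; only POST activates."""
    if req.method == "GET":
        key = req.query.get("key", "")
        if key not in store.signups:
            return Response(400, "Invalid activation key.")
        # Only a key that exists in the store (our own hex token) is echoed back,
        # so nothing attacker-controlled reaches the HTML.
        form = ('<form method="post">'
                f'<input type="hidden" name="key" value="{key}">'
                '<button type="submit">Activate my account</button></form>')
        return Response(200, form)
    if req.method == "POST":
        key = req.form.get("key", "")
        if store.activate(key):
            return Response(200, "Your account is now active.")
        return Response(400, "Invalid or already-used activation key.")
    return Response(405, "Method not allowed.")


def scanner_follows_link(store: SignupStore, handler: Handler, url: str) -> Response:
    """Models an e-mail link scanner: it GETs every URL it sees and never submits forms."""
    query = dict(parse_qsl(urlsplit(url).query))
    return handler(store, Request("GET", query=query))


def spammer_gets_account(handler: Handler) -> bool:
    """Steps (1)-(3) from the comment: register, let the scanner visit, check if usable."""
    store = SignupStore()
    key = store.register("spam@scanned-domain.example")  # constructed address
    activation_url = f"https://example.com/activate/?key={key}"
    scanner_follows_link(store, handler, activation_url)   # step (2)
    return store.is_active(key)                            # step (3): could they log in?


def real_user_activates(handler: Handler) -> bool:
    """A human opens the link (GET) and, if asked, presses the button (POST)."""
    store = SignupStore()
    key = store.register("user@example.com")  # constructed address
    page = handler(store, Request("GET", query={"key": key}))
    if page.status != 200:
        return False
    if not store.is_active(key):
        handler(store, Request("POST", form={"key": key}))
    return store.is_active(key)


if __name__ == "__main__":
    print("one-click, scanner activates:", spammer_gets_account(one_click_activate))
    print("confirm form, scanner activates:", spammer_gets_account(confirm_then_activate))
    print("confirm form, real user succeeds:", real_user_activates(confirm_then_activate))
```

The confirmation step is not a CSRF defence (the key in the e-mail is already the secret); its only job is to make activation depend on a form submission that automated link fetchers do not perform. A practitioner porting this into a real site would keep the state change strictly on the POST branch and treat any GET as read-only, exactly as the ticket title asks.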