[buddypress-trac] [BuddyPress Trac] #9137: REST API related issues for signups and pending accounts
buddypress-trac
noreply at wordpress.org
Sat Apr 20 09:05:49 UTC 2024
#9137: REST API related issues for signups and pending accounts
--------------------------+-----------------------------
Reporter: niftythree | Owner: espellcaste
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version:
Severity: normal | Keywords:
--------------------------+-----------------------------
Hello,
We've come across a few REST API related issues for signups and pending
accounts, which occur in specific scenarios or situations.
**Scenario 1:** Multiple pending accounts can be registered through the
REST API with the same email address, but different usernames.
* If one account is activated, and a user tries to activate any additional
accounts through either the website or the REST API, it causes a critical
error. The additional account(s) is removed from the pending list
(activated in the database).
**Scenario 2:** Account registered through the website, but not yet
activated.
* User tries to access something where authorisation is needed (e.g.
/members/me/) through the REST API, with the correct email/password or the
correct username/password, the user can access information from the area,
even though their account is still pending. They do not see an error
notifying them that the account isn't active. They are then visible as an
active user in the members directory (unless sorted alphabetically).
Other users can interact with the visible non-activated account, both
through the website and REST API (e.g. send a private message).
**Scenario 3:** Account registered through the REST API, but not yet
activated.
* User tries to log in through the website with the correct email, and
either a correct/incorrect password, they see an error message stating
"Unknown email address. Check again or try your username" (i.e. the user
isn't told that their account isn't activated and/or that the password is
incorrect)
* User tries to access something where authorisation is needed (e.g.
/members/me/) through the REST API with the correct email, and either a
correct/incorrect password, they see an error message stating "Unknown
email address. Check again or try your username." (i.e. the user isn't
told that their account isn't activated and/or that the password is
incorrect)
* User tries to access something where authorisation is needed (e.g.
/members/me/) through the REST API with the correct username and either a
correct/incorrect password, they see an error message stating "The
username <usernamegoeshere> is not registered on this site. If you are
unsure of your username, try your email address instead." (i.e. the user
isn't told that their account isn't activated and/or that the password is
incorrect).
* Anyone who knows the username of a pending account that's been
registered through the REST API, or if a user thinks that username belongs
to them, can constantly request the resending of activation emails by
entering the username and anything into the password field.
We've tested all of the above with the following set-up:
* WordPress version: 6.5.2
* BuddyPress version: 12.4.0
* BuddyPress Template: Legacy
* Theme: Twenty Twenty-Four
* Plugins active: BuddyPress, JSON Basic Authentication
(https://github.com/WP-API/Basic-Auth)
* PHP: 7.4
Thanks.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/9137>
BuddyPress Trac <http://buddypress.org/>
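One defensive guard for the Scenario 2 behaviour above, as an added example that is not part of the ticket and not BuddyPress or Basic-Auth code: a must-use plugin that hooks WordPress's `rest_authentication_errors` filter and refuses an authenticated REST request when a pending signup record still exists for that account. It assumes the hypothetical function name `example_reject_pending_signups`, that `BP_Signup::get()` accepts `user_login` / `user_email` arguments and returns an array with a `total` key, and that pending signups are the ones returned by default (all three are assumptions about BuddyPress 12.x, not facts stated by the ticket).

```php
<?php
/**
 * Plugin Name: Reject REST requests from pending BuddyPress signups (example)
 *
 * Added example, not BuddyPress code. Refuses authenticated REST requests
 * from accounts that still have a pending signup record, so a user who
 * authenticates with valid credentials before activation receives a 403
 * instead of data from endpoints such as /members/me/.
 */

add_filter( 'rest_authentication_errors', 'example_reject_pending_signups', 99 );

/**
 * @param WP_Error|null|true $result Result from earlier authentication layers.
 * @return WP_Error|null|true
 */
function example_reject_pending_signups( $result ) {
	// Another authentication layer already failed; keep its error.
	if ( is_wp_error( $result ) ) {
		return $result;
	}

	// Anonymous requests are left alone here; per-route permission callbacks
	// still decide what unauthenticated callers may read.
	if ( ! is_user_logged_in() ) {
		return $result;
	}

	// BuddyPress not loaded: nothing to check.
	if ( ! class_exists( 'BP_Signup' ) ) {
		return $result;
	}

	$user = wp_get_current_user();

	// Look for a pending signup matching either the login or the email
	// (assumption: BP_Signup::get() filters on these keys and returns
	// array( 'signups' => array(...), 'total' => int )).
	$lookups = array(
		'user_login' => $user->user_login,
		'user_email' => $user->user_email,
	);

	foreach ( $lookups as $key => $value ) {
		if ( '' === $value ) {
			continue;
		}

		$pending = BP_Signup::get( array( $key => $value, 'number' => 1 ) );

		if ( ! empty( $pending['total'] ) ) {
			// Record the refusal so repeated attempts are visible in the logs.
			error_log( sprintf( 'REST request refused for pending signup: %s', $user->user_login ) );

			return new WP_Error(
				'example_account_pending',
				'This account has not been activated yet.',
				array( 'status' => 403 )
			);
		}
	}

	return $result;
}
```

Drop the file into `wp-content/mu-plugins/` so it loads on every request. Because the check runs after `determine_current_user`, it covers any authentication plugin (Basic Auth, application passwords, cookies) rather than one login path; the `error_log()` line is there so a stream of 403s for the same login can be picked up by whatever log monitoring is in place.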