[buddypress-trac] [BuddyPress Trac] #9137: REST API related issues for signups and pending accounts
buddypress-trac
noreply at wordpress.org
Thu Apr 25 01:05:24 UTC 2024
#9137: REST API related issues for signups and pending accounts
---------------------------------------+--------------------------
Reporter: niftythree | Owner: espellcaste
Type: defect (bug) | Status: new
Priority: normal | Milestone: Up Next
Component: REST API | Version:
Severity: normal | Resolution:
Keywords: needs-patch needs-testing |
---------------------------------------+--------------------------
Comment (by espellcaste):
@niftythree
**Scenario 1**: Multiple pending accounts can be registered through the
REST API with the same email address, but different usernames.
This one I'm unable to confirm.
This is the message I get if I try to create a signup via the REST API,
and the email address is already used in a **pending account** (not yet
activated).
{{{
{
"code": "bp_rest_signup_validation_failed",
"data": {
"status": 500
},
"message": "That email address has already been used. Please check your inbox for an activation email. It will become available in a couple of days if you do nothing."
}
}}}
This is the message I get if I try to create a signup via the REST API,
and the email address is already used in an **activated account**.
{{{
{
"code": "bp_rest_signup_validation_failed",
"data": {
"status": 500
},
"message": "<strong>Error:</strong> This email address is already registered. <a href=\"https://bar.wp.test/wp-login.php\">Log in</a> with this address or choose another one."
}
}}}
----
**Scenario 2**: Account registered through the website, but not yet
activated.
This is actually a known issue that we are fixing in BP 14.0. See #6123
and this [https://buddypress.trac.wordpress.org/changeset/13798 commit].
In a nutshell, when a new signup is created, users won't be created anymore
and the issue you describe won't happen again.
cc: @imath
----
**Scenario 3**: Account registered through the REST API, but not yet
activated.
> User tries to log in through the website with the correct email, and
either a correct/incorrect password, they see an error message stating
"Unknown email address. Check again or try your username" (i.e. the user
isn't told that their account isn't activated and/or that the password is
incorrect)
I can't confirm this. I do see the following message in the login screen:
{{{
Error: Your account has not been activated. Check your email for the
activation link.
If you have not received an email yet, click here to resend it.
}}}
With the link to activate it: https://bar.wp.test/wp-login.php?action=bp-resend-activation&id=34&_wpnonce=220500b234
> User tries to access something where authorisation is needed (e.g.
/members/me/) through the REST API with the correct email, and either a
correct/incorrect password, they see an error message stating "Unknown
email address. Check again or try your username." (i.e. the user isn't
told that their account isn't activated and/or that the password is
incorrect)
I can confirm this. And the other one too. This is a good addition. o/
> Anyone who knows the username of a pending account that's been
registered through the REST API, or if a user thinks that username belongs
to them, can constantly request the resending of activation emails by
entering the username and anything into the password field.
I actually can't confirm this. Currently, the REST API requires a `signup id`
or `email` or `activation key` to request sending an activation email.
So it is not possible to use a username of a pending account or password.
We do not however protect this endpoint. So it is a public endpoint. And
anyone with any of this data could fire it.
But this information is not public.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/9137#comment:2>
BuddyPress Trac <http://buddypress.org/>
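The comment above notes that the resend-activation endpoint is public, so misuse would surface as repeated requests for the same signup id from one client. Added example, not part of the ticket or of BuddyPress: a small access-log check that flags that pattern. The `wp-login.php?action=bp-resend-activation&id=...` URL shape comes from the comment; the log lines, IP addresses, nonce value and threshold are constructed.

```python
# Added example, not BuddyPress code: flag repeated activation-resend
# requests in access logs, keyed by client IP and signup id.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)')
RESEND = re.compile(r'action=bp-resend-activation(?:&|$)')
SIGNUP_ID = re.compile(r'[?&]id=(\d+)')

# Constructed sample lines (Apache combined format, all values made up).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2024:01:00:01 +0000] "GET /wp-login.php?action=bp-resend-activation&id=34&_wpnonce=abc123 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [25/Apr/2024:01:00:09 +0000] "GET /wp-login.php?action=bp-resend-activation&id=34&_wpnonce=abc123 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [25/Apr/2024:01:00:20 +0000] "GET /wp-login.php?action=bp-resend-activation&id=34&_wpnonce=abc123 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [25/Apr/2024:01:01:02 +0000] "GET /wp-login.php?action=bp-resend-activation&id=34&_wpnonce=abc123 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [25/Apr/2024:01:01:30 +0000] "GET /wp-login.php?action=bp-resend-activation&id=35&_wpnonce=abc123 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.9 - - [25/Apr/2024:01:02:00 +0000] "GET /wp-login.php?action=bp-resend-activation&id=34&_wpnonce=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Apr/2024:01:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def parse_resend_requests(log_text):
    """Yield (client_ip, signup_id, timestamp) for each resend-activation hit."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, ts, path = m.groups()
        sid = SIGNUP_ID.search(path)
        if RESEND.search(path) and sid:
            yield ip, int(sid.group(1)), datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def flag_resend_abuse(log_text, max_requests=3, window=timedelta(minutes=10)):
    """Return {(ip, signup_id): peak} for pairs whose request count inside
    any sliding `window` exceeds `max_requests`."""
    hits = defaultdict(list)
    for ip, sid, ts in parse_resend_requests(log_text):
        hits[(ip, sid)].append(ts)
    flagged = {}
    for key, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop hits older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            flagged[key] = peak
    return flagged
```

On the sample, only the first client's four requests for signup 34 exceed the threshold; the single requests for signup 35 and from the second client do not.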