Change email after registering and pending activation?

Bug
1

Hello,

It seems that this feature is a great opportunity for people to impersonate others using another domain name.

  1. I register with @coolcompany.com
  2. I get the “change email address” button when registering but pending activation.
  3. I wait a few hours with that window open (or maybe a few minutes) until I get approved, you never know, maybe they are super effective.
  4. I click change my email address, and I basically can put whatever there, but I am already approved!

The admin does not get a "@coolcompany.com has not activated, and @another.com is pending", no, instead, I have approved someone I thought it was from @coolcompany.com, but actually it was just using that domain to get approved, as I don’t get another pending approval item.

Is this by design? is it a bug? I could not find a topic like this in the forums.

My big question is, can I deactivate this feature? I honestly don’t want it.

Thanks!

1 Like
2

There is a site setting that keeps users from being able to change their email address. Will that help?

3

Of course! I mean, my post has 2 goals:

  • Letting you guys that this seems like a good way to impersonate people
  • Find out how to disable this.

@pfaffman how do I disable it?

4

Doesn’t the signup with @coolcompany need to confirm control of the email address? Or does that happen after the approval? Confirmation should happen for all email addresses.

1 Like
5

Yeah this seems like a bug in the feature – @eviltrout worked on it, can you confirm this does not work Robin because I don’t think it should.

Once the user has confirmed their email, that function should no longer work.

This is basically a security exploit so I think handling it should be prioritized.

1 Like
6

I just tried to reproduce this and got an error from the server: You are not permitted to view the requested resource.

The URL makes a request to /u/update-activation-email. I confirmed in the source code that if a user is already active that it raises an error:

https://github.com/discourse/discourse/blob/master/app/controllers/users_controller.rb#L605

Are you 100% sure you were able to change the email address following the above steps? Because I am not able to.

4 Likes
7

@eviltrout Yes! just tried it again.

Basically I tried it with a teammate.

  1. He signs up, writes the @coolcompany.com email.
  2. Stops on the screen when he can change his email (pending approval)
  3. I go to the admin panel, approve him (as I see he is a good fella from @coolcompany.com)
  4. He then proceeds to change his email on that screen clicking the “change email address” grey button.
  5. He gets a “new” confirmation email to his NEW INSERTED email address, and validates his NEW address.
  6. He is now approved, and into the forums.
  7. When I go to see the list of users, he now has another email! I mean, I am not going to check everybody’s emails once a week just to check if they did not do that. I have already approved someone based on the initial information they provided, presuming they CANNOT change it afterwards (I have disabled the option to change their emails in the future).

But I am REALLY interested in disabling this feature we are talking about here.

Thanks!

8

Just making sure, what version of Discourse are you running?

9

Trial of Std version, cloud, hosted by Discourse :slight_smile:

1 Like
10

This seems to be the main difference, you have mandatory account approvals enabled, not default out of box signup?

So disable that on your site, since it seems to be the source of the issue.

11

I think I’ve seen this before on my instance - isn’t really an issue for us though as we don’t care what email address people use. Just repro-d it successfully on tests-passed.

Just in case there’s any confusion about active vs. approved. As I understand it:

  • “active” is related to verifying your own email address
  • “approved” is when a staff member approves a user (with must approve users site setting)

I think @fermelone is talking about this scenario, which I can reproduce:

  • User signs up, but does not “activate”
  • Staff member sees new user, and clicks “approve” after looking at their (un-activated) email address
  • User uses “update activation email” to change email address
  • User can now activate an account

So maybe users shouldn’t be added to the approval queue until they are ‘activated’?

5 Likes
12

@codinghorror I get your point, but I want to control who accesses and registers to my forum.

@david I like David’s idea, once they confirmed the email that they cannot change, then show me I have a pending approval. I like this one.

1 Like
13

Absolutely, this also cuts down noise in the approve users queue, should be our default behavior, not sure you should even be allowed to disable

4 Likes
14

I believe this was discussed early on, the chicken and egg problem between the admin approving first, or the user validating their email first. They definitely should not show up as approve-able until they validate their email though.

7 Likes
15

Are you able to repro this now @eviltrout?

16

The issue here is someone doesn’t ever want users to change their emails, and they were allowed to do so following approval if they hadn’t activated their original email. It doesn’t seem like a security hole to me since the user still had the authenticate the email, but I understand in some rare situations forum owners don’t want users to change their emails.

The solution is what’s suggested earlier: don’t allow staff to approve a user until they’ve confirmed their email address.

https://github.com/discourse/discourse/commit/db929e58fc02923ddc2d09add5103aaba73c027f

8 Likes
17

This topic was automatically closed after 5 days. New replies are no longer allowed.