Required checkbox field can be bypassed


(Christoph) #1

While creating a test user the other day via google auth, I noticed that I was able to create the user even though I did not fill in (tick) the custom user field that is required at sign-up.


(Jeff Atwood) #2

Sorry I am unclear here. Can you list the exact repro steps please?


(Christoph) #3

If memory serves:

  1. Make sure you have Google Auth as an option for creating new user account.
  2. Create a custom user field (type: confirmation) and set it to “Required at signup”.
  3. Access the sign-up page as an unknown user and use the Google button to fill in the “Create New Account” form
  4. Don’t tick the checkbox of the required custom user field
  5. The “Create New Account” button is not greyed out and works to create the account (despite the required field not being checked).

(Jeff Atwood) #4

So this is specific to checkbox? Does it happen with text fields as well?

Wait a second. Checkboxes are only checked or unchecked. How can you even tell if someone “didn’t” fill it in? This is a logical fallacy. There is no third “not-checked-or-unchecked” state here.


(Eli the Bearded) #5

When checkboxes are for things like “I agree to the Terms of Service”, the only state that matters is “checked”. Any other value should be no-go.


(Christoph) #6

I mentioned checkbox because that is my scenario. I didn’t check other user field types but it seems improbable to me that the code that checks required user fields would be bypassed only in the case of one type of user field.

Could you explain why you changed the category for this bug report to feature? Are you suggesting that required user fields are supposed to be required only for the ordinary sign-up method?

Yes, that is how it works for sign-up without social login.


#7

By signing up they agree to TOS as per default TOS that comes with Discourse.


(Jeff Atwood) #8

Please read my reply. That explains what I said. Can you explain what state you expect the checkbox to be in? In other words, can you provide a real live example with actual values?


(Christoph) #9

The state of the checkbox is not an expected result but a condition:

The expectation is that required user fields will work the same regardless of which method a new user uses to sign up, i.e. in the case of a check box, that the user cannot sign-up as long as the required check box is not ticked.

Here you go:

What else do you need?


I think it was meant as an example:


(Jeff Atwood) #10

What is the actual checkbox text on the screen? Can you share a screenshot?


(Christoph) #11

How would that text (i.e. the field description) have anything to do with the technical issue here?


(Jeff Atwood) #12

Are you requiring that the box be checked, as in “did you read the terms of service”? There’s no other way this can work. There’s only one state you can have – checked.

Therefore the text is quite relevant.


(Christoph) #13

I think we are somehow talking past each other: The bug I’m reporting is no more and no less than that required user fields seem to work differently when a social login is used as opposed to manually filling in your email etc. I consider this a bug because I think it makes no sense that required user fields are not required if you use a different authentication method. In other words, I’m assuming that what I’m seeing is unintentional (while you seem to be implying that it is intentional?):

If a new user signs up by manually entering their email, username and password, the “Create New User” button will be greyed out and ineffective until the user checks the checkbox of the required custom user field. This is expected behaviour and everything is fine with that.

Now, if a new user clicks on the “Google” button instead of the above method, the sign-up form will be filled in automatically once s/he returns from the Google Auth page. This is also fine and as expected. What is not fine is that even though the custom user field checkbox has not been ticked, the “Create New User” button is not greyed out and fully functional. In other words, the user can create a new user while ignoring the required custom user field. This should not be possible and this is the issue that I’m reporting here.

To be clear: I am talking about signing up via the /signup modal.
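
The expectation described in this thread (a required confirmation field blocks sign-up whichever authentication method is used, and only "checked" counts) can be enforced on the server so that it does not depend on the state of a button in the form. This is an added example, not part of the original thread and not Discourse's code; `UserField`, `FIELDS`, `satisfied?`, `missing_required` and `create_account` are hypothetical names and the field definitions are constructed.

```ruby
# Added illustration; not Discourse code. All names here are hypothetical.
UserField = Struct.new(:id, :name, :type, :required)

# Constructed field definitions: one required confirmation checkbox,
# one optional text field.
FIELDS = [
  UserField.new(1, "Accept community rules", :confirmation, true),
  UserField.new(2, "Favourite editor", :text, false),
].freeze

# Values a browser may submit for a ticked checkbox.
TRUTHY = [true, "true", "1", "on"].freeze

# A required confirmation field is satisfied only when it is ticked.
# For a checkbox, absent, false and "" all mean "not confirmed".
def satisfied?(field, value)
  return true unless field.required
  case field.type
  when :confirmation then TRUTHY.include?(value)
  else !value.to_s.strip.empty?
  end
end

# Returns the names of required fields that were not satisfied.
def missing_required(fields, submitted)
  fields.reject { |f| satisfied?(f, submitted[f.id.to_s]) }.map(&:name)
end

# Single entry point for account creation. auth_method is recorded but
# deliberately never consulted by the validation, so a social login and
# a manual sign-up pass through exactly the same check.
def create_account(params, auth_method:)
  missing = missing_required(FIELDS, params.fetch("user_fields", {}))
  return { created: false, errors: missing } unless missing.empty?
  { created: true, auth_method: auth_method }
end
```

Because the check runs in the one code path that creates the account, a request that arrives with the checkbox unticked is rejected even if the client-side form allowed the button to be pressed.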


#14

I get what you’re saying, btw, do you have Required at signup ticked?

EDIT:

You’re going to have to tick it for it to not be “bypassed”


(Christoph) #15

Yes, of course. And it works fine when creating a new user the “ordinary” way.


(Christoph) #16

Any chance that this will be fixed?


(Sam Saffron) #17

Can you share some screenshots please, it does sound like a bug to me.


(Christoph) #18

Here you go:

So, just to be explicit: the above screenshot shows that, if I use Google Auth I can create a new account without accepting the required custom user field.

By contrast, if I go the ordinary route and fill in my details manually, the “Create New Account” button remains greyed out:


… until I fill in/accept the custom user field: