User can login without confirming activation mail


(Alfabetagama) #1

Hi,

We are trying to set up an invite-only forum.

Steps to reproduce:

  1. administrator invites user
  2. user receives email and creates account
  3. after account creation, user is automatically logged in and can see the content

At account creation, an activation mail is sent. If the user logs out, he cannot log in unless he activates the account via email. If the user stays logged in for a longer period after initial account creation, and then logs out, he cannot log in or activate his account, because the activation link expires.

Expected behaviour:

  1. administrator invites user
  2. user receives email and creates account. User is prompted to activate her account
  3. user receives activation email
  4. user activates account
  5. user can log in or is automatically logged in after activation

Site Settings:

invite only … checked
enable local logins … checked
login required … checked
must approve users … checked


(Daniela) #2

Thanks for the report @alfabetagama, we already know about it, it’s inserted in the fix list :wink:


(Alfabetagama) #3

Thanks for the quick reply, Daniela,

can you give me an ETA on resolution :slight_smile: ?


(Daniela) #4

I cannot give you an accurate ETA; part of the fix is ready but must be checked again.


(Jeff Atwood) #5

@dax this is not a bug, it has always been the design in Discourse that people you invite are logged in as soon as they click your invite link. Cc @gerhard

The idea is you want people you invite to be posting immediately after they arrive.


(Alfabetagama) #6

@codinghorror,

in our case we would prefer that users activate their account before login.

Right now, at account creation, a user that is not confirmed is logged in automatically and an activation mail is sent. If the user logs out, he cannot log in again unless he activates the account via email. If the user stays logged in for a longer period after initial account creation, and then logs out, he cannot log in or activate his account, because the activation link expires. And currently the user cannot resend the activation email.

In my opinion, this behaviour is inconsistent and confusing. If activation is necessary, then the user should activate her account prior to login. If it is not necessary, then it should not be sent at all.

Maybe a new setting could be introduced which separates these two behaviours?

e.g. “require email confirmation before login”

If checked, the system would require activation before login. If unchecked, the user would be considered activated and logged in automatically.

Best regards