Ultimate Members - Users Awaiting E-mail Confirmation can login


Post by Maverick87Shaka »

On our website, we've created some code around the usage of the Ultimate Members plugin. It works great and helps us to manage the user experience around the website. After this integration, we've added to our website a phpBB forum in the /forum subfolder.

Everything works almost as expected, but we have something like a security breach preventing the BOT activity, since after activating the Wp_w3all plugin, users can log in and operate on the website and forum without clicking on the verification link.

We've tested using the options "Add users in phpBB only after first successful login in WordPress" and "Deactivate phpBB user account until WP confirmation", but nothing helps to prevent this. Users can still log in if this plugin is active.
If we deactivate the WP_w3all plugin, the activation email behavior starts to work normally again.


Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by axew3 »

Hello!

Maverick87Shaka wrote:
Everything works almost as expected, but we have something like a security breach preventing the BOT activity, since after activating the Wp_w3all plugin, users can log in and operate on the website and forum without clicking on the verification link.

So, what happens: the user registers in WordPress, then results to be active in phpBB, even with the option to add into phpBB as deactivated until confirmation? Or does it happen because the password is provided/can be chosen at the registration step, so that the user can log in without email confirmation?


Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by Maverick87Shaka »

The users register themselves through the Ultimate Member form. In the WordPress dashboard, the admin can see that the new user is in the Awaiting E-mail Confirmation status, but all new users can LOG IN directly from WordPress even without clicking on the email activation link. After the first login they can also go to phpBB and make posts etc.

If you keep the "Add users in phpBB only after first successful login in WordPress" option on yes, you can notice that the users will be present only in WordPress initially, but can still log in. And after the first login the user has the account "transferred" also to phpBB. All these steps without even opening the email with the activation link.


Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by Maverick87Shaka »

Any idea on that?
Unfortunately, since the website appears to be getting more known by bot agents, the problem is getting more annoying than usual.
We've also moved the registration page from the standard /register URL to another custom URL trying to mitigate the problem, but it kept us safe just for a couple of hours.


Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by axew3 »

I will give it a test, in the hope I have understood the flow:
users register into WP, via the Ultimate Member frontend, and they can log in even without confirming their email? Is this the problem?
I assume that this is the problem, because they choose their password when they fill in the registration form.
This is the problem, isn't it?
Let me know please so I can go shortly to fix the issue (I will look anyway if this is the problem, but if you confirm, it is better to know we are on the same line).

[EDITED]


Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by Maverick87Shaka »

Yes,
it's the flow to reproduce the problem. Just a note: it's not the MemberPress frontend but the login form of Ultimate Member (free plugin version @ https://wordpress.org/plugins/ultimate-member/ )


Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by axew3 »

So, this way it can be fixed for any plugin and login flow, just changing very few things (and this can be left in the code by default):

open wp_w3all.php

where these lines are:

Code:

if( $w3all_add_into_phpBB_after_confirm == 1 )
{

just after, add the following:

Code:

  // Ultimate Member account state, read from the user's meta
  $umeta = get_user_meta($wpu->ID);

  // stop here (the user is not added into phpBB) until the account is approved
  if( isset($umeta['account_status'][0]) && $umeta['account_status'][0] != 'approved' ){
    return;
  }

If the user should also autologin, a little more code needs to be added instead, earlier in the function w3all_add_phpbb_user(), to grab the sent vars and check against something like:

Code:

  $umeta = get_user_meta($wpu->ID);
  // compare the hash sent by the activation link with the stored one:
  // string input only, and hash_equals() instead of == (constant time, no type juggling)
  if( isset($_GET['hash'], $umeta['account_secret_hash'][0]) && is_string($_GET['hash'])
      && hash_equals((string) $umeta['account_secret_hash'][0], $_GET['hash']) )
  {
    // add the user in phpBB (if already exist the function will return, with no effect)
    // login user in wp, that will setup also the phpBB session
    return;
  }

Activate only the option:
"Add users in phpBB only after first successful login in WordPress"

and disable the "add user as deactivated" option in the integration plugin admin.

I can also produce this little part of code if it is required; I will do it (I think) tomorrow, adding a reply with the complete procedure/code for the Ultimate Member plugin.
I've also read the other topic/question about the cache plugin, I will take a look.
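
The two checks from the reply above, combined into one decision function and run over constructed cases. This is an added example, not axew3's or the plugin's code: w3x_phpbb_decision() and all sample values are hypothetical, and 'awaiting_email_confirmation' is assumed to be the meta value behind the status shown in the dashboard.

```php
<?php
// Added illustration, not wp_w3all or Ultimate Member code.
// w3x_phpbb_decision() is a hypothetical helper. $umeta has the shape that
// get_user_meta($id) returns: every key maps to an array of values.

function w3x_phpbb_decision(array $umeta, $hash_param): string
{
    $status = $umeta['account_status'][0] ?? null;

    // No Ultimate Member status at all: the user came from another
    // registration flow, so the gate does not apply (same as the isset() test).
    if ($status === null || $status === 'approved') {
        return 'add';
    }

    // Pending user arriving through the e-mail link: accept only a string
    // parameter and compare it with hash_equals(). A loose == compares two
    // numeric-looking strings as numbers, so different values can be "equal".
    $secret = (string) ($umeta['account_secret_hash'][0] ?? '');
    if (is_string($hash_param) && $secret !== '' && hash_equals($secret, $hash_param)) {
        return 'add_and_login';
    }

    return 'skip'; // not confirmed: do not create the phpBB account
}

// Constructed sample data (not real hashes, assumed status value).
$pending = [
    'account_status'      => ['awaiting_email_confirmation'],
    'account_secret_hash' => ['0e12345678'],
];
$cases = [
    'approved user'              => [['account_status' => ['approved']], null],
    'non-UM user (no meta)'      => [[], null],
    'pending, no link'           => [$pending, null],
    'pending, correct hash'      => [$pending, '0e12345678'],
    'pending, numeric lookalike' => [$pending, '0e87654321'],
    'pending, array parameter'   => [$pending, ['x']],
];

foreach ($cases as $label => [$meta, $param]) {
    printf("%-28s => %s\n", $label, w3x_phpbb_decision($meta, $param));
}
```

Run with the PHP CLI (7.1 or later); only the approved, non-UM and correct-hash cases lead to a phpBB account.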


Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by Maverick87Shaka »

Hi,
You got it! Thanks!
Adding just the code:

Code:

  if( isset($umeta['account_status'][0]) && $umeta['account_status'][0] != 'approved' ){
    return;
  }

will restore the Ultimate Member email link confirmation. If it doesn't have any other side effects (actually on our side it doesn't seem to create problems), you can think about putting it in the next plugin update; Ultimate Member is quite widespread and helps a lot to manage and maintain the users database.

I think that's all, you can consider it SOLVED ;)

Thanks!


Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by axew3 »

Finally, after a complete system re-installation, I've taken the time to also re-install common plugins on my test localhost.

So now I see anyway that avatars are not working when Ultimate Member is active.
Is there some option in it that does not let WP avatars be used and that should be deactivated, or what? Do you know?


Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by Maverick87Shaka »

axew3 wrote:
Wed Mar 31, 2021 2:04 pm
Finally, after a complete system re-installation, I've taken the time to also re-install common plugins on my test localhost.

So now I see anyway that avatars are not working when Ultimate Member is active.
Is there some option in it that does not let WP avatars be used and that should be deactivated, or what? Do you know?

Actually we really don't care so much about user avatars; if the users want, they have to set up their avatar manually for WordPress with Ultimate Member, and do it again for phpBB.

It would be really cool to have only one place to set up the avatar, and see it in both WordPress and the phpBB forum, but it's not really mandatory for our projects.

I have bad news, by the way.

If the user tries to log in in the same browser instance as the registration, he will receive the error message that he has to activate the account with the mail.
But if the user opens a private navigation tab or another browser, he can log in even without clicking on the activation link in the email :-(


Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by axew3 »

Maverick87Shaka wrote:
If the user tries to log in in the same browser instance as the registration, he will receive the error message that he has to activate the account with the mail.
But if the user opens a private navigation tab or another browser, he can log in even without clicking on the activation link in the email

Is it an Ultimate Member issue? Because on this side, if the user results as not active, the function returns and the user is not added into phpBB.
The fact that it is in incognito or not means nothing.

This applied solution resolves it; there is no incognito mode that can interfere with:
https://www.axew3.com/w3/forums/viewtop ... 5220#p5220


Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by Maverick87Shaka »

axew3 wrote:
Wed Mar 31, 2021 3:06 pm
Is it an Ultimate Member issue? Because on this side, if the user results as not active, the function returns and the user is not added into phpBB.
The fact that it is in incognito or not means nothing.

This applied solution resolves it; there is no incognito mode that can interfere with:
https://www.axew3.com/w3/forums/viewtop ... 5220#p5220

I'll try without WP_w3all to understand if this particular one is a common problem of Ultimate Member and not related to the forum integration.


Re: Ultimate Members - Users Awaiting E-mail Confirmation can login

Post by zpintar »

Hello,

Some new questions about Ultimate Membership <-> w3all plugins:
  • Is it possible to do UM's profile fields exchange like with BuddyPress profile fields?
  • When you deactivate some active user in UM (Ultimate Membership), he can still log in to WP. Is there some solution to split logins so that, in the case of deactivated users, they are allowed to log in only in phpBB but not in WP? (I suppose that it will be a huge problem, so maybe I can work around deactivating users by putting them in a new user role with fewer permissions)
