WordPress.org

Ready to get started?Download WordPress

Forums

Secure Invites
[resolved] Can sign up as anyone once at registration page (3 posts)

  1. darinroman
    Member
    Posted 3 years ago #

    This plugin is exactly what I was looking for and has lots of potential, but it needs some improvement. I am not too familiar with PHP (just learning) and I can appreciate all of the hard work that goes into coding plugins. Thank you.

    I am running WordPress 3.0.1 and BuddyPress 1.2.5.2
    After playing around with this plugin and testing the process I noticed a flaw in the security: After clicking the link in the email or typing it into a browser you do successfully reach the registration page, however, once at the registration page you can sign up as anyone with any email address. The Invitation list shows the original invitation as incomplete and shows the uninvited email and username as invited by the admin. This happened when using with the 'BP Disable Activation Plugin' so I decided to deactivate that plugin and try again. It still allows anyone to sign up only the new user is now completely undetected in the invitaion list. When logging in there is an alert that the account could not be activated but you are logged in anyway. Shouldn't Secure Invite restrict signup to the email address in the invitation. Simply intercepting an email or adding ?emailaddress to the URL could allow anyone to register and this link remains open if the signup is not with the intended email address or until it expires or is deleted by the admin.

    http://wordpress.org/extend/plugins/wordpress-mu-secure-invites/

  2. Chris Taylor
    Member
    Plugin Author

    Posted 3 years ago #

    Hi,

    Yes, this has occurred to me before. However I don't think it's a massive problem as you'd need to know an email address which has been invited to append to the ?email= part of the URL (I know this isn't ideal...)

    It would take quite a big change to the WordPress registration procedure to force the user to register with the same email address they are invited on, and at the moment it doesn't seem worth it.

    In a nutshell: I see you point but the amount of work it would take to overcome this problem is too large.

    Chris

  3. darinroman
    Member
    Posted 3 years ago #

    Thank you for the reply Chris...it is certainly not a major problem and I appreciate the hard work you've done. I do understand that it would take a great deal of work to perform this function without hacking the WordPress core, which of course, we try to avoid. Perhaps I'll get good enough with PHP to create my own plugins sometime soon. Thanks again for this plugin as it is exactly what I needed for a private community.

    Darin

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic