Posted 11 months ago #
Hi,
I have found a bug.
This plugin lets users that are not activated (user_status = 2) login with their email address. If they use their username they receive an error (as they should) but not when they use their email address.
I am using this plugin with BuddyPress, so this obviously creates problems when they can login without being activated.
Posted 11 months ago #
Yep I think you've finally also found the cause of my site being overrun by sploggers and spammers all the time - they are registering, not activating, then logging in and creating buddypress groups. I can delete a spam log and a new one literally appears within a few hours.. be great if this plug-in can be fixed urgently.
Posted 11 months ago #
It simply needs to check that their user_status is not '2' (which means not activated).
Posted 11 months ago #
have you made that code change in your copy of the plug-in steve? if so would you mind posting it here with the surrounding code and I'll edit it into mine.
Posted 11 months ago #
No but I might have a go tonight and will post it here if it works.
Posted 11 months ago #
Well the fix was a lot easier than I thought.
Open up email-login.php (within the plugin's folder /wp-email-login/) and edit the main "dr_email_login_authenticate" function:
function dr_email_login_authenticate( $user, $username, $password ) {
if ( !empty( $username ) )
$user = get_user_by( 'email', $username );
if ( isset( $user->user_login, $user ) )
$username = $user->user_login;
if ($user->user_status != '2') {
return wp_authenticate_username_password( null, $username, $password );
}
else {
return new WP_Error('invalid_username', __('<strong>ERROR</strong>: Your account has not been activated. Check your email for the activation link.'));
}
}
remove_filter( 'authenticate', 'wp_authenticate_username_password', 20, 3 );
add_filter( 'authenticate', 'dr_email_login_authenticate', 20, 3 );This includes an IF Statement that says; if the user's status is not 2 (ie; not activated), let them login, otherwise show them an error.
Posted 11 months ago #
Worked for me thanks Steve, hopefully the next plug-in version will be updated with a fix to prevent users that havn't activated from logging in, and also ideally have a "resend activation" link in the error message.
cheers
Hi Steve (and sporty),
Thanks for investigating.
This is, in fact, a BuddyPress issue. I have filed a ticket here:
https://buddypress.trac.wordpress.org/ticket/4245
In the meantime, you can keep using your workaround until BuddyPress has addressed this.
Posted 11 months ago #
Hey Guys while I used this BUG as a backdoor access because BECAUSE I HAD LOST the EMAIL Activation.
AGREE the FIX SHOULD definitively have the RESEND ACTIVATION.
Posted 11 months ago #
I've just committed an update (v4.3) that includes a check for user_status == 0.
I opted for this because user_status == 1 appears to have been used for spamming users, so basically only 0 users should be allowed to log in.
FTR, it looks like this value is completely ignored in core WP, so changing the value to 2, 3 or 1, or anything for that matter will allow the user to log in, but with this new change, WP Email Login will *not* allow them to log in.
Posted 11 months ago #
Also note that I didn't change any error message or provide an extra link or anything, it just treats the log in attempt as a failed attempt.
Posted 11 months ago #
Thanks Beau.
Steve I have some users that get stuck user_status==2 even when they try and use the activation email link it does nothing with the key - it goes to the page in buddypress and asks for the activation key versus okay your activated message. I then have to go into mysql and set them to user ==0.
It does not happen to everyone of course just maybe one in 10 users.
Ideas ?
Posted 11 months ago #
Unrelated, I think, but I seem to get some user stuck i.e. the value == 2. When they try and use the activation key it does nothing hence they stay at status ==2. I have to go into mysql and change them to a 0.
Posted 3 months ago #
Is this the same bug as with the plugin "PIE Register"?
http://wordpress.org/support/topic/logging-in-prior-to-verification-url-being-used
Maybe his plugin isn't setting the user status? (his code changes the username, to prevent logins, which is then bypassed by email login). If the core code doesn't check it, he probably didn't think it worth setting.
You must log in to post.
