WordPress.org

WP Email Login
[resolved] This plugin allows non-activated users to login (14 posts)

  1. John Smith
    Member
    Posted 2 years ago #

    Hi,

    I have found a bug.

    This plugin lets users that are not activated (user_status = 2) log in with their email address. If they use their username they receive an error (as they should), but not when they use their email address.

    I am using this plugin with BuddyPress, so this obviously creates problems when they can log in without being activated.

    http://wordpress.org/extend/plugins/wp-email-login/

  2. sporty
    Member
    Posted 2 years ago #

    Yep, I think you've finally also found the cause of my site being overrun by sploggers and spammers all the time - they are registering, not activating, then logging in and creating BuddyPress groups. I can delete a spam log and a new one literally appears within a few hours. Be great if this plug-in can be fixed urgently.

  3. John Smith
    Member
    Posted 2 years ago #

    It simply needs to check that their user_status is not '2' (which means not activated).

  4. sporty
    Member
    Posted 2 years ago #

    Have you made that code change in your copy of the plug-in, Steve? If so, would you mind posting it here with the surrounding code and I'll edit it into mine.

  5. John Smith
    Member
    Posted 2 years ago #

    No, but I might have a go tonight and will post it here if it works.

  6. John Smith
    Member
    Posted 2 years ago #

    Well the fix was a lot easier than I thought.

    Open up email-login.php (within the plugin's folder /wp-email-login/) and edit the main "dr_email_login_authenticate" function:

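    function dr_email_login_authenticate( $user, $username, $password ) {
    	// Treat whatever was typed in the username field as an email address.
    	if ( !empty( $username ) )
    		$user = get_user_by( 'email', $username );
    	// A matching account was found: use its real login name from here on.
    	if ( isset( $user, $user->user_login ) )
    		$username = $user->user_login;
    	// isset() guard: get_user_by() returns false when no account has that email.
    	if ( !isset( $user->user_status ) || $user->user_status != '2' ) {
    		return wp_authenticate_username_password( null, $username, $password );
    	}
    	else {
    		return new WP_Error('invalid_username', __('<strong>ERROR</strong>: Your account has not been activated. Check your email for the activation link.'));
    	}
    }
    // Replace the stock username/password handler with the email-aware one.
    remove_filter( 'authenticate', 'wp_authenticate_username_password', 20, 3 );
    add_filter( 'authenticate', 'dr_email_login_authenticate', 20, 3 );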

    This includes an IF statement that says: if the user's status is not 2 (i.e. not activated), let them log in, otherwise show them an error.

  7. sporty
    Member
    Posted 2 years ago #

    Worked for me, thanks Steve. Hopefully the next plug-in version will be updated with a fix to prevent users that haven't activated from logging in, and also ideally have a "resend activation" link in the error message.

    cheers

  8. r-a-y
    Member
    Plugin Contributor

    Posted 2 years ago #

    Hi Steve (and sporty),

    Thanks for investigating.

    This is, in fact, a BuddyPress issue. I have filed a ticket here:
    https://buddypress.trac.wordpress.org/ticket/4245

    In the meantime, you can keep using your workaround until BuddyPress has addressed this.

  9. bollocks187
    Member
    Posted 2 years ago #

    Hey Guys, while I used this BUG as a backdoor access BECAUSE I HAD LOST the EMAIL Activation.

    AGREE the FIX SHOULD definitely have the RESEND ACTIVATION.

  10. Beau Lebens
    Member
    Plugin Author

    Posted 2 years ago #

    I've just committed an update (v4.3) that includes a check for user_status == 0.

    I opted for this because user_status == 1 appears to have been used for spamming users, so basically only 0 users should be allowed to log in.

    FTR, it looks like this value is completely ignored in core WP, so changing the value to 2, 3 or 1, or anything for that matter will allow the user to log in, but with this new change, WP Email Login will *not* allow them to log in.

  11. Beau Lebens
    Member
    Plugin Author

    Posted 2 years ago #

    Also note that I didn't change any error message or provide an extra link or anything, it just treats the log in attempt as a failed attempt.
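
Added example (not part of the thread and not the plugin's code): the deny-list check from post 6 beside the allow-list check described in post 10, plus a late `authenticate` filter that applies the allow-list to whichever account earlier handlers resolved. The function names and the priority of 99 are assumptions for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not from WP Email Login.

// Deny-list, as in the workaround from post 6: only status 2 is refused.
function example_denylist_allows( $user_status ) {
	return (string) $user_status !== '2';
}

// Allow-list, as described in post 10: only status 0 may log in.
function example_allowlist_allows( $user_status ) {
	return (string) $user_status === '0';
}

// Late 'authenticate' filter: whichever path resolved the account (username
// or email), drop the result unless its user_status is 0. Returning null
// leaves no authenticated user, so the attempt is handled as a failed login.
function example_require_active_status( $user, $username = '', $password = '' ) {
	if ( is_object( $user ) && isset( $user->user_status )
		&& ! example_allowlist_allows( $user->user_status ) ) {
		return null;
	}
	return $user; // errors and status-0 accounts pass through unchanged
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: run after the priority-20 handlers shown in post 6.
	add_filter( 'authenticate', 'example_require_active_status', 99, 3 );
} elseif ( PHP_SAPI === 'cli' ) {
	// Outside WordPress: constructed sample accounts, one per status value
	// mentioned in the thread (0 active, 1 spam, 2 not activated, 3 other).
	foreach ( array( '0', '1', '2', '3' ) as $status ) {
		$account = (object) array(
			'user_login'  => 'sample' . $status,
			'user_status' => $status,
		);
		printf(
			"user_status=%s  deny-list:%s  allow-list:%s  late filter:%s\n",
			$status,
			example_denylist_allows( $status ) ? 'allow' : 'block',
			example_allowlist_allows( $status ) ? 'allow' : 'block',
			example_require_active_status( $account ) ? 'allow' : 'block'
		);
	}
}
```

Run from the command line, the constructed accounts with status 1 and 3 pass the deny-list but are blocked by the allow-list and the late filter.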

  12. bollocks187
    Member
    Posted 2 years ago #

    Thanks Beau.

    Steve, I have some users that get stuck at user_status==2; even when they try and use the activation email link it does nothing with the key - it goes to the page in BuddyPress and asks for the activation key versus an "okay, you're activated" message. I then have to go into MySQL and set them to user ==0.

    It does not happen to everyone of course, just maybe one in 10 users.

    Ideas?

  13. bollocks187
    Member
    Posted 2 years ago #

    Unrelated, I think, but I seem to get some users stuck, i.e. the value == 2. When they try and use the activation key it does nothing, hence they stay at status ==2. I have to go into MySQL and change them to a 0.

  14. jondaley
    Member
    Posted 1 year ago #

    Is this the same bug as with the plugin "PIE Register"?

    http://wordpress.org/support/topic/logging-in-prior-to-verification-url-being-used

    Maybe his plugin isn't setting the user status? (his code changes the username, to prevent logins, which is then bypassed by email login). If the core code doesn't check it, he probably didn't think it worth setting.

Topic Closed

This topic has been closed to new replies.
