Userpoints awarded prior to email verification

rcourtna - November 13, 2007 - 17:19
Project: User Referral
Version: 5.x-1.x-dev
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: active
Description

Hello,

The referral module assigns userpoints when a new & referred user is inserted into the database (hook_user op='insert'). Email verification of the new user's account is not required. This introduces the risk of gaming/cheating, as it would be simple for someone to write a script that programmatically requests the referral URL and creates accounts.

Ideally, we could call userpointsapi only after a user has completed the email verification. This is complicated by email verification being optional. Perhaps further complicated by logintoboggan, which can be configured to auto-activate the user, but not escalate the user-role to 'authenticated' until the email verification is complete.

Thoughts?
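
The deferral idea raised in this report, as an added example (not code from the post or from the User Referral module): the award is recorded as pending at insert time and released only once the account counts as verified, at most once. It is plain PHP with no Drupal calls; every function name, the settings array, the `pre-authorized` role name and the sample account are assumptions made for illustration, as is treating a first login as proof that the emailed credentials were received.

```php
<?php
// Added illustration: plain PHP, no Drupal bootstrap. All names are hypothetical.

// Constructed site settings: whether e-mail verification is required, and the
// name of a LoginToboggan-style role held until the e-mail is confirmed.
$settings = ['email_verification' => true, 'preauth_role' => 'pre-authorized'];
$pending = [];   // new uid => referrer uid, recorded at insert time
$points  = [];   // referrer uid => points awarded so far

// Runs where the module awards points today (hook_user op='insert').
function referral_on_insert(array $account, int $referrer, array $settings, array &$pending, array &$points): void {
  $pending[$account['uid']] = $referrer;
  referral_try_award($account, $settings, $pending, $points);
}

// Runs again on later account events (login, role change).
function referral_try_award(array $account, array $settings, array &$pending, array &$points): void {
  $uid = $account['uid'];
  if (!isset($pending[$uid]) || !referral_is_verified($account, $settings)) {
    return;
  }
  $referrer = $pending[$uid];
  unset($pending[$uid]);                        // award at most once per referred user
  $points[$referrer] = ($points[$referrer] ?? 0) + 1;
}

function referral_is_verified(array $account, array $settings): bool {
  if (!$settings['email_verification']) {
    return true;                                // verification is optional and switched off
  }
  if (in_array($settings['preauth_role'], $account['roles'], true)) {
    return false;                               // auto-activated, e-mail still unconfirmed
  }
  // Assumption: an active account that has logged in received the e-mailed credentials.
  return $account['status'] === 1 && $account['login'] > 0;
}

// Constructed demo: a referred signup earns the referrer nothing until verified.
$new = ['uid' => 42, 'status' => 1, 'login' => 0, 'roles' => ['pre-authorized']];
referral_on_insert($new, 7, $settings, $pending, $points);
var_dump($points[7] ?? 0);
$new['roles'] = ['authenticated user'];
$new['login'] = 1194974340;                     // constructed timestamp
referral_try_award($new, $settings, $pending, $points);
referral_try_award($new, $settings, $pending, $points);   // repeat call is a no-op
var_dump($points[7] ?? 0);
```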

 
 
