hello

does somebody know the scenario?

config:
password on
immediately login no

a) user registers
b) gets pre authenticated user role
c) he has to verify by email (in the mail is only the link - no login data)
d) but he ignores the mail and logs in without verification

result: some pages are restricted????

is it a bug? or concept?
if yes - is there a hack or something i can do? it's webwide the standard configuration of the login process??

thanks and greetings momper

Comments

hunmonk’s picture

Status: Active » Fixed

please re-read all of the documentation that comes with the module, including the help section. the answers to your questions are in there.

momper’s picture

o.k. - i see a structural drupal problem - because on most sites it's not allowed to login immediately, if you are not verified. this would be the logical consequence (spammer etc.) ...
but i can understand - this would be maybe complicated to code. if not: can i put in an issue with this as a feature request? this role wouldn't be allowed to login as an option?

because the user understands nothing of these technical problems: wouldn't it be possible to show a message, if he logs in?

thanks and greetings momper

hunmonk’s picture

Title: Password yes / verification link required / but logged in without verification some pages/nodes show access denied » Optionally display a message to users in the pre-auth role.
Status: Fixed » Active

can i put in an issue with this as a feature request? this role wouldn't be allowed to login as an option?

no, this is an integral feature of the module, and will not be adjusted. the main issue is one of permissions, not the fact that the user can login or not. if you don't wish the user to have any elevated permissions in the pre-auth role, then set the permissions in that role to be the same as the anonymous role -- problem solved. ;)

because the user understands nothing of these technical problems: wouldn't it be possible to show a message, if he logs in

first of all, it is not a 'problem' that the user can login, nor that they can do so with limited permissions. role-based access is not an uncommon concept in the world of websites.

but are you suggesting that the problem is that they have logged in, and are not aware that they have limited permissions? this i can see as a possible issue. however, i will bring up these two related points:

  1. the user already gets a message when they register, which clearly indicates to them that they will have limited permissions until they validate their account.
  2. i've been maintaining this module for four major versions of drupal, and not once has anybody told me that their users get confused about being in the pre-auth role.

that said, i'm undecided about whether to implement the user message you suggest. i'm willing to consider further discussion on it, though, so i'm changing the issue title appropriately.

momper’s picture

thanks for the detailed answer ....

can i put in an issue with this as a feature request? this role wouldn't be allowed to login as an option?

no, this is an integral feature of the module, and will not be adjusted. the main issue is one of permissions, not the fact that the user can login or not. if you don't wish the user to have any elevated permissions in the pre-auth role, then set the permissions in that role to be the same as the anonymous role -- problem solved. ;)

i tried, but there are still some pages not reachable - maybe my misconfiguration - i will try again ...

1. the user already gets a message when they register, which clearly indicates to them that they will have limited permissions until they validate their account.

yes in the ideal situation they are aware of this, but sometimes they immediately login (and i only speak here about this, because i had this situation in reality) because they think, they gave in the complete set (username,password,profile) and there comes a mail o.k. but the login works and so they move on ...

2. i've been maintaining this module for four major versions of drupal, and not once has anybody told me that their users get confused about being in the pre-auth role.

this would end in a general discussion and i really don't want to offend you, but as a short statement: i'm a designer and there are things in drupal modules usability yet not solved for years ... example: in the backend are still admin tables not sortable and a "select all" functionality is missing ... in strong ui guidelines this would be a general must ...

so maybe there are some others who want to comment here too ...

and thanks for this module in general and for your work ...

hunmonk’s picture

Status: Active » Postponed (maintainer needs more info)

i'm a designer and there are things in drupal modules usability yet not solved for years

but see the thing is, that would not have kept people from complaining if there was a problem, so it doesn't mean much to me. just because it seems like a problem to you doesn't mean it seems like a problem to other people... ;)

so, yes -- i think it would be nice if some other people chimed in about your observation...

hunmonk’s picture

Version: 6.x-1.x-dev » 7.x-1.x-dev
Category: support » feature

lejon’s picture

Priority: Normal » Critical

Hi,

This is important for me too. We have a situation where we are using module "Register Pre-approved" http://drupal.org/project/register_preapproved

We want to preapprove certain email addresses. However, because LoginToboggan allows you to login even though you haven't confirmed your email address makes this a security risk - we want the person to PROVE that their email address is active by clicking the link they get in their email inbox.

At the moment if someone says they have an approved email address, even if they haven't, they can still login using their made-up name and password.

Thanks!

hunmonk’s picture

Priority: Critical » Normal

please don't upgrade the priority based on your personal needs -- it's critical to you, not to the users of this module in general.

At the moment if someone says they have an approved email address, even if they haven't, they can still login using their made-up name and password.

do you allow anonymous access to your site at all? if so, then setting the pre-auth permissions to the same as the anonymous permissions would solve your security issue.

lejon’s picture

oops, sorry about the change of priority.

Unfortunately logic still doesn't work when using RegisterPreApproved.

If I want everyone with an email address at @domain.org to be automatically allocated to a certain role then I set this in RegisterPreApproved. I want them to PROVE that they have an email address at that domain by only allowing login through clicking on a link received by email or logging in through a password sent to their account.

If LoginToboggan allows people to login even if they only say they have an account at @domain.org then they will have access to the site at a level they shouldn't have.

I am no longer using LoginToboggan, which is a shame, as the default user settings work for my set up with RegisterPreApproved, but it would have been nice...!

hunmonk’s picture

Status: Postponed (maintainer needs more info) » Closed (works as designed)

I want them to PROVE that they have an email address at that domain by only allowing login through clicking on a link received by email or logging in through a password sent to their account.

the "or logging in through a password sent to their account" is just standard core workflow, which the module supports. uncheck the 'Set password' option on the settings page and you're there.

you'll still have all the other functionality of LT with that feature disabled.
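
The two concerns in this thread (a pre-auth role with more permissions than anonymous, and an unverified account that also holds a pre-approved role) can be checked mechanically. The following is an added example, not part of the thread and not LoginToboggan or Register Pre-approved code; the role names, permission sets and accounts are constructed, and it assumes an account's effective permissions are the union of the permissions of all its roles.

```python
# Constructed sample data (not from a real site): role -> permission names.
ROLE_PERMS = {
    "anonymous": {"access content"},
    "pre-authorized": {"access content", "post comments"},
    "authenticated": {"access content", "post comments", "create article content"},
    "domain.org staff": {"view internal pages"},  # hypothetical pre-approved role
}

# Constructed accounts; verified=False means the e-mail link was never followed.
ACCOUNTS = [
    {"name": "alice", "verified": True, "roles": ["authenticated", "domain.org staff"]},
    {"name": "bob", "verified": False, "roles": ["pre-authorized"]},
    {"name": "mallory", "verified": False, "roles": ["pre-authorized", "domain.org staff"]},
]


def effective_permissions(roles, role_perms):
    """Assumption: an account's permissions are the union over all its roles."""
    perms = set()
    for role in roles:
        perms |= role_perms.get(role, set())
    return perms


def audit(accounts, role_perms, baseline="anonymous", pre_auth="pre-authorized"):
    """List every permission that is reachable without e-mail verification."""
    base = role_perms[baseline]
    findings = []
    # Check 1: the pre-auth role should grant nothing beyond the baseline role.
    role_extra = role_perms[pre_auth] - base
    if role_extra:
        findings.append(("role", pre_auth, sorted(role_extra)))
    # Check 2: unverified accounts must not gain permissions through other roles.
    for acct in accounts:
        if acct["verified"]:
            continue
        extra = effective_permissions(acct["roles"], role_perms) - base - role_perms[pre_auth]
        if extra:
            findings.append(("account", acct["name"], sorted(extra)))
    return findings


if __name__ == "__main__":
    for kind, subject, perms in audit(ACCOUNTS, ROLE_PERMS):
        print(f"{kind} {subject!r} has unverified access to: {', '.join(perms)}")
```

An empty result means nothing beyond anonymous access is available before the e-mail link is followed.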