• Something I’m playing with tonight….

    First, I use the EMAIL LOGIN plugin to allow users to log in with either their username or login. Unfortunately, using the email route to log in allows an unverified user to log in and see whatever the default role (in this case, subscriber) is allowed to see.

    So I wonder if there is a way to make the user’s role be NO ROLE FOR THIS SITE, then upon hitting the Verify user button, it switches the role to the default (from the general settings – in this case subscriber).

    I have no idea if this is possible or hard, but that’s my idea. I don’t want the user to be able to log in until they are verified, but the email login plugin is bypassing the temporary username you give them to block their login via “username”.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author radiok

    (@radiok)

    I can think of about… 3 ways to fix this particular problem. One way would be to intercept all logins, regardless of username, and reject users that are unverified (this would prevent even someone aware of their unverified_xxxxxx login), or I could store their email address as well so that there’s a bogus email address on file should they try to log in with their email address (this is a much less sophisticated and brute approach), or finally, I could, as you say, look into permissions. The thing is, I think the lowest permission is Guest, which still gives them some access. Logically, I think WordPress doesn’t have anything lower because, well, why would you create a user with no permission? Ya know?

    Anyway, I think the first approach is best, if I get it working properly, we could stop storing user logins at all, and instead just prevent users with an unverified flag (of sorts) from logging in. So that’s the avenue I will check first.

    Oh, another note, a quick easy way to fix this is to not let your users create their own password. In that case they may have a “working” login, but they won’t know the password. And as it stands I already intercept password resets to prevent just such a method of login.
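
The first approach from the reply above (intercept every login and reject unverified accounts, whatever identifier was typed), sketched as an added example that is not part of the original post or the plugin's code. The `example_unverified` user-meta key and the `example_*` function names are hypothetical, and setting the flag on `user_register` is an assumption about where registration would mark the account.

```php
<?php
/**
 * Added example: gate login on the resolved account, so username login,
 * email login and the temporary unverified_xxxxxx login are all covered.
 * 'example_unverified' is a hypothetical meta key, not the plugin's own.
 */

// Priority 100 runs after core's username/email/password handlers (20)
// and after the spam check (99), so $user is already resolved here.
add_filter( 'authenticate', 'example_block_unverified_login', 100, 3 );

function example_block_unverified_login( $user, $username, $password ) {
    // An earlier handler already failed (bad password, unknown user):
    // pass its WP_Error/null through unchanged.
    if ( ! ( $user instanceof WP_User ) ) {
        return $user;
    }

    // Check the flag on the account ID, never on the submitted string.
    // That is what makes the check independent of how the user was looked up.
    if ( get_user_meta( $user->ID, 'example_unverified', true ) ) {
        return new WP_Error(
            'example_unverified',
            __( 'This account has not been verified yet.' )
        );
    }

    return $user;
}

// Assumption: every new registration starts out unverified.
add_action( 'user_register', 'example_mark_unverified' );

function example_mark_unverified( $user_id ) {
    update_user_meta( $user_id, 'example_unverified', 1 );
}

// To be called from whatever handles the admin's "Verify" action.
function example_mark_verified( $user_id ) {
    delete_user_meta( $user_id, 'example_unverified' );
}
```

The filter only gates new sign-ins that go through `wp_authenticate()`; a session that already exists when the flag is set is not ended by it.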

    Plugin Author radiok

    (@radiok)

    I want to bump this up, I’ve been meaning to work on this and haven’t gotten around to it. I still consider this important though.

  • The topic ‘[Plugin: Register Plus Redux] Unverified Roles and conflict with email login plugin’ is closed to new replies.