BuddyPress.org

Opened 7 years ago

Last modified 5 months ago

#6049 closed enhancement

Do not activate user accounts automatically with one click — at Version 3

Reported by: vimes1984
Owned by:
Milestone: 3.0
Priority: normal
Severity: normal
Version:
Component: Members
Keywords: has-patch needs-testing
Cc:

Description (last modified by r-a-y)

Just had to fix this on a shared hosting account @ https://www.a2hosting.com, they run a spam filter called https://www.barracuda.com/products/spamfirewall
What this does is follow external links in any outgoing emails sent from the server in question. So when BuddyPress sends out its activation link like so: http://example.com/activate?key=7678978978978789 it gets clicked on by the spam filter, activating the account and rendering the activation link useless...
I think this is the ongoing issue with invalid activation links that some users are experiencing.

I suggest we move the activate link to an actual button on page that needs to be physically clicked?
My temp fix was to add a deny from all into the .htaccess, denying the server access to itself.

Change History (3)

#1 @r-a-y
7 years ago

  • Milestone Awaiting Review deleted
  • Status changed from new to closed

We added a fix for this in #5831. Check out the fix in that ticket if you're interested and see if that works.

Would definitely like to know if that addresses your issue.

Marking this as a duplicate.

Sorry I misread your ticket description, vimes1984!

I think for your particular use case, you would need to alter the activation email and change the link so it would take you to example.com/activate and add the key on another line in the email.

In order for this to work, you'd need to override the 'bp_core_signup_send_validation_email_message' filter:
https://buddypress.trac.wordpress.org/browser/tags/2.1.1/src/bp-members/bp-members-functions.php#L1938

Last edited 7 years ago by r-a-y (previous) (diff)

#2 @vimes1984
7 years ago

I found the method sending out the emails, that wasn't my problem. It was more a not wanting to edit the core, and some users can be a little slow: if they have two lines, one with the key and one with a link to /activate, it's a little complex for people, instead of a form with an input box, say, that then requires them to click on a button to confirm it...
I've been reading through a couple of forum threads where people are experiencing this issue or similar and I was wondering if it was due to their spam filters...
I was also reading that some email clients do the same.
I have this fixed for me here using a htaccess "deny from X.X.X.X" disallowing the spam filter from reading the outgoing mails, but I also think we could improve this by adding an on-page button validating the users' accounts instead of the link providing the validation in itself...
Maybe pass a var through to the on-page form via $_GET which populates a hidden input..
Chris

#3 @r-a-y
7 years ago

  • Component changed from Core to Members
  • Description modified (diff)
  • Keywords dev-feedback added
  • Milestone set to Awaiting Review
  • Status changed from closed to reopened
  • Summary changed from When certain spam filters are installed account gets activated due to spam filters following external link in the email.. to Do not activate user accounts automatically with one click
  • Type changed from defect (bug) to enhancement

> Maybe pass a var through to the onpage form via $_GET which populates a hidden input..

That's an interesting idea. I kinda like it!

Instead of the hidden input, I would just populate the existing text field that shows up at example.com/activate/.

Putting this back in the "Awaiting Review" milestone.
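
The flow discussed in this ticket, sketched in plain PHP as an added example (not BuddyPress code and not part of the ticket): a GET to /activate only pre-fills the key field, and the account is activated only when the form is submitted via POST. The function names and the in-memory signup store are hypothetical; the key is the sample value from the ticket description.

```php
<?php
// Added example, not BuddyPress code. activate_signup() is a hypothetical
// stand-in for the real activation routine; the signup store is constructed.
$signups = ['7678978978978789' => false]; // activation key => activated?

function activate_signup(array &$signups, string $key): bool
{
    if (!array_key_exists($key, $signups) || $signups[$key]) {
        return false; // unknown or already-used key
    }
    $signups[$key] = true;
    return true;
}

// Accept the key only when it arrives as a plain string (not an array).
function read_key(array $params): string
{
    $raw = $params['key'] ?? '';
    return is_string($raw) ? trim($raw) : '';
}

/**
 * GET never changes state: it only pre-fills the text field of the form.
 * Activation happens solely on POST, i.e. after someone submits the form.
 */
function handle_activate(string $method, array $query, array $body, array &$signups): string
{
    if ($method === 'POST') {
        return activate_signup($signups, read_key($body))
            ? 'Account activated.'
            : 'Invalid activation key.';
    }
    // Link-following spam filters and mail-client prefetchers end up here.
    $key = htmlspecialchars(read_key($query), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/activate">'
         . '<input type="text" name="key" value="' . $key . '">'
         . '<button type="submit">Activate</button></form>';
}

// A spam filter follows the emailed link: the form is rendered, nothing is activated.
handle_activate('GET', ['key' => '7678978978978789'], [], $signups);
var_dump($signups['7678978978978789']);

// The user opens the same link later and clicks the button: the key is still valid.
echo handle_activate('POST', [], ['key' => '7678978978978789'], $signups), "\n";
var_dump($signups['7678978978978789']);
```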
