[Plugin: Secure Invites] Can sign up as anyone once at registration page

  • Resolved darinroman

    (@drome22)


    14 years, 6 months ago

    This plugin is exactly what I was looking for and has lots of potential, but it needs some improvement. I am not too familiar with PHP (just learning) and I can appreciate all of the hard work that goes into coding plugins. Thank you.

    I am running WordPress 3.0.1 and BuddyPress 1.2.5.2
    After playing around with this plugin and testing the process I noticed a flaw in the security: After clicking the link in the email or typing it into a browser you do successfully reach the registration page, however, once at the registration page you can sign up as anyone with any email address. The Invitation list shows the original invitation as incomplete and shows the uninvited email and username as invited by the admin. This happened when using with the ‘BP Disable Activation Plugin’ so I decided to deactivate that plugin and try again. It still allows anyone to sign up only the new user is now completely undetected in the invitaion list. When logging in there is an alert that the account could not be activated but you are logged in anyway. Shouldn’t Secure Invite restrict signup to the email address in the invitation. Simply intercepting an email or adding ?emailaddress to the URL could allow anyone to register and this link remains open if the signup is not with the intended email address or until it expires or is deleted by the admin.

    https://www.ads-software.com/extend/plugins/wordpress-mu-secure-invites/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Chris Taylor

    (@mrwiblog)

    Hi,

    Yes, this has occurred to me before. However I don’t think it’s a massive problem as you’d need to know an email address which has been invited to append to the ?email= part of the URL (I know this isn’t ideal…)

    It would take quite a big change to the WordPress registration procedure to force the user to register with the same email address they are invited on, and at the moment it doesn’t seem worth it.

    In a nutshell: I see you point but the amount of work it would take to overcome this problem is too large.

    Chris

    Thread Starter darinroman

    (@drome22)

    Thank you for the reply Chris…it is certainly not a major problem and I appreciate the hard work you’ve done. I do understand that it would take a great deal of work to perform this function without hacking the WordPress core, which of course, we try to avoid. Perhaps I’ll get good enough with PHP to create my own plugins sometime soon. Thanks again for this plugin as it is exactly what I needed for a private community.

    Darin

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘[Plugin: Secure Invites] Can sign up as anyone once at registration page’ is closed to new replies.