• Resolved jamesrblack

    (@jamesrblack)


    Hi there, I run a website for a club. Users are only registered onto the site once they have been approved by the committee. We do not allow anyone to register. The admins manually register members. There is sensitive information that only authenticated members are allowed to access. We want to allow social login, however, only want to allow the login to occur if the email that we have registered the WordPress account with matches the Google account they are attempting to authenticate with.

    How to stop anyone with a Google account successfully logging in?

    Note, we currently use “Content Control – Code Atlantic” to restrict access to the entire site to logged in users.

  • Plugin Support Robert

    (@robertnextendweb)

    Hi @jamesrblack!

    By default Nextend Social Login inherits the WordPress – Membership settings ( WordPress admin menu side bar > Settings > General > Membership – Anyone can register )
    This means if you have that setting disabled, the registration won’t be enabled with Nextend Social Login either. So in this case, since users are added manually, I would recommend disabling this default WordPress membership option, and that way, only those users will be able to connect with the social login who:

    • either have manually linked a social media account to their WordPress account (this can be done by default on the edit profile page with the Link/Unlink buttons, which can be shown anywhere with our shortcode as well – [nextend_social_login link="1" unlink="1"])
    • or if the email address of the social media account matches with a WordPress account’s set email address, then we will log the user into this WordPress account – so if you disabled the registration, and someone uses Google to sign in, and that Google email address matches with a WordPress account’s email address, we will log the user in.

    As a note: We also have our own membership option, which you can access at the Global Settings General tab:
    https://nextendweb.com/nextend-social-login-docs/global-settings/
    And you can set the “Membership” to “Disabled”. This will always disable registration with Nextend Social Login, even if it is enabled in WordPress.

    Thread Starter jamesrblack

    (@jamesrblack)

    Hi Robert! Thank you so much for your prompt response.

    The WordPress and Nextend allow registration settings are disabled.

    I’ve realised I didn’t fully describe the issue.

    The random, non-registered Google account used is not actually logged into the site; as you have described, there is no matching email so no matching profile to log into.

    However, we are using “Content Control – Code Atlantic” to restrict access to the entire site to logged in users. This plugin only allows the front page and anything else to be accessed, if a user is logged in. Somehow, its security is being bypassed by an attempt to “Continue with Google” using a non-registered Google account, and while not registering and logging that user in, the non-registered user is then presented with the front page etc.

    I’m wondering if it isn’t something to do with the “Bypass cache on redirect” option adding a GET. I’ll try to turn that off and see what happens.

    Thanks again.

    Plugin Support Laszlo

    (@laszloszalvak)

    Hi @jamesrblack

    Please note that we don’t have any control over the way the content restriction plugin works. So if the content is visible even if the user is not logged in, then I would suggest you get in touch with the developers of “Content Control” and they will be able to tell you why that happens exactly.

    Anyways I checked this plugin on my local test site, with:

    • the WordPress default registration and the registration with Nextend Social Login both disabled
    • and with a rule in “Content Control” that applies a role-based restriction to the entire site. So the site is only visible for the logged in users with the “Subscriber” role, non subscribers will be redirected to the login page.

    When I tried to log in with Nextend Social Login, I was redirected back to the login page as I wasn’t logged in because the registration was disabled, so it worked fine for me.

    As for the “Bypass cache on redirect” setting:
    The “Bypass cache on redirect” only appends a GET parameter to the URL if the login with social login was successful. So if you see the associated parameter in the URL, that means that you are actually logged in, and that’s why you see the content. For this, the email address matching is not always necessary. E.g. if earlier you have already linked the social media account to an existing WordPress account, then we will log you in to the linked WordPress account, even if the email address of the WordPress account is completely different.

    Thread Starter jamesrblack

    (@jamesrblack)

    Hi Robert, many thanks for your excellent support. Your additional testing made me go through the site with a fine-toothed comb and I realised I was being an idiot as there was a test account registered with the email I had been using to do negative testing. Apologies for wasting your time, I did learn a lot through the process and have to say this is definitely the best plugin for social login that I’ve tried.

    Will look to purchase if we enable WooCommerce.

    Thanks again.
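
The root cause found above was a test identity that already had a WordPress account. As an added example (not part of the thread and not code from either plugin), this WP-CLI pre-flight check confirms that an email is a valid negative test case before it is used with "Continue with Google"; it assumes WP-CLI is installed and run from the WordPress root, and the function name and sample address are made up for illustration.

```bash
#!/bin/sh
# Added example: pre-flight check before a negative social-login test.
# Assumption: WP-CLI ("wp") is installed and this runs from the WordPress root.
# negative_test_ready is a hypothetical helper name, not part of any plugin.

# Returns 0 only when the given email is safe to use as a "must be rejected" identity.
negative_test_ready() {
    email="$1"
    status=0

    # Settings > General > Membership ("Anyone can register") is stored
    # in the users_can_register option; "0" means registration is off.
    reg="$(wp option get users_can_register 2>/dev/null)"
    if [ "$reg" != "0" ]; then
        echo "FAIL: WordPress registration is not disabled (users_can_register=$reg)"
        status=1
    fi

    # "wp user get" accepts an ID, login or email and exits non-zero
    # when no user matches. A match means a social login with this
    # email would be logged in to that existing account.
    if uid="$(wp user get "$email" --field=ID 2>/dev/null)"; then
        echo "FAIL: $email already belongs to WordPress user ID $uid"
        status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: $email has no WordPress account and registration is off"
    fi
    return "$status"
}

# Run as: sh preflight.sh stranger@example.test   (constructed sample address)
if [ "$#" -gt 0 ]; then
    negative_test_ready "$1"
fi
```

This covers the email-match path only. Accounts linked through the Link/Unlink buttons log in regardless of email, as Laszlo notes, so those links still need to be reviewed on the user profiles.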

    Plugin Support Laszlo

    (@laszloszalvak)

    Hi @jamesrblack

    Thank you for providing this update, I am glad you managed to find the source of the problem!

    If you have no further questions or problems related to this topic, then I will mark it as resolved.

    Best regards,
    Laszlo.
