
I can invite myself w/o an invitation

  • Great plugin, yet I am hesitant to use it because anyone can invite him/herself without having an invitation, if s/he figures out the ACCEPTURL syntax – which is fairly easy.

    Is there a way to make the ACCEPTURL syntax more complex, or change it periodically? Or, will that plugin at some point check against the invitations made? If somebody figures out the ACCEPTURL syntax, the plugin could check if that Email was actually invited, and not send an activation key if it was not.

    Thanks!

    Boone Gorges
    Keymaster

    @boonebgorges

    If you navigate manually to:
    http://example.com/register/accept-invitation/fake@email.com
    you will be allowed to register, as long as you have registration turned on in general. However, it will not be registered as counting as an invitation, since when the lookup happens, nothing will be matched.

    It does appear that there is a bug that will let you register in the above manner even if you’ve disabled open registration. (Not sure if that’s what you’re talking about – your description isn’t 100% clear to me.) I’ve opened a bug ticket so that I remember to fix it. https://github.com/boonebgorges/invite-anyone/issues/75

    There is another, related, issue: when installing and activating the plugin, the Admin / General / Settings are changed to “Allow Anyone can register”, even if these were previously set to “Do not allow anyone to register”

    I changed settings back to “Do not allow anyone to register”, and tested again if one can fake an invite. And yes, entering the ACCEPTURL allows anybody to register, even though s/he has not been invited.
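
The check asked for in the original question, as an added example (not Invite Anyone's code and not posted by anyone in this thread): when open registration is off, the accept link is honored only if it carries a valid HMAC token for the address and that address matches a stored invitation. The function names, the secret and the sample records are hypothetical, and plain PHP is used rather than any WordPress or plugin API.

```php
<?php
// Added example; not Invite Anyone's code. All names here are hypothetical.

// Assumption: a per-site secret kept server-side (constructed value).
const INVITE_SECRET = 'constructed-demo-secret';

function normalize_email(string $email): string
{
    return strtolower(trim($email));
}

// Token placed in the emailed accept link next to the address, so the link
// cannot be built from the URL pattern alone.
function invite_token(string $email): string
{
    return hash_hmac('sha256', normalize_email($email), INVITE_SECRET);
}

// Decide whether an accept-invitation request may proceed to registration.
function may_accept_invite(array $invitations, string $email, string $token, bool $openRegistration): bool
{
    if ($openRegistration) {
        return true; // registration is open to everyone; the invite is bookkeeping only
    }
    $email = normalize_email($email);
    if (!hash_equals(invite_token($email), $token)) {
        return false; // missing, guessed, or reused token
    }
    // The address must also match a stored, unrevoked invitation.
    return isset($invitations[$email]) && !$invitations[$email]['revoked'];
}

// Constructed sample records standing in for the stored invitations.
$invitations = [
    'alice@example.com' => ['revoked' => false],
    'bob@example.com'   => ['revoked' => true],
];

$cases = [
    'invited, own token'        => ['Alice@Example.com', invite_token('alice@example.com')],
    'not invited, no token'     => ['fake@email.com', ''],
    'not invited, reused token' => ['fake@email.com', invite_token('alice@example.com')],
    'revoked invitation'        => ['bob@example.com', invite_token('bob@example.com')],
];
foreach ($cases as $label => [$email, $token]) {
    $ok = may_accept_invite($invitations, $email, $token, false);
    printf("%-26s %s\n", $label, $ok ? 'allow' : 'deny');
}
```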
