When does a user go into the unvalidated users list? - elgg

I am developing a website using Elgg. I want to know when a user goes into the list of unvalidated users, which is the page of the 'Uservalidationbyemail' plugin.
Thanks.

The user will go into the "unvalidated" user list when he/she signs up for your site and doesn't verify his/her email address.
Thanks

Related

Is it possible to create a filter before authentication process in WordPress?

I was trying to figure out if it is possible to filter the entered username/email address before the user gets authenticated and logged in.
This way users won't be able to log in using previously defined usernames/emails using a specific frontend login form.
As we have changed the default login page URL hackers won't be able to find the default login form easily and get access to administrative accounts.
Is it possible, any ideas?

Is it bad security to pre-fill all the signup fields for my users?

I have a list of people with all their personal information (name, first name, date of birth, email, etc.). I created an account for each of these people in my database. I'm using Firebase.
Since I already have all my user's info, I don't want them to type it again when signing up to my website.
So I created a system using a custom token for authentication. I send it as a parameter of a URL to every one of my users.
When the user clicks on the link for the first time: he gets redirected to the signup page with all the fields pre-filled (name, date of birth, email, etc) except for the password. He types the password he wants and gets signed up.
When the user clicks on the link every other time: he gets redirected to the login page. A simple email + password interface with the email field already pre-filled. He types his password and gets logged in.
This is working great BUT I'm wondering: is this bad practice to do so?
Is this insecure to let anyone who gets the email create an account in the name of my user? Should I assume that someone, other than my user, may have total access to my user email account? Should I be prepared for this eventuality?
> Since I already have all my user's info, I don't want them to type it again when signing up to my website.

If you already have the user's information, and you are allowed to process it, then it's a good practice to not make the user do something that's already done.

> is this bad practice to do so?

Not at all. That seems to me like a practice that is present almost everywhere. If you want to edit the profile data, you always have the existing data already pre-filled. The user just has to verify it or change it if needed.

> Is this insecure to let anyone who gets the email create an account in the name of my user?

That does not sound like the best option if someone else can use that URL and create an account on behalf of the user. Most likely you should consider letting the user create the account only if they can validate the data through an SMS, or any other service that is specific to that user in particular.

> Should I assume that someone, other than my user, may have total access to my user email account? Should I be prepared for this eventuality?

Yes indeed. You should always prepare for that. Never trust the users. There's not a perfect world out there.
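The flow from the question with the answer's suggestion applied, as an added example that is not code from the original posts: the emailed link is single-use and expiring, and signup also requires a code delivered over a second channel. The in-memory `Map`, the function names and the SMS-delivered OTP are assumptions made for illustration; Firebase calls are left out.

```javascript
const crypto = require('node:crypto');

// Hypothetical in-memory store standing in for a database: sha256(token) -> invite.
const invites = new Map();
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Issue a link token for a pre-created user. Only the token's hash is stored,
// so a leak of the store does not yield working links.
function issueInvite(email, otp, ttlMs, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('base64url');
  invites.set(sha256(token), {
    email, otpHash: sha256(otp), expires: now + ttlMs, used: false, tries: 0,
  });
  return token; // goes into the emailed URL; the OTP is sent separately (e.g. SMS)
}

// Decide what the link opens: signup on first use, the plain login page afterwards.
// Only the email is pre-filled here; other profile fields stay server-side
// until the second factor has been checked.
function resolveLink(token, now = Date.now()) {
  const inv = invites.get(sha256(token));
  if (!inv) return { page: 'invalid' };
  if (inv.used) return { page: 'login', email: inv.email };
  if (now > inv.expires) return { page: 'expired' };
  return { page: 'signup', email: inv.email };
}

// Completing signup needs the link AND the code from the second channel.
function completeSignup(token, otp, now = Date.now()) {
  const inv = invites.get(sha256(token));
  if (!inv || inv.used || now > inv.expires) return { ok: false, reason: 'link' };
  if (inv.tries >= 5) return { ok: false, reason: 'locked' }; // cap OTP guessing
  const given = Buffer.from(sha256(otp), 'hex');
  const expected = Buffer.from(inv.otpHash, 'hex');
  if (!crypto.timingSafeEqual(given, expected)) {
    inv.tries += 1;
    return { ok: false, reason: 'otp' };
  }
  inv.used = true; // single use: replaying the link now only reaches the login page
  return { ok: true, email: inv.email };
}
```
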

Password-protected page in AppMaker

I'm trying to password protect a page that contains confidential information.
Upon clicking a link, user will be shown a pop-up dialog to enter password.
If successful, redirect user to page. Otherwise, display "Wrong password".
The thing is, this can be easily overcome if user just copies the URL and add "/exec#ConfidentialPage" to the end of the URL.
Any suggestions?
If at all possible I would highly discourage implementing your own authentication system and instead rely on Google login to secure your data. See https://developers.google.com/appmaker/security/secure-your-app. My short recommendation is to:
1. Create a Google group which contains the users you want to access the data.
2. Create a role in App Maker which contains that group.
3. Restrict access to both your data and your view to members of that role.
This is much more secure than a password based approach as #1 It's implemented by Google (implementing your own auth correctly is hard) and #2 You have a list of everyone who has access to your data in the form of the Google group.

WordPress website restriction or blocking: only registered users can view the website

I am creating a website on top of WordPress.
The reason to use WordPress is that we want to restrict or block the entire site.
Only registered people should be able to access the site, and only after verification.
Can anybody help me choose the right plugins to achieve this?
Note: the site will be similar to a membership website, but the users who are going to use it are not paying. We just want to allow only people whom we approve.
Example: these are the steps we are looking for:
1. The default page should be the registration page.
2. Once registered, email verification has to be done by clicking the link sent to the email address given during registration.
3. After verification, an email with the login page link along with the username and password goes to the user's registered email address.
4. The user logs in using the username and password.
5. The user is able to view the entire site.
I am a newbie in WordPress.
Thanks
Ashok
Check this plugin: https://fr.wordpress.org/plugins/wp-user-frontend/
It's the best for making membership / private pages / registration pages, etc., and it is the most documented plugin for this.
Have fun and welcome to WordPress :)

Auto Login After Registration Wordpress

I would like the user, after clicking on the registration link sent via email (after completing the registration form), to be logged in automatically without having to enter their username and password.
How can I do this?
Thanks in advance
That is a security issue. You should verify the appropriate person received the email by asking for credentials. At most, you could probably store the email in local storage/a cookie and retrieve it on the login page. But please don't auto login.
