Issue 1602497
Created on 2006-11-24 22:26 by stefan, last changed 2006-12-13 23:24 by richard.
History

| Date | User | Action | Args |
|---|---|---|---|
| 2006-11-24 22:26:35 | stefan | create | |
| Messages | |||
|---|---|---|---|
| msg2354 | Author: [hidden] (stefan) | Date: 2006-11-24 22:26 | |
Roundup's self-registration logic seems to have a bug. In particular, the way the mechanism works is that:
1. The user submits their registration form, which fires RegisterAction.
2. RegisterAction creates a temporary entry in the database (using "one-time keys") that represents the user ID. A URL is sent to the user's email address.
3. When the user visits the URL, the user record is created *by the admin user*. This is true even though Roundup requires that the anonymous user have the "Create user" permission for self-registration.

Note that this means that an auditor for users cannot distinguish an administrative creation of a user from self-registration. This might well result in auditors being too generous, in that they might permit users to register with invalid settings of fields that would be permitted for administrators, but not for ordinary users. |
|||
| msg2355 | Author: [hidden] (richard) | Date: 2006-12-13 23:24 | |
This is not the behaviour I observe. When that link is accessed the user is the anonymous user. Are you sure you're not logged into the tracker as admin and then clicking on the link? |
|||
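The auditor concern raised in msg2354, as an added example that is not part of the tracker thread or Roundup's own code: a user-creation auditor that decides by the acting user, run against a constructed stub database. `FakeDB`, `FakeUserClass`, `acting_roles`, `audit_user_create` and the user records are assumptions made for illustration; only the `(db, cl, nodeid, newvalues)` auditor form and the `db.getuid()` / `db.user.get()` calls follow Roundup's detector interface.

```python
# Added example: stand-alone sketch, not Roundup code.
# FakeDB is a constructed stub exposing only the calls the auditor uses.

DEFAULT_ROLE = "user"  # assumption: the only role self-registration may set


class FakeUserClass:
    def __init__(self, users):
        self._users = users  # userid -> dict of properties

    def get(self, nodeid, prop):
        return self._users[nodeid][prop]


class FakeDB:
    """Constructed stub: getuid() returns the id of the acting user."""

    def __init__(self, acting_uid):
        self._uid = acting_uid
        self.user = FakeUserClass({
            "1": {"username": "admin", "roles": "Admin"},          # constructed
            "2": {"username": "anonymous", "roles": "Anonymous"},  # constructed
        })

    def getuid(self):
        return self._uid


def _split_roles(value):
    # Roles are stored as a comma-separated string.
    return {r.strip().lower() for r in (value or "").split(",") if r.strip()}


def acting_roles(db):
    """Roles of whoever the database session says is performing the create."""
    return _split_roles(db.user.get(db.getuid(), "roles"))


def audit_user_create(db, cl, nodeid, newvalues):
    """Reject non-default roles unless the acting user holds the Admin role.

    The decision rests entirely on db.getuid(): if the confirmation step runs
    as admin, a self-registration is indistinguishable from an admin create.
    """
    if "admin" in acting_roles(db):
        return  # treated as an administrative creation
    extra = _split_roles(newvalues.get("roles")) - {DEFAULT_ROLE}
    if extra:
        raise ValueError("self-registration may not set roles: %s"
                         % ", ".join(sorted(extra)))
```

The same submitted values pass or fail depending only on which user the confirmation request is executed as, which is the point on which the two messages above disagree.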