ecwpa wrote:naderman wrote:You probably trust Google to provide you with a working email address
I do not. Lots of bots managed to bypass user activation with Gmail addresses. Hard to believe but it happened to me.
naderman wrote:Sure, but the gmail address they have is still valid. And if they bypassed that, they can bypass email activation too. So no additional safety from bots through email activation in this case.
ecwpa wrote:If phpBB ended up doing it like this, this won't affect boards with manual activation by administrators, right?
naderman wrote:So far, are there any plans regarding the user interface for all of this yet? What will the user interface for logging in, signing up or connecting your account to multiple providers look like?
AmigoJack wrote:BUG: Changing Auth type breaks UCP change email or username (and as a result ticket PHPBB3-10870) comes with an additional aspect: if the user changes his username or e-mail-address he needs to type in his password. If a (current) non-DB auth plugin is used there is no chance that a user can do this, as the entered password is compared with the one being hashed by phpBB and stored in the DB - and not the one which the auth plugin would refer to.
Reading this RFC makes me wonder if checking the passwords should move from phpBB's core to the auth plugin, or if it should stay where it is, where it gets augmented by checking if the auth plugin provides a function/method for comparing passwords (and if not, the core is used).
Users browsing this forum: wGEric and 17 guests