User is automatically logged in after registration without clicking activation

Started by JestaBlunt, November 09, 2015, 17:03:08 PM


JestaBlunt

Hi,

When a user registers at checkout, he is logged in automatically without even having to click the activation link. What can cause this behaviour?

VM: 3.0.10
Joomla: 3.4.5

JestaBlunt

Also, the activation link is then not usable... but the account is not activated.

GJC Web Design

There is absolutely no case to use activation! Unless you want to lose customers.

Think about it.. what is it?

If I'm a spammer I activate..  if my email address is wrong I never get the email.. so the point is?
GJC Web Design
VirtueMart and Joomla Developers - php developers https://www.gjcwebdesign.com
VM4 AusPost Shipping Plugin - e-go Shipping Plugin - VM4 Postcode Shipping Plugin - Radius Shipping Plugin - VM4 NZ Post Shipping Plugin - AusPost Estimator
Samport Payment Plugin - EcomMerchant Payment Plugin - ccBill payment Plugin
VM2 Product Lock Extension - VM2 Preconfig Adresses Extension - TaxCloud USA Taxes Plugin - Virtuemart  Product Review Component
https://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation

Milbo

In j2.5 there is a function "activate" in /components/com_users/controller/registration.php

just remove

    if ($user->get('id')) {
        $this->setRedirect('index.php');
        return true;
    }

and it should work
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

innato

Quote from: GJC Web Design on November 09, 2015, 17:54:58 PM
There is absolutely no case to use activation! Unless you want to lose customers.

Think about it.. what is it?

If I'm a spammer I activate..  if my email address is wrong I never get the email.. so the point is?

Using VM3.0.18 on J3.6.2 with PHP 5.6.26.
I agree that activation of a VM-originating account is not what you want (you'll indeed lose customers).
BUT fact is also that...
1. Customer is receiving an activation email and when he/she tries to activate the account, Joomla! throws an error: "Registration failed: Verification code not found."
2. As a consequence, the account will never be activated. Upon return to the webshop, this customer cannot log in, because the account has not been activated and he/she sees the Joomla! message "Login denied! Your account has either been blocked or you have not activated it yet."
3. Another consequence of not being able to activate the account, is that I am using an account management plug-in that deletes accounts that have not been activated within X days (an anti-spam measure). Therefore the account will get removed automatically and customer will not be able to use it upon return to my webshop. But he/she wasn't able to use it anyway (see 2).

This is poor integration by VM with Joomla! core.
Maybe registration through VM should automatically activate the account and of course not send an activation email?
Regards
Rob

VM3.2.6 (enhanced) on J3.8.8 and PHP 7.1 or 7.2

Milbo

That would just mean to ignore the config set in Joomla. The right method is just to use the proper option. It is an old topic, can't find it atm, but someone wrote a nice hack, removed just one line in Joomla and it works.

innato

Quote from: Milbo on September 29, 2016, 21:07:35 PM
...someone wrote a nice hack, removed just one line in joomla and it works.
Thanks Max. Needless to say that I don't want to hack the Joomla! core for reasons well known to all of us.
Do you think that it will be complicated to let VM properly register the user, i.e. "the Joomla! way", but then with skipping the activation?
Regards
Rob


GJC Web Design

Confused by this whole post

Why use activation?

If u don't then the user is fully and correctly registered and passed to the cart

Milbo

Quote from: innato on September 30, 2016, 10:42:16 AM
Thanks Max. Needless to say that I don't want to hack the Joomla! core for reasons well known to all of us.
No, it is just a bug and they refuse to fix it, that is the problem.

Quote from: innato on September 30, 2016, 10:42:16 AM
Do you think that it will be complicated to let VM properly register the user, i.e. "the Joomla! way", but then with skipping the activation?
The problem is that we USE the joomla way. All of this is solved when we do WP version and do our own user registration.

Here is the main thread about this topic https://forum.virtuemart.net/index.php?topic=99755.0

and here is the solution for joomla http://forum.virtuemart.de/allgemeine-fragen-157/registrierungslink-funktioniert-ueber-registrieren-kasse-begeben-2673/

The problem is that joomla uses this

SELECT `id` FROM `MEINDBPREFIX_users` WHERE `activation` = ' xxxx ' AND
`block` = 1 AND `lastvisitDate` = '0000-00-00 00:00:00'

and this `lastvisitDate` = '0000-00-00 00:00:00' destroys the activation. I did not understand yet, why they have it. From my point of view, it is just wrong, that's it. But as you can see, they do not change it since years.

innato

Quote from: GJC Web Design on September 30, 2016, 10:44:52 AM
Confused by this whole post
Why use activation?
If u don't then the user is fully and correctly registered and passed to the cart
I apologise GJC. Why would you register an account with VM? To view your orders/invoices at a later stage or to skip entering your data with a next order, I suppose. The point is that if you register in the VM checkout process, you can indeed complete the current order, but as soon as you log out, you can't log into your account again because Joomla! denies access (Account not activated and not enabled. Using the activation link does not work).
Regards
Rob


innato

Quote from: Milbo on September 30, 2016, 11:00:28 AM
The problem is that we USE the joomla way. All of this is solved when we do WP version and do our own user registration.
Here is the main thread about this topic https://forum.virtuemart.net/index.php?topic=99755.0
and here is the solution for joomla http://forum.virtuemart.de/allgemeine-fragen-157/registrierungslink-funktioniert-ueber-registrieren-kasse-begeben-2673/
Thanks again Max, this is useful info. I will study it. Should I find something helpful, I will report back.
One final stupid question... what is WP? WordPress?
Regards
Rob


GJC Web Design

Quote
I apologise GJC. Why would you register an account with VM? To view your orders/invoices at a later stage or to skip entering your data with a next order, I suppose. The point is that if you register in the VM checkout process, you can indeed complete the current order, but as soon as you log out, you can't log into your account again because Joomla! denies access (Account not activated and not enabled. Using the activation link does not work).

The majority of the shops I build and run ask for registration..
And they all are successfully registered and can log in and out when they want

That's not the point... the point is why ask for activation? This would IMHO lose u 50% of the clients right there...

switch it off.. it achieves nothing

innato

Quote from: Milbo on September 30, 2016, 11:00:28 AM
The problem is that joomla uses this

SELECT `id` FROM `MEINDBPREFIX_users` WHERE `activation` = ' xxxx ' AND
`block` = 1 AND `lastvisitDate` = '0000-00-00 00:00:00'

and this `lastvisitDate` = '0000-00-00 00:00:00' destroys the activation. I did not understand yet, why they have it. From my point of view, it is just wrong, that's it. But as you can see, they do not change it since years.

Hi Max. The zero lastvisitDate makes perfect sense from a Joomla perspective. If a user has registered but not yet activated his account, he has not yet been able to visit the website as a registered user, hence the zero lastvisitDate.
VM on the other hand, logs you in immediately after registration (which I agree is the right thing to do) and then lets Joomla ask for activation (and this is illogical, unnecessary and undesirable). If you log out after having been logged in by VM, the Joomla lastvisitDate is set from zero to the actual date, which is standard Joomla procedure. And this is the reason why the emailed activation link is not working, because Joomla activation requires the lastvisitDate to be zero (security measure).

I disagree that it is a Joomla issue. The website is a 'Joomla house' and VM needs to play it by the Joomla rules, not vice versa. That - of course - is my opinion, and you are free to disagree with that.
Again, it is illogical and contradictory by VM to immediately log in a user and next let Joomla ask for activation.

GJC suggested to completely disable the activation in the Joomla config. This fixes the issue, but in my case leads to many bogus registrations through the Joomla interface by non-existing email addresses, even if a captcha is used. Also you are then fixing a VM problem by adapting Joomla.

I have solved it as follows, based on VM3.0.18:
File \administrator\components\com_virtuemart\models\user.php

Starting line 386 reads the following 3 lines
if ($useractivation == '1' or $useractivation == '2') {
   $doUserActivation=true;
}


I have commented out the second line so that the code now reads
if ($useractivation == '1' or $useractivation == '2') {
//   $doUserActivation=true;
}


The doUserActivation flag now always remains false and activation is skipped for registrations through VM. An email containing the log-in details is still sent to user.

I admit that it would be better practice to cut out all code that runs when the flag is true, but I leave that up to you to decide. For me this does the trick.
Finally, please don't send me to prison for changing the VM code... ;)
Regards
Rob

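The interaction described in the post above, reproduced as an added example (not code from Joomla, VirtueMart or any poster): an in-memory SQLite table stands in for the Joomla users table and the lookup is the query quoted in the thread. The table name `demo_users`, the function names, the token, the e-mail address and the "unblock and clear token" step are assumptions made for the illustration.

```python
import sqlite3

ZERO_DATE = "0000-00-00 00:00:00"
# The lookup quoted in the thread, against a constructed table name.
LOOKUP = ("SELECT id FROM demo_users "
          "WHERE activation = ? AND block = 1 AND lastvisitDate = ?")

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE demo_users (id INTEGER PRIMARY KEY, email TEXT, "
               "activation TEXT, block INTEGER, lastvisitDate TEXT)")
    return db

def register(db, email, token):
    """Registration with activation enabled: blocked, token set, never visited."""
    cur = db.execute("INSERT INTO demo_users (email, activation, block, "
                     "lastvisitDate) VALUES (?, ?, 1, ?)", (email, token, ZERO_DATE))
    return cur.lastrowid

def record_visit(db, user_id, when):
    """The lastvisitDate change that follows the checkout login, as described."""
    db.execute("UPDATE demo_users SET lastvisitDate = ? WHERE id = ?",
               (when, user_id))

def activate(db, token):
    """Return the activated id, or None (the 'Verification code not found' case)."""
    row = db.execute(LOOKUP, (token, ZERO_DATE)).fetchone()
    if row is None:
        return None
    # Assumed model of a successful activation: unblock and clear the token.
    db.execute("UPDATE demo_users SET block = 0, activation = '' WHERE id = ?", row)
    return row[0]

def stuck_accounts(db):
    """Ids that still hold a token but have a visit recorded: the lookup can
    never match them, so they stay blocked until an administrator steps in."""
    rows = db.execute("SELECT id FROM demo_users WHERE block = 1 "
                      "AND activation <> '' AND lastvisitDate <> ?", (ZERO_DATE,))
    return [r[0] for r in rows]

def scenario(auto_login):
    """Register, optionally record a visit first, then follow the e-mailed link."""
    db = new_db()
    uid = register(db, "customer@example.test", "constructed-token")
    if auto_login:
        record_visit(db, uid, "2016-10-01 12:00:00")
    return activate(db, "constructed-token") == uid, stuck_accounts(db) == [uid]
```

`scenario(False)` activates normally; `scenario(True)` fails the lookup and leaves the account in the state `stuck_accounts` reports, which is the set an unactivated-account cleanup job would later delete.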

Milbo

lol, the irony is so funny.

Quote from: innato on October 01, 2016, 12:02:37 PM
Quote from: Milbo on September 30, 2016, 11:00:28 AM
The problem is that joomla uses this

SELECT `id` FROM `MEINDBPREFIX_users` WHERE `activation` = ' xxxx ' AND
`block` = 1 AND `lastvisitDate` = '0000-00-00 00:00:00'

and this `lastvisitDate` = '0000-00-00 00:00:00' destroys the activation. I did not understand yet, why they have it. From my point of view, it is just wrong, that's it. But as you can see, they do not change it since years.

Hi Max. The zero lastvisitDate makes perfect sense from a Joomla perspective. If a user has registered but not yet activated his account, he has not yet been able to visit the website as a registered user, hence the zero lastvisitDate.
And why does this make sense? "`activation` = ' xxxx ' AND `block` = 1" is completely enough. Ask the other way. Why does it make sense to block the activation, if a user was already logged in? I don't see any sense there.

Quote from: innato on October 01, 2016, 12:02:37 PM
VM on the other hand, logs you in immediately after registration (which I agree is the right thing to do) and then lets Joomla ask for activation (and this is illogical, unnecessary and undesirable). If you log out after having been logged in by VM, the Joomla lastvisitDate is set from zero to the actual date, which is standard Joomla procedure. And this is the reason why the emailed activation link is not working, because Joomla activation requires the lastvisitDate to be zero (security measure).
Yes, we know that. It is not illogical to let joomla ask for registration.

Quote from: innato on October 01, 2016, 12:02:37 PM
I disagree that it is a Joomla issue. The website is a 'Joomla house' and VM needs to play it by the Joomla rules, not vice versa. That - of course - is my opinion, and you are free to disagree with that.
Yeah, and you ignore the rules by writing a hack, which ignores the Joomla setting.

Quote from: innato on October 01, 2016, 12:02:37 PM
Again, it is illogical and contradictory by VM to immediately log in a user and next let Joomla ask for activation.
The other way is to block the checkout or let the user check out as guest; both make it even worse. Another idea is to store the userid and the user checks out as guest, but the userid is known and stored with the order. But this can again create problems with discount rules or other things, which check if you are logged in or not.

It is similar to the handbrake in the car. There exists the idea to automatically release the brake, when you use the gas pedal. But in my country, most cars do not automatically release the handbrake. It is considered as wrong handling.

Studio 42

I think that both are wrong.
If VirtueMart adds a Joomla user account and this needs a confirmation mail, it should not log the user in to Joomla.
The checkout and account creation are 2 things, and if someone wants to block guests, then auto-creating an account simply permits a guest to place an order without validating the email address.
So the right solution is to create the user entry in the DB, send the confirmation mail and nothing more in this case.
If you want to follow the full right rules, if a confirmation mail is needed along with user creation, then no user should have the possibility to do a cart before account mail confirmation.