self registration is not safe with domain limitation #1111

New issue

Open

opened 2026-02-20 15:28:17 -05:00 by deekerman · 2 comments

deekerman commented 2026-02-20 15:28:17 -05:00

Owner

Copy link

Originally created by @sbonaime on GitHub (Feb 17, 2020).

Originally assigned to: @NGPixel on GitHub.

Describe the bug
2.1.13
self registration is not safe with domain limitation

To Reproduce

1. With a wiki address as wiki.bar.com, self registration and domain limitation to bar.com (for instance), register a new user on the login page random with foo@bar.com
2. A popup window appears with
   "Can't send email - all recipients were rejected: 550 5.1.1 foo@bar.com User unknown"
   Even if the registration email can't be send because the user does not exist, this message do not need to be so informative. It is a way to find valid login on a specific domain.

Expected behavior
The popup window after registration should be something link
"A registration email has been sent to the provided email if it is valid"

Originally created by @sbonaime on GitHub (Feb 17, 2020). Originally assigned to: @NGPixel on GitHub. **Describe the bug** 2.1.13 self registration is not safe with domain limitation **To Reproduce** 1. With a wiki address as wiki.bar.com, self registration and domain limitation to bar.com (for instance), register a new user on the login page random with foo@bar.com 2. A popup window appears with "Can't send email - all recipients were rejected: 550 5.1.1 foo@bar.com User unknown" Even if the registration email can't be send because the user does not exist, this message do not need to be so informative. It is a way to find valid login on a specific domain.  **Expected behavior** The popup window after registration should be something link "A registration email has been sent to the provided email if it is valid"

deekerman added the

enhancement

contrib-easy

labels 2026-02-20 15:28:17 -05:00

deekerman commented 2026-02-20 15:28:19 -05:00

Author

Owner

Copy link

@sbonaime commented on GitHub (Feb 20, 2020):

Another linked bug :
In the "User unknown" case, the user is still created. It should not ! Also this user cannot be removed due to a "Cannot delete user because of content relational constraints." popup ! Even if this user is invalid, not activated, never login and never created anything...

@sbonaime commented on GitHub (Feb 20, 2020): Another linked bug : In the "User unknown" case, the user is still created. It should not ! Also this user cannot be removed due to a "Cannot delete user because of content relational constraints." popup ! Even if this user is invalid, not activated, never login and never created anything...

deekerman commented 2026-02-20 15:28:19 -05:00

Author

Owner

Copy link

@despens commented on GitHub (Mar 10, 2020):

It is indeed possible to create a user that would be a random email handle on the allowed domain. That user will idle as "unverified" and "inactive" in the wiki's user list and is impossible to delete, although no content was created by that user.

@despens commented on GitHub (Mar 10, 2020): It is indeed possible to create a user that would be a random email handle on the allowed domain. That user will idle as "unverified" and "inactive" in the wiki's user list and is impossible to delete, although no content was created by that user.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

scarlett

vega

feat-toc

v2.5.312

v2.5.311

v2.5.310

v2.5.309

v2.5.308

v2.5.307

v2.5.306

v2.5.305

v2.5.304

v2.5.303

v2.5.302

v2.5.301

v2.5.300

v2.5.299

v2.5.298

v2.5.297

v2.5.296

v2.5.295

v2.5.294

v2.5.293

v2.5.292

v2.5.291

v2.5.290

v2.5.289

v2.5.288

v2.5.287

v2.5.286

v2.5.285

v2.5.284

v2.5.283

v2.5.282

v2.5.281

v2.5.280

v2.5.279

v2.5.278

v2.5.277

v2.5.276

v2.5.275

2.5.274

2.5.272

2.5.268

2.5.264

2.5.260

2.5.255

2.5.254

2.5.219

2.5.214

2.5.201

2.5.197

2.5.191

2.5.170

2.5.159

2.5.144

2.5.136

2.5.132

2.5.126

2.5.121

2.5.117

2.5.105

2.4.107

2.4.105

2.4.75

2.3.81

2.3.77

2.3.72

2.3.71

2.2.51

2.2.50

2.1.113

2.0.12

2.0.1

2.0.0-rc.17

2.0.0-rc.1

2.0.0-beta.303

2.0.0-beta.275

2.0.0-beta.268

2.0.0-beta.267

2.0.0-beta.241

2.0.0-beta.230

2.0.0-beta.208

2.0.0-beta.203

2.0.0-beta.180

2.0.0-beta.174

2.0.0-beta.148

2.0.0-beta.147

2.0.0-beta.115

2.0.0-beta.91

2.0.0-beta.84

2.0.0-beta.68

2.0.0-beta.42

2.0.0-beta.11

v1.0.102

v1.0.78

v1.0.76

v1.0.68

v1.0.66

v1.0.12

v1.0.11

v1.0.10

v1.0.9

v1.0.8

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.1

v1.0.0-beta.13

v1.0.0-beta.12

v1.0.0-beta.11

v1.0.0-beta.10

v1.0.0-beta.9

v1.0.0-beta.8

v1.0.0-beta.7

v1.0.0-beta.6

v1.0-beta.5

v1.0-beta.4

v1.0-beta.3

v1.0-beta.2

v1.0-beta.1

v1.0-alpha.7

v1.0-alpha.6

v1.0-alpha.5

v1.0-alpha.4

v1.0-alpha.3

v1.0-alpha.2

v1.0-alpha.1

Labels

Clear labels   

BETA

  

BETA

  

accessibility

  

backlog

  

bug

  

can't replicate

  

contrib-easy

  

contrib-hard

  

contrib-medium

  

deferred

  

documentation

  

duplicate

  

duplicate

  

editors

  

enhancement

  

invalid

  

localization

  

migrate

  

ui

  

under review

  

v3

No labels

BETA

BETA

accessibility

backlog

bug

can't replicate

contrib-easy

contrib-hard

contrib-medium

deferred

documentation

duplicate

duplicate

editors

enhancement

invalid

localization

migrate

ui

under review

v3

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/wiki#1111

No description provided.