PriMoThemes — now s2Member® (official notice)

This is now a very OLD forum system. It's in READ-ONLY mode.
All community interaction now occurs at WP Sharks™. See: new forums @ WP Sharks™

Open Registration - set to NO, but still possible.


Post by zielakxar » January 19th, 2012, 10:07 pm

Hello - I have an issue with the s2Member Open Registration option. After I upgraded to s2Member Pro, turning that option OFF doesn't seem to change anything. It is probably not a plugin issue since I have like 2 plugins now - s2Member and JW Player. Any ideas what might be causing this?
I have open registration disabled both in s2Member and in the general WordPress settings.

Edit:
OK - solved it. It seems that if the browser remembers some settings, open registration will still be possible.
Seems like a security flaw?
Anyway, cleaning the browser cache did the trick. I'm leaving this post for future people. Although the problem is fixed, it seems pretty disturbing that with the right cookies people can bypass closed registration - and it wasn't only a visual issue - I've checked and I was able to actually register - looks like something worth the devs looking into.
Tested on Firefox 9.0.1.
zielakxar
Registered User
Posts: 18
Joined: January 19, 2012

Re: Open Registration - set to NO, but still possible.

Post by Jason Caldwell » January 19th, 2012, 10:31 pm

Thanks for reporting this important issue.
~ I'm not aware of any issue related to security in this regard. A browser cache, and/or a page generation cache could prohibit you from seeing an updated version of a page, but it should not allow you to actually register if Open Registration is turned off, as this requires interaction with server side scripting, which would detect such things.

This is something that's hard coded into WordPress which prevents this.
/wp-login.php
case 'register' :
    if ( is_multisite() ) {
        // Multisite uses wp-signup.php
        wp_redirect( apply_filters( 'wp_signup_location', site_url('wp-signup.php') ) );
        exit;
    }

    if ( !get_option('users_can_register') ) {
        wp_redirect( site_url('wp-login.php?registration=disabled') );
        exit();
    } 
~ Jason Caldwell / Lead Developer
& Zeitgeist Movie Advocate: http://www.zeitgeistmovie.com/

Is the s2Member plugin working for you? Please rate s2Member at WordPress.org.
You'll need a WordPress.org account ( comes in handy ). Then rate s2Member here.
Jason Caldwell
Lead Developer
Posts: 4045
Joined: May 3, 2010
Location: Georgia / USA

Re: Open Registration - set to NO, but still possible.

Post by zielakxar » January 20th, 2012, 8:43 am

OK, I've just tested it out - the reason for the confusion is that you can register a new account with closed registration when you're logged in as a WordPress administrator. Cleaning the browser cache logged me out, so I thought it was an issue.
Maybe it would be less confusing if the form somehow informed about closed registration - even an admin.
Something like "Registration is closed - you see this because you are logged in as admin". Or, to avoid this, even disallow the admin from registering (hey, he can switch the option or create users manually).
zielakxar
Registered User
Posts: 18
Joined: January 19, 2012

Re: Open Registration - set to NO, but still possible.

Post by Jason Caldwell » January 20th, 2012, 10:39 am

Thanks for the feedback on this. I appreciate it. Please let us know if we can be of further assistance.
~ Jason Caldwell / Lead Developer
& Zeitgeist Movie Advocate: http://www.zeitgeistmovie.com/
Jason Caldwell
Lead Developer
Posts: 4045
Joined: May 3, 2010
Location: Georgia / USA
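
An added example, not part of the original thread and not s2Member or WordPress code: a check that requests the register action with no cookies (the clean, logged-out session that cleared up the confusion above) and reads the server-side redirect shown in the wp-login.php excerpt. The function names and the example.test URLs are assumptions; pass `probe` the base URL of your own site, ending in a slash.

```python
"""Added example: check the WordPress registration gate from a cookie-less client."""
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urljoin, urlsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes a 3xx surface as HTTPError instead of being followed,
    # so the Location header set by wp_redirect() can be inspected directly.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location):
    """Interpret the response to wp-login.php?action=register."""
    if status in (301, 302, 303, 307) and location:
        parts = urlsplit(location)
        if parse_qs(parts.query).get("registration") == ["disabled"]:
            return "closed"            # the users_can_register branch fired
        if parts.path.endswith("/wp-signup.php"):
            return "multisite-signup"  # the is_multisite() branch fired
        return "redirected-elsewhere"
    if status == 200:
        return "form-served"           # a page came back; registration may be reachable
    return "unknown"


def probe(base_url, timeout=10):
    """Request the register action with no cookies and without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)  # no cookie processor installed
    url = urljoin(base_url, "wp-login.php?action=register")
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Location"))


# Constructed sample responses (status, Location), not captured from a real site.
SAMPLES = [
    (302, "https://example.test/wp-login.php?registration=disabled"),
    (302, "https://example.test/wp-signup.php"),
    (200, None),
]

if __name__ == "__main__":
    for status, location in SAMPLES:
        print(status, location, "->", classify(status, location))
```

Because the opener carries no cookies, the result reflects what an anonymous visitor gets rather than what a logged-in administrator's browser shows.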
