Questions about discrepancies with the different log in methods.

[rM//AndY]

Hello IPS,

Two simple questions:

- When logging in with Twitter Connect, you are asked to manually enter an email address. If User Validation is set in the ACP, shouldn't the email address entered during this type of registration be validated by the board? Facebook Connect seems to provide IPB with the user's email address (which was already validated by Facebook). I believe I saw an option to change that address, does Facebook allow a user to enter one manually and skip the validation process this way as well?

- Twitter Connect allows you to attach your Twitter log in to an existing account, during the Twitter Connect log in/registration process. Any reason why Facebook Connect doesn't give you that option?


Thanks!

[bfarber]

Hello IPS,

Two simple questions:

- When logging in with Twitter Connect, you are asked to manually enter an email address. If User Validation is set in the ACP, shouldn't the email address entered during this type of registration be validated by the board? Facebook Connect seems to provide IPB with the user's email address (which was already validated by Facebook). I believe I saw an option to change that address, does Facebook allow a user to enter one manually and skip the validation process this way as well?

- Twitter Connect allows you to attach your Twitter log in to an existing account, during the Twitter Connect log in/registration process. Any reason why Facebook Connect doesn't give you that option?

Thanks!

Facebook does allow that. :unsure:

[rM//AndY]

Facebook does allow that. :unsure:

Allow what? :/

[Mat Barrie]

Linking to a logged in user. Just go to User CP > Profile > Manage Facebook Connect.

[rM//AndY]

Linking to a logged in user. Just go to User CP > Profile > Manage Facebook Connect.

Sure, but I was talking about giving the option during the initial log in/registration (as Twitter Connect does), to prevent users from inadvertently creating duplicate accounts.

Either way, my main concern is still the lack of email validation when using these log in methods. Any thoughts on that?

[Collin1000]

You have to validate your email to use twitter and facebook, don't you?

[Mat Barrie]

I don't know if you're allowed to require email validation with those login methods. The agreements for using twitter/facebook are pretty long winded, and quite strict on what you can and can't do to their members. For example: did you know that you aren't allowed to have the facebook sign in link any smaller than your largest other sign in link?

[bfarber]

I meant that if you visit an IPB with Facebook Connect option available, and go to the login form or registration page, and put in your Facebook details, you should be able to then associate with an existing account, just like you can with Twitter. At least, it used to be this way.

[rM//AndY]

You have to validate your email to use twitter and facebook, don't you?

Sure, but IPB doesn't take the email address from Facebook or Twitter, it asks you to enter one. At that point, you can enter whatever you want and it isn't validated against anything.

I don't know if you're allowed to require email validation with those login methods. The agreements for using twitter/facebook are pretty long winded, and quite strict on what you can and can't do to their members. For example: did you know that you aren't allowed to have the facebook sign in link any smaller than your largest other sign in link?

I don't see why not. If Facebook/Twitter connect provided the email address that the user already validated on those sites, then sure, I'd agree with that. However, the user is asked to enter an email address to access the board, I think this falls under IPB's jurisdiction.

I meant that if you visit an IPB with Facebook Connect option available, and go to the login form or registration page, and put in your Facebook details, you should be able to then associate with an existing account, just like you can with Twitter. At least, it used to be this way.

That's the thing, unless I'm remembering wrong, it didn't give me that option when I tested it a couple days ago.

[CheetahShrk]

How to spam IPB 3.1 boards like a pro:
1. Get a twitter account
2. Log into forum with twitter acount
3. Provide fake email addy
4. Spam board
5. Disconnect twitter acount from forums before bannage
6. Rinse and repeat with same account, no captcha at all :)

[Collin1000]

How to spam IPB 3.1 boards like a pro:

1. Get a twitter account

2. Log into forum with twitter acount

3. Provide fake email addy

4. Spam board

5. Disconnect twitter acount from forums before bannage

6. Rinse and repeat with same account, no captcha at all :)

You do need a captcha to join twitter. And a validated email account.
However, if you really wanted to spam "like a pro" you would
a) hire people on Mechanical Trunk to fill out signups and captchas for pennies an hour
b) write a bot to do it for you.

You also fail to take into account the IPS spam service, which would catch this somewhat quickly.

[CheetahShrk]

You do need a captcha to join twitter. And a validated email account.

However, if you really wanted to spam "like a pro" you would

a) hire people on Mechanical Trunk to fill out signups and captchas for pennies an hour

b) write a bot to do it for you.

But thats the thing, you just need one valid twitter account, after that you can enter in fake email addys into IPB because twitter doesn't give it the email addy otherwise. Plus IPB doesn't verify validate the email addy and theres no captcha on the twitter page. You can also disconnect twitter from the account afterward.

[Collin1000]

But thats the thing, you just need one valid twitter account, after that you can enter in fake email addys into IPB because twitter doesn't give it the email addy otherwise. Plus IPB doesn't verify validate the email addy and theres no captcha on the twitter page. You can also disconnect twitter from the account afterward.

And if you just use 1 valid twitter account, the IPS Spam Service would catch on.

[Collin1000]

Aight. Here's the fix.
Change the default user group.
Tada.
http://screencast.com/t/MmI1NjY5YTct

[CheetahShrk]

Aight. Here's the fix.

Change the default user group.

Tada.

http://screencast.com/t/MmI1NjY5YTct

Have fun not being able to mass approve the validating members :) Because the validating group is not the same as the validating page which requires the members to be inserted into a special table for that :P

And if you just use 1 valid twitter account, the IPS Spam Service would catch on.

I don't think it even checks twitter accounts at least I haven't seen it in the code

[Collin1000]

Have fun not being able to mass approve the validating members :)

...Email validation.

And if you just use 1 valid twitter account, the IPS Spam Service would catch on. <-- I don't think it even checks twitter accounts at least I haven't seen it in the code

I assume it does, im sure an IPS staff member can take a look and update us on that.

[CheetahShrk]

...Email validation.

Like I said, the validating group does not automatically run the validation options on the new members.

[Collin1000]

Like I said, the validating group does not automatically run the validation options on the new members.

Clicking resend should do the trick...

[CheetahShrk]

Clicking resend should do the trick...

Won't work, the resend validation email page will error out if it can't find the magical validation table entry.

[Morrigan]

If you're having such a problem with with Twitter registrations then why don't you turn it off?

I think a better suggestion in this whole thing is a way to disable Twitter Registrations or specific types of registrations at the administrators discretion via the "Disable new registrations?" setting. It should be a multi-select that allows you to choose if you would like only FB and IP.Board registrations but still allow for Twitter connect but not registrations. <_<

Maybe that would work for those that are getting so many?

[CheetahShrk]

If you're having such a problem with with Twitter registrations then why don't you turn it off?

Why disable a good feature? Just pointing it out as feedback it needs improvement :P

Anyway I just modded it to insert a validation entry.

[Collin1000]

Anyway I just modded it to insert a validation entry.

Care to share with others?

[Wolfie]

Sure, but IPB doesn't take the email address from Facebook or Twitter, it asks you to enter one. At that point, you can enter whatever you want and it isn't validated against anything.

Wrong about the FaceBook one. It does pull the email address from it and if it's prompting for an email address, then that means the person already has an account on there using that same email. Otherwise, it won't ask for it at all.

With Twitter though, yeah, it prompts for the email address even if it's not already in use. Just pop them into a member group where they can't access profiles (so they can't disassociate the accounts via your board) and you should be good to go.

[Collin1000]

Should fix this issue.

[blacknight]

No, there isn't a way to validate the email provided by the facebook user in the [url=" to our forum" page.
The user can easly set an invalid email!
Is possible to set automatically the facebook-mail and skip the "welcome page"?