Community Support Forums

[rcherry]

Is this a known security bug with S2Member?

Open registration is set to "No (do NOT allow Open Registration)". However if I request a password reset from the wp-login.php page and then click on the link in the email sent by WordPress the link sends me to a page where the "Register" link shows on the page. From here I can register a new account:

http://~/wp-login.php?action=rp&key=JG1 ... zh3&login=

I don't want open registration, all users will be manually input by the sysadmin. Is there a way to fix the issue described above?

[DJEcon]

Yes, I think I'm having the same or similar problem, that came to my attention from some of my members. They were choosing "Lost Password" on the Login page, and were repeatedly redirected back there, even after selecting "get new password". They never received an email with a new password.
I've had members use this function before, and never had any complaints.
Any ideas?

[rcherry]

Not quite the same issue. When I click on "Lost Password?" then enter my email address I do get an email message with a link to click that takes me to the Login page. The issue is that on this page there is a link to register, even though in s2member admin I chose not to allow open registration. From the register link I can register an account on the site and I don't want to allow registration. All users are to entered by the sysadmin.

[DJEcon]

Aha . . . it IS different. Seems as though we need help from the PROS. Sorry I don't have a solution for you. I don't have open registration either, but I do have 2 membership levels managed by S2Member and PayPal; those who pay us by check are entered in manually by me. Good luck!

[rcherry]

Sorry I don't have an answer for your issue either. I use this for club membership where members are at level 0. No paypal involved.

[Cristián Lávaque]

rcherry, sorry I took so long to notice your thread, it was in the general WordPress forum instead of the s2Member specific one (the one I monitor). I moved it here now.

I did a little test and, with free registrations off, I am shown the registration link in the login page if I'm logged in as an admin, if I log out, then the link goes away...

This is just weird WordPress behavior, why even show the login page or registration one to a logged in user, not to mention admin, is beyond me.

Does your problem go away if you're not logged in?

[Cristián Lávaque]

DJEcon, could you start a new thread in this forum about your problem, and give as many details as possible to reproduce your problem? viewforum.php?f=4

Thanks.

[rcherry]

Hey, sorry. Yes the problem does go away when I log out from admin. So sorry to have bothered you with this.

I have another question about redirecting login to the login welcome page for the author role. I will start another thread.

[Cristián Lávaque]

I'm glad that solved it for you.