Just thought I would let you know...
I talked with a dev this morning. (didn't get his name) Nice guy and he was very good at his job. Anyway, the bug is in the User Registration Pack in both the rule for email verification and also in the helper file. He says they will have an update out in a while.
Here is the fix...
1) Change the "Email Confirmed" rule with SecurityAssist to the following: "Restrict If (Session 'UserEmailVerified') <> 1"
2) Remove the UserID check.
3) The helper file will be updated to the correct one by SecurityAssist so there is no reason to change it.
The way the logic works is that the rule will return on the FIRST true answer. So if you have multiple checks in the rule, the first one to evaluate to true wins.
Example: In this case the "Email Confirmed" rule shipped with the User Registration Pack has two checks...
Allow if (Session 'UserEmailVerified') = 1
Allow if (Session 'UserID') <> null
If the user has logged in but NOT verified via email yet then the first check fails, the logic moves to the second check, and the second check succeeds returning true.
That is broken.
The correct logic is...
Restrict If (Session 'UserEmailVerified') <> 1
Since the session will not be there at all if the user has not logged in, there is no reason for the UserID check.
And since the page will be restricted if the 'UserEmailVerified' value is not equal to 1, the check returns false and the user is restricted from the page.
NOTE: I have the change made on my system but users of this package should be aware of the issue so they can make changes in their product.
- Mikel
