unverified user is able to access secure pages?
I've set up a slightly modified double opt-in user registration system. Instead of the person verifying themselves via email, I've set it up so that an email goes to the administrator who then decides whether or not to allow access. This changes the "userVerified" column from a 0 to 1 and the user then gets access. All works fine, apart from one thing which I discovered by accident - immediately after registering (at which point the user gets a screen telling them they will be emailed when their account is approved), if they then try to access any of the secure pages directly, they can view them. This is while their userVerified state is still set to 0. If they logout and then try to login again however, they can't get access (until of course their status is set to 1 by the administrator). Any idea why this would be?