Shield Login possible on active = 0 - Printable Version
+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: CodeIgniter 4 (https://forum.codeigniter.com/forumdisplay.php?fid=28)
+--- Forum: CodeIgniter 4 Support (https://forum.codeigniter.com/forumdisplay.php?fid=30)
+--- Thread: Shield Login possible on active = 0 (/showthread.php?tid=92511)
Shield Login possible on active = 0 - petewulf1 - 02-25-2025

Hey guys, as the title says, it's possible to log in with Shield although the active flag is set to 0 in the users table. I can activate/deactivate a user with the corresponding functions ($user->activate() / $user->deactivate()), the status in the database gets updated correctly, but the function $user->isActivated() always returns true. My version is 4.6.0.

There are several existing threads about this bug, but none of them addresses the problem.

Thanks!

RE: Shield Login possible on active = 0 - datamweb - 02-25-2025

Before anything else, the active/inactive status is not meant to prevent user login. This field is used to check whether the user has been verified (email/phone) or not. Therefore, you should not expect it to block user access. If you need to prevent a user from logging in, you should use the BAN feature instead.

Secondly, if $user->isActivated() always returns 0, it's likely because you haven't set the value https://github.com/codeigniter4/shield/blob/e782eb076e4c0e14cee7fcd51458e17c4cbd8acc/src/Config/Auth.php#L106 in the config file. The result of these functions depends on the setting Auth::$actions['register'] in the Auth config file. Make sure to check and update your configuration accordingly.

RE: Shield Login possible on active = 0 - petewulf1 - 02-25-2025

(02-25-2025, 10:28 AM) datamweb Wrote:

    Before anything else, the active/inactive status is not meant to prevent user login. This field is used to check whether the user has been verified (email/phone) or not. Therefore, you should not expect it to block user access. If you need to prevent a user from logging in, you should use the BAN feature instead.

Hey datamweb, thanks for the clarification. I have created the users internally via the create() method, that's why I haven't set the email register config.

I just don't understand the logical correlation between a registered email verification and the isActivated() function, which basically should only return the value of the database field. What would the workflow be if a user registers and an admin has to activate the account? Sounds impossible this way. Unfortunately the documentation lacks essential information.

Regards, Daniel

RE: Shield Login possible on active = 0 - datamweb - 02-25-2025

Hey!

Quote: I just don't understand the logical correlation between a registered email verification and the isActivated() function, which basically should only return the value of the database field.

It has been decided that if the user's verification is not active, there will be no need to check the database, as this decision has been made by the admin. However, we can consider this feedback as fair.

Quote: What would the workflow be if a user registers and an admin has to activate the account?

Basically, an admin should not validate or reject a user's email or phone number (i.e., verify them), as security-wise, the user should be the one confirming this. However, if for any reason you want to go through this process, you should write a custom action.

As for the documentation, we've already covered this topic, but if you think it needs further improvement, feel free to submit a PR.

https://shield.codeigniter.com/references/authorization/?h=acti#user-activation

RE: Shield Login possible on active = 0 - petewulf1 - 02-25-2025

Thank you for your fast reply and help!

RE: Shield Login possible on active = 0 - grimpirate - 02-27-2025

You can see an example of how the user active functions are used here: TOTPActivator. This is a two-factor authentication mechanism that needs to show an initial QR code to a user upon registration. It activates the user only if they input the appropriate one-time password after registration.

If they neglected to, when they attempt to log in, their active status is checked and, if not active, prompts them to scan the QR code and enter the one-time password anew in order to finish activating their account.
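The thread makes two points worth seeing in code: $user->isActivated() does not simply return the stored active column (it returns true whenever no register action is configured), so an "admin approves the account" rule has to read the column itself, and the mechanism Shield actually offers for keeping a user out is the ban feature. The following is an added example written for this thread, not code from Shield or from any of the posters. It assumes a CodeIgniter 4 application with Shield installed, a filter alias (assumed name 'approved') registered in app/Config/Filters.php and applied to protected routes after Shield's 'session' filter, and a hypothetical admin controller; the two classes would normally live in separate files and are combined in one block only for this example.

```php
<?php

// Added example, not Shield's own code. Two pieces:
//  1. a filter that enforces "admin must approve the account" by reading the
//     users.active column directly, because User::isActivated() returns true
//     when Auth::$actions['register'] is null regardless of what is stored;
//  2. a hypothetical admin controller showing approval via $user->activate()
//     and rejection via $user->ban(), the feature Shield uses to refuse logins.

namespace App\Filters {

    use CodeIgniter\Filters\FilterInterface;
    use CodeIgniter\HTTP\RequestInterface;
    use CodeIgniter\HTTP\ResponseInterface;

    // Assumed to be registered as 'approved' in app/Config/Filters.php.
    class AdminApprovalFilter implements FilterInterface
    {
        public function before(RequestInterface $request, $arguments = null)
        {
            $user = auth()->user();

            if ($user === null) {
                return; // anonymous request: Shield's 'session' filter handles it
            }

            // Read the column, not isActivated(): with no register action
            // configured, isActivated() never consults the database.
            if ((int) $user->active !== 1) {
                auth()->logout();

                return redirect()->to('/login')
                    ->with('error', 'Your account is awaiting approval by an administrator.');
            }
        }

        public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
        {
            // nothing to do after the controller has run
        }
    }
}

namespace App\Controllers\Admin {

    use App\Controllers\BaseController;
    use CodeIgniter\Exceptions\PageNotFoundException;

    // Hypothetical admin controller; route protection (admin-only) is assumed
    // to be handled by Shield's group/permission filters, not shown here.
    class Users extends BaseController
    {
        public function approve(int $id)
        {
            $user = auth()->getProvider()->findById($id);

            if ($user === null) {
                throw PageNotFoundException::forPageNotFound();
            }

            $user->activate(); // sets users.active = 1; the filter above now lets the user in

            return redirect()->back()->with('message', 'User approved.');
        }

        public function reject(int $id)
        {
            $user = auth()->getProvider()->findById($id);

            if ($user === null) {
                throw PageNotFoundException::forPageNotFound();
            }

            // Banning is what blocks the login itself; the active flag alone does not.
            $user->ban('Registration rejected by an administrator.');

            return redirect()->back()->with('message', 'User banned.');
        }
    }
}
```

The filter deliberately logs the user out rather than only redirecting, so an unapproved account cannot keep an authenticated session alive and reach any route that is not behind the filter. Rejection uses ban() because, as datamweb states above, that is the state Shield checks when refusing a login; deactivate() alone would leave the account able to authenticate.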