Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+3 votes
2.1k views
in Q2A Core by
Default Q2A behaviour is that new user is allowed to login and update his/her profile even email is not verified. I want to prevent lurkers from login to the site and setup their website field on user profile page if the email is not verified.

I enabled both options in Admin > Spam, Request confirmation of user emails and New users must complete confirmation but new users are still automatically loggedin during registration process and able to update their profiles.

Is there any way to prevent user login if email is not confirmed?

3 Answers

0 votes
by
I agree with you this is not quite the way I would expect this to work.

If I want email confirmation, I would normally expect the account to be on hold (i.e. blocked) until it is confirmed.
+1 vote
by
edited by

There is the method of preventing change of profile in addition to the method of preventing login. If you added filter plugin, it is not necessary to hack of Q2A core, and I think that appearance is also finely realizable. 

 
Key information of Q2A-API (qa-include/qa-app-users.php):
  • QA_USER_FLAGS_MUST_CONFIRM
  • QA_USER_FLAGS_MUST_APPROVE
  • qa_get_logged_in_flags()
Reference information for you:
I coped with this problem at  certain site. Users immediately after registration wants to often change his profile. Therefore, I thought that it was not good to take this freedom of registered user. Moreover, users changes his profile always even after registration. We adopted the method of notifying to moderators by email and checking change of profile. 
by
Thanks for this info, this may be useful.
Actually, I am using a SSO, so the the 3rd party application looks after this registration process for me (I was just mentioning it because I find this non blocked unconfirmed account a bit unusual)
+1 vote
by
I do not agree with you, if the user did not recieve the verfication email, how can he request to resend a new verification email if he can not login.
by
Well, that's what I expect from a security / anti-spam point of view.

If the account was blocked until it is confirmed it would be wise to have a field to confirm the email entry in the registration form to cope with what you mention.
by
the best way to solve this problem is  that the admin can sepicify the permission base on usergroup.
by
Hmm, sorry I don't get your point of view (maybe I am missing something).
If a registration confirmation process is implemented this should apply to ANY new registrant ( regardless of usergroup) to avoid abuse.
...