mateopang

Forum Replies Created

Viewing 1 replies (of 1 total)
  • Forum: Plugins
    In reply to: [New User Approve] [BUG/security risk] registering users bypass
    Thread Starter mateopang

    (@mateopang)

    1 year, 1 month ago

    Thanks!
    However, I already solved the problem via the functions.php this way:

    add_filter(‘authenticate’, function ($user, $username, $password) {
    if (is_a($user, ‘WP_User’)) {
    // Always allow administrators to log in
    if (user_can($user, ‘manage_options’)) {
    return $user;
    }

        $status = get_user_meta($user->ID, 'pw_user_status', true);
    if ($status && $status !== 'approved') {
        return new WP_Error(
            'approval_pending',
            __('Your account has been registered, but must be manually approved by an administrator. You will receive an email once it is activated.', 'new-user-approve')
        );
    }
}
return $user;

    }, 30, 3);

    // 📪 2. Disable the automatic email with password setup after registration
    remove_action(‘register_new_user’, ‘wp_send_new_user_notifications’);
    remove_action(‘register_new_user’, ‘woocommerce_registration_redirect’, 10); // optional, only if WooCommerce overrides the redirect
    add_filter(‘woocommerce_email_enabled_customer_new_account’, ‘__return_false’);

    // ✅ 3. Send activation/password setup email only after manual approval by admin
    add_action(‘new_user_approve_approved’, function ($user_id) {
    wp_new_user_notification($user_id, null, ‘user’); // send the password setup link
    });

Viewing 1 replies (of 1 total)