Dnn.platform: Default settings 'assume' that people are allowed to register
Description of bug
On a clean DNN installation, under the Security options > Member Accounts > Registration setting, the default setting for 'User Registration' is set to 'Private'.
So this kind of makes an assumption that people are allowed to register on the website.
So by default, people can create an account (even though the accounts still must be verified).
I think this is a wrong assumption, and even a possible security risk because you never know what will be changed to the installation in the future, which theoretically might allow some kind of access for this user account.
The default should be set to none.
Screenshots
Affected version
- [x] 9.3.2
- [x] 9.3.1
- [x] 9.2.2
- [x] 9.2.1
- [x] 9.2
- [x] 9.1.1
trouble2
All 9 comments
it is always a challenge to demo features of the system versus hiding it for security.
However, in this case, security impact should be low, as "private" requires the user to be acknowledged by an admit to gain additional permission within the site.
sleupold
on 21 Jun 2019
Yes, but I think a default CMS installation should not be used to 'demo' the features.
If I create a new installation I would like it to be configured in the 'most' appropriate way for the 'average' use. So I don't have to switch and configure 20 different things which in most cases I'm not using anyway. Just because it gives a nice 'demo' would not be a good argument for me.
trouble2
on 21 Jun 2019
This has been discussed in the past, the default behavior here ensures that the Register & Login links are still valid, and the common use-case does support additional user accounts.
If this is "none" by default the behavior doesn't fit as large of a target audience and can restrict access to things for those with new installations.
If there is broad support for a change, we can discuss, which I will add this to the TAG agenda for discussion.
mitchelsellers
on 21 Jun 2019
Since nobody else has voiced they want this badly, I am closing this issue in the spirit of cleaning the backlog.
valadas
on 30 Jul 2019
We re-discussed this and we could default to none on new installs actually.
valadas
on 6 Oct 2019
We have detected this issue has not had any activity during the last 90 days. That could mean this issue is no longer relevant and/or nobody has found the necessary time to address the issue. We are trying to keep the list of open issues limited to those issues that are relevant to the majority and to close the ones that have become 'stale' (inactive). If no further activity is detected within the next 14 days, the issue will be closed automatically.
If new comments are are posted and/or a solution (pull request) is submitted for review that references this issue, the issue will not be closed. Closed issues can be reopened at any time in the future. Please remember those participating in this open source project are volunteers trying to help others and creating a better DNN Platform for all. Thank you for your continued involvement and contributions!
![stale[bot] picture](https://avatars.githubusercontent.com/in/1724?v=4&s=40)
stale[bot]
on 5 Jan 2021
still an issue
sleupold
on 5 Jan 2021
Still needed.
jeremy-farrance
on 5 Jan 2021
I have pinned the issue
valadas
on 5 Jan 2021
Related issues
trouble2
路
4Comments
moorecreative
路
4Comments
Roylej
路
3Comments
trouble2
路
5Comments
thabaum
路
4Comments
Most helpful comment
This has been discussed in the past, the default behavior here ensures that the Register & Login links are still valid, and the common use-case does support additional user accounts.
If this is "none" by default the behavior doesn't fit as large of a target audience and can restrict access to things for those with new installations.
If there is broad support for a change, we can discuss, which I will add this to the TAG agenda for discussion.