U4-9629 - Add the ability to disable the built-in Login, Register and Update profile controller

Created by Craig Noble 14 Mar 2017, 18:26:43 Updated by Craig Noble 14 Mar 2017, 18:50:16

These controllers are problematic on most web sites I have created, as we have additional checks, such as email verification and checking against an external systems upon registering.

The registration in particular does introduce weaknesses in our web sites. When we implement registering, we use captcha's on the form and use email verification to prevent bots and malicious users.

The registration controller allows you to add a registration to the member, which allows you to bypass these checks. It also automatically logs you in (I think). I understand this is for web developers to get started using authentication but realistically, if Umbraco is wanting to attract larger companies and corporations to the Umbraco CMS, surely these controllers opens the system to abuse and pathways to bypass processes we put in place.

There are no client token validation checks, and could potentially be exploited for a denial of service attack or form part of it.

At Mentor Digital (gold partner), I can already name a few web sites that we have made and are susceptible to abuse of these controllers. I know we can fix it by adding a checkbox like "HasVerifiedEmail", but not 70,000 members down the line. Also, to do this seems like a hack or quirk of Umbraco, because "Approved" should be enough.

We are in dire need of a setting that will disable these. Can this be added?

Comments

Priority: Major

Type: Feature (request)

State: Submitted

Assignee:

Difficulty: Normal

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions:

Due in version:

Sprint:

Story Points:

Cycle: