ChurchCRM / CRM

ChurchCRM is an OpenSource Church CRM & Management Software.
https://ChurchCRM.io
MIT License

Register new family entered data directly into database without verification #3639

Open boluak opened 6 years ago

boluak commented 6 years ago

On what page in the application did you find this issue?

Login.php

On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?

Xampp, shared linux hosting

What version of PHP is the server running?

5.6, 7.1

What browser (and version) are you running?

Chrome, Firefox, ie, Microsoft edge.

What version of ChurchCRM are you running?

Families are entered directly into the database without any verification or confirmation. This might be a security risk, because anyone can register and thus have access to information being sent out to members etc. This was formerly the case with ChurchInfo, but it was addressed: an admin has to approve before it's entered in the database.

DawoudIO commented 6 years ago

@boluak I'll look at adding a verification email ... that said, the Self Register Report under the People Dashboard (/members/self-register.php) will show you who got added of late.

DawoudIO commented 6 years ago

Also note the following setting:

sNewPersonNotificationRecipientIDs

DawoudIO commented 6 years ago

People who self register have no access to the system in ChurchCRM. They are just stored in the DB with the value of self registered.

DawoudIO commented 6 years ago

That said, we should send the info back to them if they have an email and ensure it is correct.

boluak commented 6 years ago

The security/Privacy issue is this:

  1. Spam/bots and fake registrations are a possibility, and thus may compromise the system (similar to a DoS attack, or just filling the database with junk data, making additional clean-up work for the admin). (Captcha will help but will not eliminate a malicious person.)
  2. Privileged information is sometimes sent to members through ChurchCRM; in a large church, the person sending this information would most likely not know/recognize a fake member, hence the said info becomes compromised.

You envisage that:

  1. "Self Register Report under the People Dashboard. /members/self-register.php which will show you who got added of late." This becomes of no consequence, in that the admin of a large, growing church can never know who is fake. E.g., in my local church, about 10-20 people are added weekly, by different ministers, later to be verified and updated with the self-verify option.
  2. "sNewPersonNotificationRecipientIDs" is good for small congregations, as mentioned above, but becomes ineffective for large churches.
  3. "people who self register have no access to the system in ChurchCRM. they are just stored in the DB with the value of self registered" Direct access to the database is not required; information being sent out to them, so long as they have a phone number/email registered in the database, is a security/privacy risk.

Self Register Report, Church Greeter Notification + email verification should be a check to verify identity before committing a self-registered person to the main database; that is, defer making the person and family records until the confirmation process completes.

Presently I have this option turned off, but would really love to use it as it would make data collection easier and faster.

DawoudIO commented 6 years ago

Thank you for the detailed listing. I'll keep that in mind when I'm working on the feature.

I'm not sure we have a silver bullet, but we can keep making it better every time.

DawoudIO commented 4 years ago

Working on this as part of the next release.

DawoudIO commented 4 years ago

Here is what I'm going to do:

  1. Create a new classification called "pending".
  2. Have a setting to select a classification for persons who are part of a self-registered family. (Can't default to pending, as we don't know what its DB id is.)
  3. Use the value in #2, if set, for all new registrations.
  4. Send an email to the notification list saying a new person has been added to the system.
  5. Send an email to the new family members saying please verify your info once again.

feedback
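A sketch of the deferred-commit flow discussed in this thread (holding the person and family records until the registrant confirms by email, as boluak proposed, alongside the "pending" classification and verification email in the plan above). This is added example code, not ChurchCRM's own; the in-memory stores, function names and the 24-hour token lifetime are assumptions.

```php
<?php
// Added illustration (not ChurchCRM code): keep a self-registration in a
// pending store until the registrant confirms via an emailed token, and only
// then create the person record. Arrays stand in for database tables here.

const TOKEN_TTL_SECONDS = 86400; // assumed lifetime: 24 hours

$pending = [];   // stand-in for a self_registration_pending table (hypothetical)
$persons = [];   // stand-in for the person table

function storePendingRegistration(array &$pending, array $formData): string
{
    // The raw token is sent to the registrant; only its hash is stored, so a
    // leaked pending table does not let anyone confirm someone else's entry.
    $token = bin2hex(random_bytes(32));
    $pending[hash('sha256', $token)] = [
        'data'    => $formData,
        'expires' => time() + TOKEN_TTL_SECONDS,
    ];
    return $token;
}

function confirmRegistration(array &$pending, array &$persons, string $token): bool
{
    $key = hash('sha256', $token);
    if (!isset($pending[$key])) {
        return false;                // unknown or already-used token
    }
    $entry = $pending[$key];
    unset($pending[$key]);           // single use, valid or not
    if (time() > $entry['expires']) {
        return false;                // expired: the registrant must start over
    }
    // Only now does the record reach the main person table. This is also the
    // point to notify the sNewPersonNotificationRecipientIDs list.
    $persons[] = $entry['data'] + ['classification' => 'pending'];
    return true;
}

// Constructed sample input: what a self-registration form would submit.
$token = storePendingRegistration($pending, [
    'first_name' => 'Example',
    'last_name'  => 'Person',
    'email'      => 'example@example.invalid',
]);
// ... the token would be emailed to the submitted address here ...
var_dump(confirmRegistration($pending, $persons, $token)); // first use succeeds
var_dump(confirmRegistration($pending, $persons, $token)); // replay is rejected
var_dump(count($persons));                                 // exactly one record
```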

github-actions[bot] commented 5 days ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.