[4.x]: New user activation email link pointing to site instead of CP

[JasonStainton]

What happened?

Description

When creating a new user with a group that has the CP access permission. The activation link goes to the site and not the CMS. If you create a new user with the group and the individual CP access permission it generates the link to the CP as expected.
If you create a new user with just the group but do not send the activation email at the same time and instead send the activation email for the user after it has been created, it also works correctly.

Steps to reproduce

1. Create a user group with the CP access permission (Access the control panel).
2. Create a new user, set the user to have the created user group containing the CP access permission and choose to send the activation email at the same time.
3. The activation link in the email points to the site and not the CP.

Expected behaviour

The activation link should point to the CP as the user does have CP access permission as part of the group.

Actual behaviour

The activation link points to the site login.

Craft CMS version

4.4.9

PHP version

8.0.28

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

• Amazon S3 | 2.0.3
• Asset Rev | 7.0.0
• HOMM XML Sitemap | 1.0.3
• Neo | 3.7.7
• Redactor | 3.0.4
• Retour | dev-develop-v4

[i-just]

Hi, thanks for reaching out. By default, the activation URL will point to <your_domain>/setpassword. You can change it via setPasswordPath config (more info). I do not see any discrepancy in the way that URL is generated.

Or do you maybe refer to where the user is taken after clicking the activation link? If that’s the case, then you can be taken to the homepage if the URL is not valid (e.g. expired, the user already activated their account etc).

Hope the above helps. If I misunderstood the problem, please let me know.

[JasonStainton]

Thanks for the reply @i-just. I think there is a misunderstanding. I'm aware of the setPasswordPath and it's use but this issue isn't about that.

When making the call to vendor/craftcms/cms/src/services/Users.php#getActivationUrl() during a new user creation after selecting the option to send an activation email at the same time.

It ultimately calls _getUserUrl() and within its inner workings, there is a check to see if the user has cp access permission and that determines if the URL will go to the frontend or the CP.

If the user has been granted a group with the cp access permission it should link to the cp password reset URL, the same as if they had been given the cp access permission directly.

If you create the user first, then choose to send the activation email from the cp it will link to the cp password reset URL.

The issue appears to be that the user does not have the group permissions set when _getUserUrl() is called in this process.

Hope that clarifies things a little more. Let me know if more info is needed.

[i-just]

Looks like I completely missed your point, sorry. On it now!

[brandonkelly]

Craft 3.8.12 and 4.4.12 are out with a fix for this!