I use XOOPS 2.0.6 for an internal project, i have set up user activation through the administrator.

When a new user registers and the activation-mail is sent to the admin, one can click on the activation-link and then XOOPS pops up in the browser and confirms that the user has been activated, without asking for the admin password.

I think this behavior is highly insecure specially in case of a misconfigured mail-system or even an misspelled admin-email-address.

When you clicked on the activation-link, did you already have your browser open, and were you already logged in (as an admin)?

no, no browser process open and not logged in at all during the activation, even after XOOPS confirmed the activation i was not logged in

After looking at the code, it does appear to work as you described. I don't think it's especially insecure, since the activation key is only sent to admins. But it would probably be better to require an admin login.

The fix would be done in user.php, by checking that an admin is currently logged in before calling activateUser(), when $xoopsConfigUser['activation_type'] is 2.

I can also confirm that no login is needed. I recently went to admin approval for signups after having some new users signup only to try to crack the site. I quickly noticed the new issue.

Not a terribly big thing since even if the email was hijacked (which you should notice quickly) the worst is that the user gets activated. He won't get admin rights.

Maybe safer to force a login except it makes more work for the admin. I personally don't like to login as admin unless I'm on the VPN and need to do other admin duties.

One hack I did was to append a user's IP address to the signup notice so I can have a record in case of a problem user.

In the long run it might be safest to keep the admin approval method just as it is.