
Verification email is sent even if verified is checked in UI #10158

Closed
tylkomat opened this issue Dec 24, 2024 · 4 comments · Fixed by #10252
@tylkomat

tylkomat commented Dec 24, 2024

Describe the Bug

When creating a user and auth.verify is true on the collection, the verification email is sent despite having verified checked in UI. The verificationToken is also generated.

Missing check for resultWithLocales._verified or !verificationToken: https://github.com/payloadcms/payload/blob/main/packages/payload/src/collections/operations/create.ts#L256

Missing Check for result._verified === true: https://github.com/payloadcms/payload/blob/main/packages/payload/src/collections/operations/create.ts#L298

Link to the code that reproduces this issue

https://github.com/tylkomat/payload/tree/bug-verification-email

Reproduction Steps

  1. set verify to true on user collection
  2. create a new user via UI, check verified checkbox, hit save
  3. CLI shows the message: INFO: Email attempted without being configured. To: ...

Which area(s) are affected? (Select all that apply)

area: core

Environment Info

Binaries:
  Node: 20.12.2
  npm: N/A
  Yarn: N/A
  pnpm: N/A
Relevant Packages:
  payload: 3.10.0
  next: 15.0.4
  @payloadcms/db-mongodb: 3.10.0
  @payloadcms/graphql: 3.10.0
  @payloadcms/next/utilities: 3.10.0
  @payloadcms/richtext-lexical: 3.10.0
  @payloadcms/translations: 3.10.0
  @payloadcms/ui/shared: 3.10.0
  react: 19.0.0
  react-dom: 19.0.0
Operating System:
  Platform: win32
  Arch: x64
  Version: Windows 11 Pro
  Available memory (MB): 15125
  Available CPU cores: 12
@tylkomat tylkomat added status: needs-triage Possible bug which hasn't been reproduced yet validate-reproduction labels Dec 24, 2024
@jmikrut
Member

jmikrut commented Dec 30, 2024

Hey @tylkomat — unfortunately if we respected the incoming initial _verified true / false from the admin UI, this could be potentially abused.

Consider this case:

  • You have public signup enabled (which is where you'd want to use verify: true to prevent against fake accounts)
  • Anyone could easily use the REST / GraphQL APIs to create a user and manually pass _verified: true

The user is now able to circumvent the verification requirement easily.

There are two fixes here that come to mind:

1 - I think we should remove the Verified checkbox from the admin panel during create, because there, it does nothing anyway. I will do this in an upcoming PR.

2 - if you want to respect the _verified property, you could write a beforeOperation hook that would disable the verification email like so:

import type { CollectionConfig } from 'payload'

const users: CollectionConfig = {
  slug: 'users',
  auth: {
    verify: true,
  },
  hooks: {
    beforeOperation: [
      ({ args, operation, req }) => {
        // Only on create, only for a logged-in caller, and only when that
        // caller explicitly passed _verified: true in the incoming data
        if (operation === 'create' && req.user && args.data._verified) {
          // Skip generating and sending the verification email for this create
          args.disableVerificationEmail = true

          return args
        }

        return args
      },
    ],
  },
  fields: [
    // none
  ],
}

This will successfully disable the verification email, if there is a user logged in, and the person who created the user did indeed specify _verified: true.
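A hardened variant of the hook above, added here as an example (it is not code from the issue or from Payload): it honours _verified only from a logged-in caller holding an assumed `admin` role in an assumed `roles` field, and strips the flag from anyone else, which is the public-signup abuse case described earlier. Minimal local types stand in for Payload's hook signature so the snippet runs stand-alone.

```typescript
// Added example, not code from the issue or from Payload itself. Minimal
// local types stand in for Payload's hook signature so this runs stand-alone;
// in a project you would type the hook as CollectionBeforeOperationHook.
type Req = { user?: { id: string; roles?: string[] } | null }
type CreateArgs = {
  data: { _verified?: unknown; [key: string]: unknown }
  disableVerificationEmail?: boolean
}
type HookInput = { args: CreateArgs; operation: string; req: Req }

// Assumption: the users collection has a `roles` array field and only
// callers holding one of these roles may pre-verify an account.
const TRUSTED_ROLES = ['admin']

function callerMayPreVerify(req: Req): boolean {
  const roles = req.user?.roles ?? []
  return roles.some((role) => TRUSTED_ROLES.includes(role))
}

// beforeOperation hook: honour _verified only from a trusted, logged-in
// caller; otherwise drop the client-supplied flag so an unauthenticated
// REST/GraphQL signup can never short-circuit email verification.
function guardVerifiedOnCreate({ args, operation, req }: HookInput): CreateArgs {
  if (operation !== 'create' || !('_verified' in args.data)) {
    return args
  }
  if (callerMayPreVerify(req)) {
    if (args.data._verified === true) {
      args.disableVerificationEmail = true
    }
  } else {
    // Untrusted caller: the flag is discarded, so later hooks cannot trust it either
    delete args.data._verified
  }
  return args
}
```

In a collection config the function goes into hooks.beforeOperation exactly where the snippet above places its inline hook.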

@jmikrut jmikrut self-assigned this Dec 30, 2024
@github-actions github-actions bot removed the status: needs-triage Possible bug which hasn't been reproduced yet label Dec 30, 2024
@tylkomat
Author

That works for me. Thank you.

Contributor

github-actions bot commented Jan 1, 2025

This issue has been automatically locked.
Please open a new issue if this issue persists with any additional detail.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 1, 2025
Contributor

github-actions bot commented Jan 2, 2025

🚀 This is included in version v3.13.0

@github-actions github-actions bot unlocked this conversation Jan 2, 2025
@github-actions github-actions bot locked and limited conversation to collaborators Jan 2, 2025