- **status**: in-progress --> code-review
- **Comment**:

Closed #662. `je/42cc_7704`

There's one issue I want to discuss. Registration uses `User.claim_address`, and 
that can cause trouble. If a second user enters an existing email during 
registration, then it will be reassigned to this new user, and that's bad. We 
can check that the email already exists and show an error message, but that 
enables password enumeration attacks.

Just rechecked, and it seems like the email gets reassigned when the second user 
confirms the address. And that's probably okay, since only the email owner can 
confirm it.

What do you think?

Everything else should work fine.



---

** [tickets:#7704] Option to require email for user registration**

**Status:** code-review
**Milestone:** forge-oct-17
**Labels:** 42cc 
**Created:** Fri Sep 19, 2014 07:17 PM UTC by Dave Brondsema
**Last Updated:** Mon Oct 06, 2014 02:30 PM UTC
**Owner:** Igor Bondarenko

Allura doesn't currently require an email address for user registration.  There 
should be an option to require it.  We have an option called 
`auth.require_email_addr` which is enforced on the /auth/preferences page, so 
we could use the same setting to control how user registration works.

Users should be in a 'pending' state (new flag) initially, and the system should 
send a password verification email (similar to what we already do on 
/auth/preferences).  After that email is verified, the user is no longer pending.

We will have to update many places in the code to check the new 'pending' 
state.  Probably best to search everywhere users are searched by 'disabled' or 
`someuser.disabled` is checked, and determine if the pending flag needs to be 
checked too, since pending users shouldn't be allowed to do anything yet.
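The flow the ticket and the comment above describe, as an added example that is not Allura's code: a user is created pending, the address is bound only when a mailed one-time token is confirmed (so registering with someone else's address changes nothing for them and the form gives the same reply either way), and `can_act` is the check that would sit wherever `disabled` is tested today. `Registry`, `register`, `confirm_email`, `can_act` and the in-memory `outbox` are assumed names for illustration; Allura's own `User.claim_address` and `auth.require_email_addr` are only stood in for here.

```python
"""Pending-until-verified registration sketch.

Added example, NOT Allura code.  Registry, register, confirm_email and can_act
are assumed names used for illustration; Allura's own models and helpers
(User.claim_address, the auth.require_email_addr setting) differ.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    username: str
    email: Optional[str] = None   # bound only after the address is confirmed
    pending: bool = True          # the new flag the ticket asks for
    disabled: bool = False


@dataclass
class Claim:
    """An unconfirmed address claim: who asked, for which address, until when."""
    username: str
    email: str
    expires: float                # unix time


def can_act(user: User) -> bool:
    """Gate to use wherever code today checks ``disabled``: a pending user is
    treated exactly like a disabled one until the address is verified."""
    return not (user.disabled or user.pending)


class Registry:
    def __init__(self, require_email_addr: bool = True, ttl_seconds: int = 86400):
        self.require_email_addr = require_email_addr   # stands in for auth.require_email_addr
        self.ttl_seconds = ttl_seconds
        self.users: Dict[str, User] = {}
        self.claims: Dict[str, Claim] = {}             # keyed by sha256(token)
        self.outbox: List[Tuple[str, str]] = []        # (address, token) "sent" mails (constructed)

    @staticmethod
    def _hash(token: str) -> str:
        # Store only a digest, so a leaked claims table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, username: str, email: str, now: Optional[float] = None) -> str:
        """Create the user in pending state and mail a one-time token.

        The address is deliberately NOT bound here.  Registering with someone
        else's e-mail therefore changes nothing for that person, and the reply
        is identical whether or not the address is already in use, so the form
        is not an account-enumeration oracle."""
        if username in self.users:
            raise ValueError("username taken")
        now = time.time() if now is None else now
        self.users[username] = User(username, pending=self.require_email_addr)
        if self.require_email_addr:
            token = secrets.token_urlsafe(32)
            self.claims[self._hash(token)] = Claim(username, email, now + self.ttl_seconds)
            self.outbox.append((email, token))
        return "Check your e-mail to finish registration."

    def confirm_email(self, token: str, now: Optional[float] = None) -> bool:
        """Bind the address to the claimant and clear ``pending``.  Tokens are
        single-use and expire; an unknown or stale token is just rejected."""
        now = time.time() if now is None else now
        claim = self.claims.pop(self._hash(token), None)
        if claim is None or now > claim.expires:
            return False
        user = self.users[claim.username]
        # Only now, with proof of mailbox control, does the address move.  As
        # the comment above describes for Allura, an earlier holder loses it at
        # this point; nobody without access to the mailbox can reach this line.
        for other in self.users.values():
            if other is not user and other.email == claim.email:
                other.email = None
        user.email = claim.email
        user.pending = False
        return True
```

The reassignment on confirmation is kept because that is the behaviour the comment reports and accepts; the point is that it can only happen after the second user has proven control of the mailbox, and that nothing observable differs at registration time between a fresh and an already-claimed address.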


---

Sent from sourceforge.net because [email protected] is subscribed to 
https://sourceforge.net/p/allura/tickets/
