Require email validation before account approval


(Dave Higgins) #1

Continuing the discussion from Require email activation before Admin approval:

When must approve users and login required are active, the admin needs to manually send the activation email from the user profile for every user who registers.

Can this be (optionally) automatic, so that the admin need only be concerned with real/confirmed email addresses.


(Jeff Atwood) #2

This is not correct. The admin just has to press the approve button in their browser.


(Dave Higgins) #3

I have not explained myself clearly - every user must be approved, but I don’t want to approve any until their email is activated. And - here’s the problem - I have to manually send every activation email.

I just tested a new signup in v1.6.0.beta1 +49

No activation email was sent, unless that is manually initiated. I don’t want to consider any registrations for Approval (which additional work for me, not related to Discourse) until the email is at least activated. So I would like the activation email to be automatically sent.


(Jeff Atwood) #4

Sorry I am not following you at all. If you have approval required, then press the approve button – the email validation is automatic and part of new user signup on any Discourse.

Unless there is some new bug here in 1.5.


(Dave Higgins) #5

Here’s my use case, step by step:

  1. User registers.
  2. I realise, via the admin forum. Before Approving, I must check that the user’s employer has a legal agreement with my employer. I’m not doing that work until I at least know the email is a real person (at least, the email is activated). So I manually have to send the activation email. It is not sent yet.
  3. If user activates, I start the consideration for approval.

I would like to skip my involvement in step 2. (I don’t see an option to have the activation email to be sent automatically, when must approve is on.)


(Jeff Atwood) #6

So this is some unusual requirement on your end where seeing and looking at the email is not enough to know that it is valid.

Still your plan seems strange here, if you “approve” me as barackobama@whitehouse.gov it does not matter since I will never be able to confirm that email address, and thus never gain access to the site anyway.

Try it yourself if you do not believe me. So what is the point of this request?


(Gerhard Schlager) #7

OK, so you want it to change from:

  1. user registers
  2. admin approves
  3. email address is validated by sending activation email
  4. user is activated

to

  1. user registers
  2. email address is validated by sending activation email
  3. admin approves
  4. user is activated

Makes sense…


(Jeff Atwood) #8

Does it? The end result is 100% identical in either case. A user with a fake, unverifiable email will never gain access to the site.


(Gerhard Schlager) #9

Ah, I see… good point. :blush:
I guess changing that flow doesn’t make any sense then. :wink:


(Dave Higgins) #10

The point is less work, skipping admin involvement in step 2 (from my step-by-step above).
Yes, barackobama@whitehouse.gov won’t get approved anyway. But what about xcs1123@gmail.com? (I just made that up, it could be a real address, please no-one email it :smirk:). If I am to approve that, I need to find out who it is, without letting them see the forum content. So I am not going to just click approve, and see if they validate after. I am going to find out who in our company knows this email address, and if it is known, whether that user’s employer has a research agreement with my company, and whether the owner of the email address has signed a non-disclosure agreement! I don’t want to start all that, wasting everyone’s time, if the email is some spam signup, which won’t ever be activated anyway.
So I use activation-emails before approval-consideration. I am trying to avoid the admin involvement in sending the activation emails before approval.

So @gerhard I want to change from

1.user registers
2. admin logs in, manually sends activation emails for each new registrant
3. email address is validated (or not…we’ll see!)
4. admin begins approval consideration

to

  1. user registers, activation email sent automatically
  2. [there is no step 2!]
  3. email address is validated (or not…we’ll see!)
  4. admin begins approval consideration

(Felix Freiberger) #11

I see your point – but are signups with incorrect addresses a real problem? I’d assume that the fact that the email will be validated anyway means that only very, very few people will even try to sign up with an incorrect address.

On the other hand, I don’t see any argument for not swapping the order, except that it needs to be implemented and might be weird for accounts that are currently waiting for approval while an update that changes this order is installed…


(Dave Higgins) #12

You’re right, the additional work is not a huge issue. However can be an unnecessary delay for the user/customer before an activation email is sent, which adds to the (necessary) approval delay. I’d like to avoid that.


(Felix Freiberger) #13

I don’t think this increases the wait time for the user:

Currently, he signs up, and has to wait for approval. When he receives the activation mail, he might not be around, but as soon as he clicks it, he can immediately use the forum. In total, he has to wait for approval plus until he’s around again.

After the switch, he signs up, and immediately clicks the activation link. Then, he has to wait for approval. After he is approved, he’d get another email, and can use the forum as soon as he’s around again. In total, he has to wait for approval plus until he’s around again.

I actually see a disadvantage for the user: When he has a crappy email provider and mails are slow, he has to sign up – wait for the mail – click the link – wait for approval – can use the forum. In the current system, he has to sign up – wait for approval and mail delivery – click the link – can use the forum. So the current system is actually more convenient, because he doesn’t have to intervene during the activation+approval process.


(Dave Higgins) #14

That’s a fair analysis. I hadn’t considered email provider delays. Thanks.

If spam signups become frequent then the activation email auto-sending right after registration, before approval, would still be preferred.