Details
- Applies to: 1.9.4
- Purpose: Make new users verify their account by email; reduce drive-by spam
Description:
- Adds a new config option require_email_verification.
- If you set that option and make sure your wiki is configured to send email, new account creation adds a token to the new user account file and sends an email, containing a link to follow, to the email address given.
- New action added: verifyaccount (new code to check the token and remove it from the user account).
- Once the user account file no longer contains the token, the user may log in as normal.
- In case the email gets lost or deleted, if the user tries to create a new user account with the same username or email again, they will be prompted with a link to re-send the same verification link.
Hopefully this should stop some of the spammers if they actually have to supply a working email address.
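A minimal model of the flow described above, as an added example (not the patch's code, and written for Python 3 rather than the Python 2 that moin 1.9 runs on). The in-memory ACCOUNTS dict, the function names and the URL layout are assumptions; only the verifyaccount action name comes from this page.

```python
import hmac
import secrets
from urllib.parse import urlencode

ACCOUNTS = {}  # constructed in-memory stand-in for the per-user account files

def verification_link(name):
    # Hypothetical URL layout; only the action name "verifyaccount" is from the page.
    query = urlencode({"action": "verifyaccount", "name": name,
                       "token": ACCOUNTS[name]["verify_token"]})
    return "https://wiki.example.org/?" + query

def create_account(name, email):
    """Create an account that stays locked until its emailed token is verified."""
    for other, account in ACCOUNTS.items():
        if other == name or account["email"] == email:
            if "verify_token" in account:
                # Lost mail: offer the same link again, do not mint a new token.
                return "resend", verification_link(other)
            return "exists", None
    # 32 bytes from the OS CSPRNG; the token must not be guessable.
    ACCOUNTS[name] = {"email": email, "verify_token": secrets.token_urlsafe(32)}
    return "created", verification_link(name)

def verify_account(name, token):
    """Check the submitted token and remove it from the account on success."""
    stored = ACCOUNTS.get(name, {}).get("verify_token")
    if not stored or not token:
        return False
    # Constant-time comparison so response timing does not leak token bytes.
    if not hmac.compare_digest(stored.encode(), token.encode()):
        return False
    del ACCOUNTS[name]["verify_token"]  # single use: the link is dead afterwards
    return True

def may_log_in(name):
    """Login is allowed only once the account no longer carries a token."""
    return name in ACCOUNTS and "verify_token" not in ACCOUNTS[name]

if __name__ == "__main__":
    status, link = create_account("alice", "alice@example.org")
    print(status, may_log_in("alice"))
    token = ACCOUNTS["alice"]["verify_token"]
    print(verify_account("alice", token), may_log_in("alice"))
```

Removing the token on success makes the emailed link single-use, and an empty or missing stored token never verifies, so an already-verified account cannot be "verified" again with an empty token parameter.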
Patch
mail-verification.patch for 1.9.7 updated to match the patch in Debian's 1.9.7-1 package -- SteveMcIntyre 2013-09-05 17:05:26
return (1, _("Verification message sent to %(email)s" % {'email': user.email)) # syntax error
Looks like the syntax error maybe sneaked in while trying to add _() i18n support. It needs to look like this:
return (1, _("Verification message sent to %(email)s") % {'email': user.email})
Always make sure that ONLY the translatable string is inside of _() and that placeholders are getting replaced AFTER translation has happened (otherwise it just won't work).
You also may want to check again whether you translated all strings that need translation; I saw some without _().
Looking at more tweaks to fix the above comments now. Any more feedback? -- SteveMcIntyre 2013-09-05 17:05:26
Doesn't the body text of the verification e-mail need to be translatable? -- PaulBoddie 2013-09-07 00:39:02
Discussion
Steve, did you have a look at the email verification moin2 feature and try to make it as similar as possible? -- ThomasWaldmann 2012-04-26 08:14:55
Hi Thomas; no, I didn't know of such a feature at the time... -- SteveMcIntyre
Also, as suggested on irc: we've been using this patch now for a number of weeks on wiki.debian.org with no major problems. Works for us!
I have been looking at the stuff again: even moin 1.9.x has a "forgot password" functionality that does a somewhat similar thing.
I think it should be changed / generalized to support the following scenarios (rather than adding this patch "as is"):
- "forgot password" - needing an email roundtrip to establish a new password
- "new account" - created by user, needing an email roundtrip to verify email
- "new account" - created by admin, needing an email roundtrip to establish a password (and verify email)
- strictly taken, we should even do this when the user changes his/her email address (optional, rare cases of users entering an invalid email AND forgetting their password can also get handled by admin)
This is all fundamentally the same:
- account is currently in an unusable / not-enabled state (due to user error or intentionally) or email is not verified
- needs an email roundtrip to verify email and / or let the user enable the account
- after clicking a link in the email (and maybe defining a password), account gets enabled
I'll maybe work on this in the near future. -- ThomasWaldmann 2014-01-05 00:04:21
Plan
- Priority:
- Assigned to:
- Status: