Registering - Force email confirmation?
-
Hey, I'm about to go into production in the next few days.
I want to make sure that users verify their email address before being able to log in. I checked "Require Email confirmation" in Admin panel Settings/User, but the user can still log in before he has clicked the link in the confirmation mail.
Is there a way to not let the user log in like that?
Thanks
-
It will let them log in. But nothing else. So they can't post or access anything that you've denied access to to registered members. Probably should be a check on login though. Or at least something that's checked every 10-15 seconds just in case someone verifies the email while logged in.
-
Oh oh I assumed they had access after login, good to know! [solved]
-
Sorry to hijack this post, but this advice isn't quite right?
NodeBB doesn't differentiate between a confirmed or unconfirmed user, they both occupy the same "registered users" group.
For example on my forums, I offer downloadable files that are only available to registered users, which is ok because guests can't view or download the files, but suppose someone uses a fictional email address? They gain access .... even though they haven't confirmed their address.
Access control would work as expected if there was an "email confirmed" user group.
Regards, Lee
-
I'm going to bump this year-old topic to see if it can get more attention. I really feel that NodeBB should differentiate between a registered user, and a user who still needs to validate their email.
While these accounts can't post, they can access all sorts of content that I have open to regular user accounts. A workaround would be a secondary group, reward promotion and require something like an introduction post, but this is by no means the standard procedure on a forum.
-
@A-Former-User said in Registering - Force email confirmation?:
> I'm going to bump this year-old topic to see if it can get more attention. I really feel that NodeBB should differentiate between a registered user, and a user who still needs to validate their email.
> While these accounts can't post, they can access all sorts of content that I have open to regular user accounts. A workaround would be a secondary group, reward promotion and require something like an introduction post, but this is by no means the standard procedure on a forum.
I know it is an old topic, can anyone give some hints on how to create a group for registered users without email validation? Although this kind of user is not able to post, they can view topics just like the registered ones while a guest cannot.
-
@guo said in Registering - Force email confirmation?:
> @A-Former-User said in Registering - Force email confirmation?:
> > I'm going to bump this year-old topic to see if it can get more attention. I really feel that NodeBB should differentiate between a registered user, and a user who still needs to validate their email.
> > While these accounts can't post, they can access all sorts of content that I have open to regular user accounts. A workaround would be a secondary group, reward promotion and require something like an introduction post, but this is by no means the standard procedure on a forum.
>
> I know it is an old topic, can anyone give some hints on how to create a group for registered users without email validation? Although this kind of user is not able to post, they can view topics just like the registered ones while a guest cannot.
I dug into the code and tried to prevent users without email validation from reading posts.
In src/controllers/api.js, I made some changes as:

```javascript
apiController.getPostData = async function (pid, uid) {
	const [userPrivileges, post, voted, userData] = await Promise.all([
		privileges.posts.get([pid], uid),
		posts.getPostData(pid),
		posts.hasVoted(pid, uid),
		user.getUserFields(uid, ['email:confirmed']), // add
	]);
	if (!post) {
		return null;
	}
	Object.assign(post, voted);

	const notConfirmed = meta.config.requireEmailConfirmation && !userData['email:confirmed']; // add
	const userPrivilege = userPrivileges[0];
	if (!userPrivilege.read || !userPrivilege['topics:read'] || notConfirmed) { // add
		return null;
	}

	post.ip = userPrivilege.isAdminOrMod ? post.ip : undefined;
	const selfPost = uid && uid === parseInt(post.uid, 10);
	if (post.deleted && !(userPrivilege.isAdminOrMod || selfPost)) {
		post.content = '[[topic:post_is_deleted]]';
	}
	return post;
};
```

But it is of no avail. I am a nodejs newbie, can anyone give some advice?
-
You will need to add it to the topic controller as well. https://github.com/NodeBB/NodeBB/blob/master/src/controllers/topics.js
A better way to do this is to write a plugin and alter `topics:read` privilege to false if the email is not confirmed. I added 2 hooks for this in https://github.com/NodeBB/NodeBB/commit/d080c7b04c83a6c2925d8a61f26dc268829afdc2.
Here is how it would be used in a plugin

```javascript
// NodeBB core modules, loaded via require.main.require as plugins do
const meta = require.main.require('./src/meta');
const user = require.main.require('./src/user');

const myPlugin = {};

// this handles multiple users for a single privilege/category
myPlugin.isUsersAllowedTo = async function (hookData) {
	if (meta.config.requireEmailConfirmation && hookData.privilege === 'topics:read') {
		const userData = await user.getUsersFields(hookData.uids, ['email:confirmed']);
		hookData.allowed = userData.map((data, index) => hookData.allowed[index] && data['email:confirmed']);
	}
	return hookData;
};

// this handles single user for multiple privileges or categories
myPlugin.isUserAllowedTo = async function (hookData) {
	if (meta.config.requireEmailConfirmation) {
		const emailConfirmed = await user.getUserField(hookData.uid, 'email:confirmed');
		if (Array.isArray(hookData.privilege) && hookData.privilege.includes('topics:read')) {
			// one user, several privileges: only the topics:read slot is changed
			const index = hookData.privilege.indexOf('topics:read');
			hookData.allowed[index] = hookData.allowed[index] && emailConfirmed;
		} else if (Array.isArray(hookData.cid) && hookData.privilege === 'topics:read') {
			// one user, one privilege, several categories
			hookData.allowed = hookData.cid.map((cid, index) => hookData.allowed[index] && emailConfirmed);
		}
	}
	return hookData;
};

module.exports = myPlugin;
```
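
The decision logic from the plugin snippet above, pulled into a pure function so it can be unit-tested without a running forum. This is an added example, not NodeBB's or the poster's code, and it goes beyond the snippet by gating a configurable set of privileges, leaving guests to the category's own settings and failing closed for unknown uids. `GATED`, `isCleared`, `gateOnConfirmedEmail` and the sample data are hypothetical; only the `hookData` field names come from the post.

```javascript
// Added example. hookData fields (uid, uids, cid, privilege, allowed) follow the
// plugin snippet above; every other name here is hypothetical.
const GATED = new Set(['topics:read']); // privileges withheld until the email is confirmed

// confirmed: Map<uid, boolean>; a real plugin would fill it from the user store.
// Guests (uid 0) pass through so the category's guest settings still decide for
// them; a uid with no record fails closed.
function isCleared(uid, confirmed) {
  return Number(uid) <= 0 || confirmed.get(Number(uid)) === true;
}

function gateOnConfirmedEmail(hookData, confirmed, requireConfirmation) {
  if (!requireConfirmation) return hookData;
  const { privilege, cid, uid, uids } = hookData;
  let allowed;
  if (Array.isArray(uids)) {
    // many users, one privilege
    if (!GATED.has(privilege)) return hookData;
    allowed = hookData.allowed.map((ok, i) => Boolean(ok) && isCleared(uids[i], confirmed));
  } else if (Array.isArray(privilege)) {
    // one user, many privileges: only gated entries can flip to false
    const cleared = isCleared(uid, confirmed);
    allowed = hookData.allowed.map((ok, i) => Boolean(ok) && (cleared || !GATED.has(privilege[i])));
  } else if (Array.isArray(cid) && GATED.has(privilege)) {
    // one user, one privilege, many categories
    const cleared = isCleared(uid, confirmed);
    allowed = hookData.allowed.map((ok) => Boolean(ok) && cleared);
  } else {
    return hookData;
  }
  return { ...hookData, allowed }; // the caller's object is not mutated
}

// Constructed sample data: uid 1 confirmed, uid 2 not, uid 3 unknown, uid 0 guest.
const sampleConfirmed = new Map([[1, true], [2, false]]);

function demo() {
  const run = (hd) => gateOnConfirmedEmail(hd, sampleConfirmed, true).allowed;
  return {
    manyUsers: run({ privilege: 'topics:read', cid: 5, uids: [1, 2, 0, 3], allowed: [true, true, true, true] }),
    manyPrivileges: run({ uid: 2, cid: 5, privilege: ['topics:read', 'find'], allowed: [true, true] }),
    manyCategories: run({ uid: 2, privilege: 'topics:read', cid: [5, 6], allowed: [true, true] }),
  };
}

console.log(demo());
```
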