Stricter behaviour for email address requirement config
-
tl;dr
This blog post is about this GitHub pull request.
- If you have
requireEmailAddress
enabled, anyone who does not have a confirmed email address will be prompted to do so. They will not have access to the forum. - This replaces the older behaviour wherein the option to require an email address only really enforced that an address was provided, not that it be confirmed; the option was essentially toothless.
- The default is unchanged, email is not a required user attribute, and a new registrant can enter nothing at all, if they wish.
Slated for v3.1.0 is a change to the
requireEmailAddress
config option.The following new behaviour has been added to this configuration option, if enabled:
- If a new registrant or existing user does not have a confirmed email, then they will not have access to the forum. They will be redirected back to the email change form and given the option to resend their confirmation email.
- Some users with an unconfirmed email address will be prompted to confirm their email address.
This is a change from the previous behaviour, where the option only enforced that the user entered an email when registering, even if it was not theirs or was not a real email.
I went into detail earlier about how we treat emails — if it's not validated, it's not added to the account.
However, in this case, even with the
requireEmailAddress
option enabled, forum access was still allowed even if the email was not validated (which went against the expectation of the user option — "require email address"). It seemed to be a bit toothless to only require that an email be entered, so we have extended the scope of this option so that it completely restricts access to the forum for logged-in users if their email is not validated.What if I want guest access to my forum?
Guest access is unchanged; the expanded scope only applies to registered accounts, and even then only if the
requireEmailAddress
option is explicitly enabled.What if I only want to show some content to verified users, but don't want to force users to enter an email?
No change — you'll leave the
requireEmailAddress
option unchecked, and hide your privileged content via category privileges. Theverified-users
andunverified-users
groups will allow you to show and/or hide content to those groups just as before. - If you have
-
Hello.
I think it's inappropriate to prohibit users with unverified email addresses from accessing the forum. Registered users should not have fewer rights than guests. I suggest allowing users with unverified email addresses to post, or preferably creating a separate user group for them. -
Hi @Redbeanw44602! Thanks for voicing your concerns.
In this particular change, the behaviour is only applied if explicitly enabled by the site admin. The default behaviour is unchanged: guests and regular users without email confirmed are able to browse the forum equally.
In the case where an admin wants to gate content behind email verification, they can also opt to use the
verified-users
privilege group.