Community

Registering - Force email confirmation?

General Discussion
  • M

    Hey I'm about to go in Production in the next few days.
    I want to make sure that user verify their email address before being able to login.

    I checked "Require Email confirmation" in Admin panel Settings/User, but the user can still login in before he has clicked the link in the confirmation mail.
    Is there a way to not let the user login like that?
    Thanks

    0
  • A

    It will let them login. But nothing else. So they cant post or access anything that you've denied access to to registered members. Probably should be a check on login though. Or at least something that's checked every 10-15 seconds just in case someone verifies the email while logged in.

    2
  • M

    Oh oh I assumed they had access after login, good to know! [solved] 🙂

    0
  • LeeML

    Sorry to hijack this post, but this advice isn't quite right?

    Nodebb doesn't differentiate between a confirmed or unconfirmed user, they both occupy the same "registered users" group.

    For example on my forums, I offer downloadable files that are only available to registered users, which is ok because guests can't view or download the files, but suppose someone uses a fictional email address? They gain access .... even though they haven't confirmed their address.

    Access control would work as expected if there was an "email confirmed" user group.

    Regards, Lee 😄

    0
  • ?

    I'm going to bump this year old topic to see if it can get more attention. I really feel that NodeBB should differentiate between a registered user, and a user who still needs to validate their email.

    While these accounts can't post, they can access all sorts of content that I have open to regular user accounts. A work around would to be a secondary group, reward promotion and require something like an introduction post, but this is by no means the standard procedure on a forum.

    guoG 1 Reply
    1
  • aldrinvA
    This post is deleted!
    0
  • guoG

    @A-Former-User said in Registering - Force email confirmation?:

    I'm going to bump this year old topic to see if it can get more attention. I really feel that NodeBB should differentiate between a registered user, and a user who still needs to validate their email.

    While these accounts can't post, they can access all sorts of content that I have open to regular user accounts. A work around would to be a secondary group, reward promotion and require something like an introduction post, but this is by no means the standard procedure on a forum.

    I know it is an old topic, can anyone give some hints on how to create a group for registered users without email validation? Although this kind of users are not able to post, they can view topics just like the registered one while a guest cannot. 🤠

    guoG 1 Reply
    0
  • guoG

    @guo said in Registering - Force email confirmation?:

    @A-Former-User said in Registering - Force email confirmation?:

    I'm going to bump this year old topic to see if it can get more attention. I really feel that NodeBB should differentiate between a registered user, and a user who still needs to validate their email.

    While these accounts can't post, they can access all sorts of content that I have open to regular user accounts. A work around would to be a secondary group, reward promotion and require something like an introduction post, but this is by no means the standard procedure on a forum.

    I know it is an old topic, can anyone give some hints on how to create a group for registered users without email validation? Although this kind of users are not able to post, they can view topics just like the registered one while a guest cannot. 🤠

    I dig into the code and try to avoid users without email validation from reading posts.
    In src/controllers/api.js, I made some changes as:

    apiController.getPostData = async function (pid, uid) {
	const [userPrivileges, post, voted, userData] = await Promise.all([
		privileges.posts.get([pid], uid),
		posts.getPostData(pid),
		posts.hasVoted(pid, uid),
		user.getUserFields(uid, ['email:confirmed']), // add
	]);
	if (!post) {
		return null;
	}
	Object.assign(post, voted);

	const notConfirmed = meta.config.requireEmailConfirmation && !userData['email:confirmed']; // add

	const userPrivilege = userPrivileges[0];
	if (!userPrivilege.read || !userPrivilege['topics:read'] || notConfirmed) { // add
		return null;
	}

	post.ip = userPrivilege.isAdminOrMod ? post.ip : undefined;
	const selfPost = uid && uid === parseInt(post.uid, 10);
	if (post.deleted && !(userPrivilege.isAdminOrMod || selfPost)) {
		post.content = '[[topic:post_is_deleted]]';
	}
	return post;
};

    But it is of no avail. I am a nodejs newbie, can anyone give some advises?

    0
  • barisB

    You will need to add it to the topic controller as well. https://github.com/NodeBB/NodeBB/blob/master/src/controllers/topics.js

    A better way to do this is to write a plugin and alter topics:read privilege to false if the email is not confirmed.

    I added 2 hooks for this in https://github.com/NodeBB/NodeBB/commit/d080c7b04c83a6c2925d8a61f26dc268829afdc2.

    Here is how it would be used in a plugin

    // this handles multiple users for a single privilege/category
myPlugin.isUsersAllowedTo = async function (hookData) {
	if (meta.config.requireEmailConfirmation && hookData.privilege === 'topics:read') {
		const userData = await user.getUsersFields(hookData.uids, ['email:confirmed']);
		hookData.allowed = userData.map((data, index) => hookData.allowed[index] && data['email:confirmed']);
	}
	return hookData;
};

// this handles single user for multiple privileges or categories
myPlugin.isUserAllowedTo = async function (hookData) {
	if (meta.config.requireEmailConfirmation) {
		const emailConfirmed = await user.getUserField(hookData.uid, 'email:confirmed');
		if (Array.isArray(hookData.privilege) && hookData.privilege.includes('topics:read')) {
			const index = hookData.privilege.indexOf('topics:read');
			hookData.allowed[index] = hookData.allowed[index] && emailConfirmed;
		} else if (Array.isArray(hookData.cid) && hookData.privilege === 'topics:read') {
			hookData.allowed = hookData.cid.map((cid, index) => hookData.allowed[index] && emailConfirmed);
		}
	}
	return hookData;
};
    guoG 1 Reply
    0
  • guoG

    @baris Wow, thanks for your detailed input. 👍 Hope I can contribute to the community soon after.

    0

Suggested Topics

  • D

    It's difficult for QQ Email to receive confirmation letter

    General Discussion
    0 Votes
    5 Posts
    318 Views
    gotwfG

    @julian One place the lay person can check is Talos Intelligence. My network engineer buddy w/Crisco certs up the arse reports that their paid stuff is the snizzle. I only use the freebies so cannot comment. I just checked community.nodebb.org and the email rep is reported as neutral. Ditto all my stuff. Which may just mean we're both too hole in the wall to have had much, if any, or our stuff captured in their honey pots. In any event, there's one place to check. I hear used by lots of corp types so maybe just enough to know that you're not on their naughty list. Talos has DDos measures in place, so don't everyone /. that at once. Heck, I'll just post a screenshot:

    0ff126fc-b955-4294-bdfe-f22dbcb7552c-image.png

    Maybe remedy the forward/reverse DNS but otherwise all good. Well, community.nodebb.org does not actually send email. So let's check Sendgrid while we're at it, eh? Surveying a few incoming from the Robot, I note they're all coming from same MX, at least to my mail servers:

    e6d73cfc-ea3b-452c-a5d1-213a308b77f7-image.png

    Looks just fine and dandy. 🙂

    So what about their other thousands of MX's? Well, just enter sendgrid.net to check and then scroll and page away. Most all is either good or positive. Indeed, the only "poor" ratings I noted were from democrats.org. And in that instance, pretty much all of the several I checked were on the naughty list. For whatever that may be worth: Mainly, that modern days Presidential Erections seem to spawn the lion's share of miscreants crawling out of the woodwork, irrespective of party (cuz I have tons of GOP stuff in my server logs so let's not make this about party politics).

    And for some levity, I could not find Gilda Radner's infamous skit online but here's the text:

    Emily Litella: What’s all this fuss I’ve been hearing about the 1976 presidential erection? Now, I know they erected a monument for Mr. Lincoln and President Washington, but that’s because they’re DEAD! Hopefully, the 1976 President won’t be DEAD! So he won’t NEED an erection! If Americans are going to spend money to erect anything, why don’t we tear down those nasty slums and erect luxury high rises for poor people and senior citizens! Not for presidents who can afford to pay for their OWN erections!

    Chevy Chase: Miss Litella --

    Emily Litella: I can’t believe the way things are turning out in this country -- what?

    Chevy Chase: I'm sorry. That’s election. The editorial was about the presidential election, not the presidential erection. Election.

    Emily Litella: Oh, that’s very different.

    Chevy Chase: Yes.

    Emily Litella: Never mind.

    Chevy Chase: And that's the news. Good night. Good night, and have a pleasant tomorrow.

    For the youngsters in the crowd, if you've never seen this, prepare to literally bust a gut laughing your arse's off.

    Or.... eh... Never mind... ✌

    Update: Foregoing is meant to be informational and no sleight on Sendgrid. Could just as well be any provider. Because.... there's always a sub population of miscreants who will try to exploit the hard work of others for jollies, profit, etc.

  • T

    force https

    General Discussion
    0 Votes
    5 Posts
    1482 Views
    T

    @hariom-vashisth Thank you

  • A

    Auto confirm existing users

    General Discussion
    3 Votes
    1 Posts
    1278 Views
    A

    So is there a reliable way to set all current members as account confirmed, so they don't have to confirm their accounts, but all new members do?

  • O

    Can't get Emailer (Local) working with Exchange SMTP server

    General Discussion
    1 Votes
    3 Posts
    2764 Views
    A

    @optimus ACP > Advanced > Logs. Should get a message about sending email X to uid Y. E.G test email to uid 1 etc.

  • D

    Email Notification Support

    General Discussion
    0 Votes
    12 Posts
    6409 Views
    scottalanmillerS

    @julian said:

    That's a shame, really, because Outlook (and Outlook Express) was just so terrible at managing email. I got my parents switched off of that years ago though, so haven't looked at Thunderbird since.

    These days nearly everyone uses web mail. Whether it is Zimbra or OWA, the quality of webmail has gotten so good that rarely do you want to do anything else except on your mobile devices. And if you want to go offline, Exchange uses to expect to go to Outlook and Zimbra has its own client too. The number of "working offline on non-mobile devices IMAP users" are dwindling. Thunderbird and Evolution cover that gap pretty well.

Copyright © 2023 NodeBB | Contributors