Registering - Force email confirmation?



  • Hey I'm about to go in Production in the next few days.
    I want to make sure that user verify their email address before being able to login.

    I checked "Require Email confirmation" in Admin panel Settings/User, but the user can still login in before he has clicked the link in the confirmation mail.
    Is there a way to not let the user login like that?
    Thanks



  • It will let them login. But nothing else. So they cant post or access anything that you've denied access to to registered members. Probably should be a check on login though. Or at least something that's checked every 10-15 seconds just in case someone verifies the email while logged in.



  • Oh oh I assumed they had access after login, good to know! [solved] 🙂



  • Sorry to hijack this post, but this advice isn't quite right?

    Nodebb doesn't differentiate between a confirmed or unconfirmed user, they both occupy the same "registered users" group.

    For example on my forums, I offer downloadable files that are only available to registered users, which is ok because guests can't view or download the files, but suppose someone uses a fictional email address? They gain access .... even though they haven't confirmed their address.

    Access control would work as expected if there was an "email confirmed" user group.

    Regards, Lee 😄



  • I'm going to bump this year old topic to see if it can get more attention. I really feel that NodeBB should differentiate between a registered user, and a user who still needs to validate their email.

    While these accounts can't post, they can access all sorts of content that I have open to regular user accounts. A work around would to be a secondary group, reward promotion and require something like an introduction post, but this is by no means the standard procedure on a forum.



  • This post is deleted!


  • @A-Former-User said in Registering - Force email confirmation?:

    I'm going to bump this year old topic to see if it can get more attention. I really feel that NodeBB should differentiate between a registered user, and a user who still needs to validate their email.

    While these accounts can't post, they can access all sorts of content that I have open to regular user accounts. A work around would to be a secondary group, reward promotion and require something like an introduction post, but this is by no means the standard procedure on a forum.

    I know it is an old topic, can anyone give some hints on how to create a group for registered users without email validation? Although this kind of users are not able to post, they can view topics just like the registered one while a guest cannot. 🤠



  • @guo said in Registering - Force email confirmation?:

    @A-Former-User said in Registering - Force email confirmation?:

    I'm going to bump this year old topic to see if it can get more attention. I really feel that NodeBB should differentiate between a registered user, and a user who still needs to validate their email.

    While these accounts can't post, they can access all sorts of content that I have open to regular user accounts. A work around would to be a secondary group, reward promotion and require something like an introduction post, but this is by no means the standard procedure on a forum.

    I know it is an old topic, can anyone give some hints on how to create a group for registered users without email validation? Although this kind of users are not able to post, they can view topics just like the registered one while a guest cannot. 🤠

    I dig into the code and try to avoid users without email validation from reading posts.
    In src/controllers/api.js, I made some changes as:

    apiController.getPostData = async function (pid, uid) {
    	const [userPrivileges, post, voted, userData] = await Promise.all([
    		privileges.posts.get([pid], uid),
    		posts.getPostData(pid),
    		posts.hasVoted(pid, uid),
    		user.getUserFields(uid, ['email:confirmed']), // add
    	]);
    	if (!post) {
    		return null;
    	}
    	Object.assign(post, voted);
    
    	const notConfirmed = meta.config.requireEmailConfirmation && !userData['email:confirmed']; // add
    
    	const userPrivilege = userPrivileges[0];
    	if (!userPrivilege.read || !userPrivilege['topics:read'] || notConfirmed) { // add
    		return null;
    	}
    
    	post.ip = userPrivilege.isAdminOrMod ? post.ip : undefined;
    	const selfPost = uid && uid === parseInt(post.uid, 10);
    	if (post.deleted && !(userPrivilege.isAdminOrMod || selfPost)) {
    		post.content = '[[topic:post_is_deleted]]';
    	}
    	return post;
    };
    

    But it is of no avail. I am a nodejs newbie, can anyone give some advises?


  • Admin Staff

    You will need to add it to the topic controller as well. https://github.com/NodeBB/NodeBB/blob/master/src/controllers/topics.js

    A better way to do this is to write a plugin and alter topics:read privilege to false if the email is not confirmed.

    I added 2 hooks for this in https://github.com/NodeBB/NodeBB/commit/d080c7b04c83a6c2925d8a61f26dc268829afdc2.

    Here is how it would be used in a plugin

    // this handles multiple users for a single privilege/category
    myPlugin.isUsersAllowedTo = async function (hookData) {
    	if (meta.config.requireEmailConfirmation && hookData.privilege === 'topics:read') {
    		const userData = await user.getUsersFields(hookData.uids, ['email:confirmed']);
    		hookData.allowed = userData.map((data, index) => hookData.allowed[index] && data['email:confirmed']);
    	}
    	return hookData;
    };
    
    // this handles single user for multiple privileges or categories
    myPlugin.isUserAllowedTo = async function (hookData) {
    	if (meta.config.requireEmailConfirmation) {
    		const emailConfirmed = await user.getUserField(hookData.uid, 'email:confirmed');
    		if (Array.isArray(hookData.privilege) && hookData.privilege.includes('topics:read')) {
    			const index = hookData.privilege.indexOf('topics:read');
    			hookData.allowed[index] = hookData.allowed[index] && emailConfirmed;
    		} else if (Array.isArray(hookData.cid) && hookData.privilege === 'topics:read') {
    			hookData.allowed = hookData.cid.map((cid, index) => hookData.allowed[index] && emailConfirmed);
    		}
    	}
    	return hookData;
    };
    


  • @baris Wow, thanks for your detailed input. 👍 Hope I can contribute to the community soon after.


Log in to reply
 

Suggested Topics

| |