demexp-dev
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Demexp-dev] New registration /login protocol


From: David MENTRE
Subject: Re: [Demexp-dev] New registration /login protocol
Date: Fri, 13 Oct 2006 09:07:01 +0200

Hi Augustin,

2006/10/11, Augustin <address@hidden>:
1- new Drupal user, new/existing demex user.
***********

A person want to register at the drupal site and get/set up a demexp account
at the same time. A few more fields can be added later to allow the user to
make a request for a demexp account at the same time.
-> this is not coded yet, as the rest is sufficient for now.

Yes, the current procedure should be sufficient for now.

If I understood correctly, a new user should first create a Drupal
account and then ask for a demexp vote account. Correct?

2- existing Drupal user, existing demexp user.
***********

A Drupal user who already has a demexp account (this will be the most common
case for the first 40-ish Drupal users, because the current members will be
the firsts to register a Drupal account).
For them, they are asked to login (thereby proving they know the demexp
username and corresponding password). If the login is successful, the account
is put on hold, not yet activated.

YOU are sent an email. In this email, you have the Drupal user's email, their
demexp account name and an activation link with a  key.

Ok, that works (or /nearly/ works ;-).

If the email you have for the Drupal account is the same as the email you have
on file for the demexp account are the same, then you can use the validation
key yourself to activate their voting rights on the site. They will see the
difference next time they browse the site.
You may email them to tell them.

ok.

If the two emails are different, then you send the activation key with a nice
letter, to the email you have on file for the demexp account holder.
The user can then activate the account themselves.

Ok.

But what should I do for the first requester that has the wrong email
(i.e. not in my file)?

There is no confirmation screen when activating the account, but I should add
one.

You've added one, thanks.

Apart from husband & wife, and parents & children, I don't know anybody who
share their email regularly, and especially not with untrusted persons.
If we can verify the email is the same, or if the Drupal user can use the
confirmation key in the email you'll send them, then that's the best
authentication we can do at this stage.

I agree.

3- existing Drupal user, new demexp user.
***********

A Drupal user who does not have a demexp account yet (it will probably be the
most comment scenario when we become popular).
They can use the form online to ask for a demexp account.
When they submit the form, YOU will receive an email, with their email
address, their real, full name (which I do NOT store on the site!), and a
small comment with their PGP key is they have one.

Very nice design (the PGP/GPG key and the full name not stored).

You will also get a creation/activation key. You must be logged in into your
own Drupal account to use this key.

Yep.

By following the link, you will be asked to enter the demexp account name.
Submit and the account name is saved, and the voting rights are activated.
You must sent the user an email as usual with the password, etc.

Ok.

What should I do if i *don't* want to activate the account?


4- The email of the 'official demexp account manager' is configurable. This
person also needs a special right to be able to activate the account online.
David is this person today, the only one to have this right on the site but
can be someone else later.

Ok. At one point in the future, we will probably need several
'official demexp account managers' on Drupal. But we could use an
alias email for that.

5- The system is designed so that the 'official demexp account manager' does
not know which Drupal user they are activating the account for. So, later, an
'account manager' who does not have a direct access to the server, does not
need to know the real identity the drupal users. Their job is only to manage
demexp accounts.

Nice design.

6- This is important for what may be implemented much later.
Ketty read my mind earlier this week (or last week). My proposal for a more
secure account verification protocol, the proposal I said I would tell you
more about later, DID include setting up something that could become a third
party account verification system.... but I still don't want to talk about
details now (we still have much more urgent work to do).

Ok. This is interesting stuff where I don't know much.

7- Once setup, the demexp account name cannot be changed. (at least, not now).
I.E., it is set up and the account is activated when the identity is
verified, but then it stays the same. Without this activation, the user
cannot vote on the web.

That might be an issue (not sure). We will see. In the meantime, I
suppose it is possible to hack the database to fix such issue?

8- The same demexp user name can only be used once in the drupal site.

Ok.

9- When login in, users are given the choice between convenience, or security:
remember the password or not. Try the different options, and you will notice
several differences of behavior, even after you log out. I store the password
on the DB only if they ask me to. This option can be reverted later, and the
password will be deleted from the DB.

You mean, the demexp account password?

Once again, nice design.

10- Technically, I no longer use the profile.module for this. Its behavior was
a bit buggy, and not flexible enough for this. I have create my own
demexp_users table in the DB and handle it directly.

ok.

11- When browsing the site, reload the page so you download the updated
version of style.css.

ACK

Please, do try to test all options. Try entering the wrong username, the wrong
password, etc... If you do anything wrong, the system should handle it
properly.

I've started that. ;-)

Also, take good notice of all the English messages. If we want to translate
later on, the English strings must be stable, and clear enough. If we change
the English description in the code AFTER the translation has been done, the
translation will be lost.

How is the translation handled in Drupal?


Once again, many thanks for the hard work. There are some bugs to fixe
or small details to polish but overall the design and working seems
pretty functional to me.

Best wishes,
d.




reply via email to

[Prev in Thread] Current Thread [Next in Thread]