[Demexp-dev] New registration /login protocol
Wed, 11 Oct 2006 21:53:46 +0800
Hello David and all,
I completely rewrote the official account registration part.
I have uploaded the updated module. I hope that what I have done is enough for
Your main concerns were twofold:
1) not have several Drupal users with the same demexp account.
2) make sure that the Drupal account holder is the same as the person who
asked for the demexp account. We don't know whether it is their real name,
but we can at least make sure it is the same person.
3) You suggested adding a few fields in the Drupal registration form to ask
for / enter the demexp account at the same time. This is a good idea, and it
is possible, but I may implement this only in stage 2 (what I implemented
below took me enough time as it is!).
There are different scenarios:
1- new Drupal user, new/existing demexp user.
A person wants to register at the drupal site and get/set up a demexp account
at the same time. A few more fields can be added later to allow the user to
make a request for a demexp account at the same time.
-> this is not coded yet, as the rest is sufficient for now.
2- existing Drupal user, existing demexp user.
A Drupal user who already has a demexp account (this will be the most common
case for the first 40-ish Drupal users, because the current members will be
the first to register a Drupal account).
For them, they are asked to login (thereby proving they know the demexp
username and corresponding password). If the login is successful, the account
is put on hold, not yet activated.
YOU are sent an email. In this email, you have the Drupal user's email, their
demexp account name and an activation link with a key.
If the email you have for the Drupal account and the email you have
on file for the demexp account are the same, then you can use the validation
key yourself to activate their voting rights on the site. They will see the
difference next time they browse the site.
You may email them to tell them.
If the two emails are different, then you send the activation key with a nice
letter, to the email you have on file for the demexp account holder.
The user can then activate the account themselves.
There is no confirmation screen when activating the account, but I should add
Apart from husband & wife, and parents & children, I don't know anybody who
shares their email regularly, and especially not with untrusted persons.
If we can verify the email is the same, or if the Drupal user can use the
confirmation key in the email you'll send them, then that's the best
authentication we can do at this stage.
3- existing Drupal user, new demexp user.
A Drupal user who does not have a demexp account yet (it will probably be the
most common scenario when we become popular).
They can use the form online to ask for a demexp account.
When they submit the form, YOU will receive an email, with their email
address, their real, full name (which I do NOT store on the site!), and a
small comment with their PGP key if they have one.
You will also get a creation/activation key. You must be logged into your
own Drupal account to use this key.
By following the link, you will be asked to enter the demexp account name.
Submit and the account name is saved, and the voting rights are activated.
You must send the user an email as usual with the password, etc.
A few more interesting points:
4- The email of the 'official demexp account manager' is configurable. This
person also needs a special right to be able to activate the account online.
David is this person today, the only one to have this right on the site, but it
can be someone else later.
5- The system is designed so that the 'official demexp account manager' does
not know which Drupal user they are activating the account for. So, later, an
'account manager' who does not have a direct access to the server, does not
need to know the real identity of the drupal users. Their job is only to manage
6- This is important for what may be implemented much later.
Ketty read my mind earlier this week (or last week). My proposal for a more
secure account verification protocol, the proposal I said I would tell you
more about later, DID include setting up something that could become a third
party account verification system.... but I still don't want to talk about
details now (we still have much more urgent work to do).
7- Once setup, the demexp account name cannot be changed. (at least, not now).
i.e., it is set up and the account is activated when the identity is
verified, but then it stays the same. Without this activation, the user
cannot vote on the web.
8- The same demexp user name can only be used once in the drupal site.
9- When logging in, users are given the choice between convenience or security:
remember the password or not. Try the different options, and you will notice
several differences of behavior, even after you log out. I store the password
on the DB only if they ask me to. This option can be reverted later, and the
password will be deleted from the DB.
10- Technically, I no longer use the profile.module for this. Its behavior was
a bit buggy, and not flexible enough for this. I have created my own
demexp_users table in the DB and handle it directly.
11- When browsing the site, reload the page so you download the updated
version of style.css.
Please, do try to test all options. Try entering the wrong username, the wrong
password, etc... If you do anything wrong, the system should handle it
Also, take good notice of all the English messages. If we want to translate
later on, the English strings must be stable, and clear enough. If we change
the English description in the code AFTER the translation has been done, the
translation will be lost.
So, please suggest a better wording in English, where it is necessary.
Because we and the world need to change.
Intimate Relationships, peace and harmony in the couple.
Revolutionary Psychology, White Tantrism, Dream Yoga...
Condorcet, Approval alternative, better voting methods.
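The protocol described in the mail above (scenario 2: login then on-hold link plus manager key; scenario 3: request then manager-entered account name; points 5, 7 and 8: manager mail without the Drupal identity, single-use activation, one demexp name per Drupal user), modelled as an added Python example. This is not the Drupal module's code: `Registry`, `Link`, `route_key`, `MANAGER` and the `demexp_check` callback are assumed names, the in-memory dicts stand in for the `demexp_users` table, and the outbox list stands in for the mails the module sends.

```python
# Added illustration, not the Drupal module's own code: an in-memory model of the
# registration/activation protocol described in the mail. Assumptions: MANAGER,
# Registry, Link, route_key and demexp_check are hypothetical names; the real
# module keeps this state in its demexp_users table and sends mail through Drupal.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MANAGER = "manager@demexp.example"  # constructed stand-in for the configurable manager address


@dataclass
class Link:
    """One row of the demexp_users table: which demexp account a Drupal user is tied to."""
    drupal_uid: int
    demexp_name: Optional[str] = None          # stays None until the manager enters it (scenario 3)
    activated: bool = False                    # voting rights on the web site
    key: str = field(default_factory=lambda: secrets.token_hex(16))  # single-use activation key


class Registry:
    def __init__(self) -> None:
        self.links: Dict[int, Link] = {}       # drupal_uid -> Link
        self.pending: Dict[str, Link] = {}     # activation key -> Link (removed once used)
        self.outbox: List[dict] = []           # mails "sent" to the manager, kept so a test can read them

    def _assert_unused(self, demexp_name: str) -> None:
        # Point 8: a demexp user name can be linked to only one Drupal account.
        if any(l.demexp_name == demexp_name for l in self.links.values()):
            raise ValueError("demexp account already linked to a Drupal user")

    def _find_pending(self, key: str) -> Optional[Link]:
        # Compare keys in constant time rather than with a plain dict lookup.
        for k, link in self.pending.items():
            if hmac.compare_digest(k, key):
                return link
        return None

    def link_existing(self, drupal_uid: int, drupal_email: str, demexp_name: str,
                      password: str, demexp_check: Callable[[str, str], bool]) -> str:
        """Scenario 2: the Drupal user proves they know the demexp login; the link is
        created on hold and the manager gets the key by mail."""
        if drupal_uid in self.links:
            raise ValueError("Drupal user already linked")
        if not demexp_check(demexp_name, password):
            raise PermissionError("demexp login failed")
        self._assert_unused(demexp_name)
        link = Link(drupal_uid, demexp_name)
        self.links[drupal_uid] = link
        self.pending[link.key] = link
        # Point 5: the mail carries the Drupal e-mail, demexp name and key, not the Drupal uid.
        self.outbox.append({"to": MANAGER, "drupal_email": drupal_email,
                            "demexp_name": demexp_name, "key": link.key})
        return link.key

    def request_new(self, drupal_uid: int, drupal_email: str, full_name: str, comment: str) -> str:
        """Scenario 3: the Drupal user asks for a new demexp account. The real name is
        mailed to the manager but never stored in the table."""
        if drupal_uid in self.links:
            raise ValueError("Drupal user already linked")
        link = Link(drupal_uid)                # demexp_name still unknown
        self.links[drupal_uid] = link
        self.pending[link.key] = link
        self.outbox.append({"to": MANAGER, "drupal_email": drupal_email,
                            "full_name": full_name, "comment": comment, "key": link.key})
        return link.key

    def activate(self, key: str, demexp_name: Optional[str] = None,
                 actor_is_manager: bool = False) -> Link:
        """Use an activation key once. A creation key (scenario 3) only works for the
        logged-in manager, who must supply the demexp account name."""
        link = self._find_pending(key)
        if link is None:
            raise PermissionError("unknown or already used key")
        if link.demexp_name is None:
            if not actor_is_manager or not demexp_name:
                raise PermissionError("creation keys require the account manager")
            self._assert_unused(demexp_name)
            link.demexp_name = demexp_name
        link.activated = True
        del self.pending[key]   # point 7: the name is set once; the key cannot be replayed
        return link


def route_key(mail: dict, demexp_email_on_file: str) -> str:
    """Manager's decision rule from scenario 2: same address -> the manager activates
    directly; otherwise the key is sent to the address on file for the demexp holder."""
    if mail["drupal_email"].lower() == demexp_email_on_file.lower():
        return MANAGER
    return demexp_email_on_file
```

Two choices in the model carry the mail's security intent: the manager's mail and the `Link` row never hold the user's real name or Drupal uid together, and every key is removed from `pending` on first use, so a key that leaks after activation buys nothing. The constant-time key comparison is an addition beyond the mail, written so that a future account manager without server access cannot distinguish "wrong key" from "nearly right key" by timing.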