Closed enewe101 closed 9 years ago
If users login without their email validated, they are forwarded to a page saying they need to validate their email. They can initiate a new email to be sent to do validation.
Any posts, whether ajax or normal syncronous posts, will be rejected by the server if the logged in user is doesn't have a validated email.
In all the places where Tooltips are given saying "you must login" for non-logged in users, analogous tooltips are given saying "you must validate your email" for users that are logged in without email validated.
Attempting to view pages that require login, when logged in but with invalid email, causes redirection to the page saying they need to validate their email.
Testes ensure that all login-required posts and views prevent access / processing for users without validated email.
Right now, when a new user signs up, an email is sent out to the email that they provided with a special link, which, when clicked, proves that they really have access to the email account they gave. Initially the
UserProfile
entry for that user hasemail_validated == False
, and clicking it sets it toTrue
. But, there's no enforcement if a user withemail_validated==False
tries to sign in.Here is what should happen instead. If a user provides valid credentials but has
email_validated == False
, they should not be logged in using the auth middleware. They should instead be redirected to a page that allows them to resend the confirmation email.