ezl / hnofficehours

HN Office Hours
http://hnofficehours.com
MIT License

Vanilla django auth + hn profile validation #5

Closed sierranevadan closed 14 years ago

sierranevadan commented 14 years ago

Should non HN users be allowed to create accounts? We can restrict this by keeping django account is_active = False until hn profile validation occurs.

sierranevadan commented 14 years ago

Will we allow people who don't validate their HN profile to use the site? If not, what purpose does HN profile validation serve? Can I "steal" patio11 as my screen name for the site? If anyone can use it, then that means completely unaffiliated, non-HN people can use this site. Or maybe people all get a randomly assigned username until they validate, then we change their username to their HN name? (Another point, maybe "office hours for anything" is a separate startup, i.e. democratizing sharing of expertise, or "making consulting easy".)

ezl commented 14 years ago

http://news.ycombinator.com/item?id=1579176 @sierranevadan -- I'm partial to restricting the service to HN users. Anyone can view office hours, but to create an account you have to validate by pasting some key in your HN profile once.

vanilla django registration, with User.is_active = False. If the user pastes the key in their hn profile we set is_active = True.

It's unclear to me whether ANYONE should be able to view office hours or just authenticated users. Maybe we show that the office hours exist and the skills of the person, but we leave out contact information and the username of the office hours holder unless they're authenticated.

ezl commented 14 years ago

After some discussion, it's been decided that the way to approach this is to close the service to non-HN users for now.

Proposed registration: when a user clicks "register", they are taken to a page with a random key, an input box, and a submit button. The user is asked to paste the key in their HN profile, type their HN username, and hit submit. We curl the page and verify that you are indeed said user. On success, you are prompted to enter your password, and account creation is complete.

This will also be the mechanism for reclaiming accounts if passwords are forgotten.

The registration mechanism is slightly unorthodox, but more suited to our needs for serving specifically the HN community.

sierranevadan commented 14 years ago

Can the "random key" be a URL (with a random parameter) that forwards to their hnofficehours profile? That way, it won't be just a random string in their HN profile.

ezl commented 14 years ago

@sierranevadan: I think that's a great idea.

we'd also only require that key to be there when we check it, after which it can be removed without consequence

rz commented 14 years ago

I like the idea of only requiring the key to be there when we check it. I'd rather not worry about the url that forwards, etc. The key can be removed from their profile as soon as our registration view completes.

crccheck commented 14 years ago

completed
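
The key-in-profile check discussed in this thread, as an added sketch that is not the project's code. It assumes the key is bound to the visitor's session, expires after 15 minutes, and is consumed on first success; `ProfileKeyVerifier`, `fetch_profile`, the username pattern and the sample profile are hypothetical names and constructed data, and the real profile fetch is left to the injected callable.

```python
import re
import secrets
import time

KEY_TTL_SECONDS = 15 * 60  # assumed lifetime of an unverified key
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{2,15}")  # assumed HN username shape


class ProfileKeyVerifier:
    """Issues one-time keys and checks them against a fetched HN profile."""

    def __init__(self, fetch_profile, now=time.time):
        self._fetch = fetch_profile  # callable: username -> profile text or None
        self._now = now
        self._pending = {}  # session id -> (key, expiry timestamp)

    def issue_key(self, session_id):
        key = "hnoh-" + secrets.token_hex(16)  # 128 random bits, HTML-safe
        self._pending[session_id] = (key, self._now() + KEY_TTL_SECONDS)
        return key

    def verify(self, session_id, username):
        """True only if this session's live key appears in that user's profile."""
        if not USERNAME_RE.fullmatch(username or ""):
            return False  # never build a profile fetch from unchecked input
        key, expires = self._pending.get(session_id, (None, 0))
        if key is None or self._now() > expires:
            self._pending.pop(session_id, None)  # drop expired keys
            return False
        profile = self._fetch(username)
        if profile is None or key not in profile:
            return False  # key stays pending so the user can retry
        del self._pending[session_id]  # single use: the key may now leave the profile
        return True


# Constructed sample data standing in for fetched profile pages.
SAMPLE_PROFILES = {"alice": "about: I build things."}


def demo():
    verifier = ProfileKeyVerifier(SAMPLE_PROFILES.get)
    key = verifier.issue_key("session-1")
    before = verifier.verify("session-1", "alice")  # key not pasted yet
    SAMPLE_PROFILES["alice"] += " " + key  # user pastes the key
    stolen = verifier.verify("session-2", "alice")  # other session holds no key
    after = verifier.verify("session-1", "alice")
    return before, stolen, after
```

Because the key is deleted on success, reusing the same flow for account recovery requires a fresh key each time, so a key left behind in a profile cannot be replayed.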