gcivil-nyu-org / fall24-monday-team4


Authentication Possible without Submitting or Reviewing of any Documents by the new users #114

Open KarthikVV24-11-1999 opened 1 day ago

KarthikVV24-11-1999 commented 1 day ago

Accounts Used: Karthik, test2

Bug: Authentication possible without submitting documents

Steps Followed:

  1. Sign up for a new account and login into it
  2. Do not upload any documents as prompted, and logout immediately
  3. Login into an admin account
  4. Ensure that no new documents are uploaded for this new User in the User Documents Tab
  5. Search for the New User in the Manage Users tab and Authenticate Him/Her
  6. Check the email for the User to receive an email that says that "Congratulations! Our team has reviewed your submitted documents, and we are delighted to inform you that your account has been successfully verified. You can now log in and enjoy the full range of services that RoutePals provides"

Expected Results: Admin should not be allowed to authenticate the user without reviewing any submitted documents

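The missing check the report describes is a server-side guard on the approval action. The following is an added, stand-alone Python sketch (not code from the RoutePals project; `Document`, `User`, `DocStatus` and `verify_user` are hypothetical names standing in for the Django models and admin action) that puts the current permissive behaviour next to a hardened version which refuses to verify a user unless at least one of their documents has actually been reviewed, and records an audit line either way.

```python
from dataclasses import dataclass, field
from enum import Enum


class DocStatus(Enum):
    PENDING = "pending"      # uploaded, nobody has looked at it yet
    REVIEWED = "reviewed"    # an admin has checked it
    REJECTED = "rejected"


@dataclass
class Document:
    owner: str
    status: DocStatus


@dataclass
class User:
    username: str
    is_verified: bool = False
    documents: list = field(default_factory=list)


@dataclass
class VerifyResult:
    approved: bool
    reason: str


AUDIT_LOG: list[str] = []  # stand-in for the admin portal's log table


def verify_user_unchecked(admin: str, user: User) -> VerifyResult:
    """Behaviour reported in the issue: an admin can approve with no documents at all."""
    user.is_verified = True
    AUDIT_LOG.append(f"VERIFIED admin={admin} user={user.username} documents=0")
    return VerifyResult(True, "approved without document review")


def verify_user(admin: str, user: User) -> VerifyResult:
    """Hardened approval: pending or rejected uploads do not count, only reviewed ones."""
    reviewed = [d for d in user.documents if d.status is DocStatus.REVIEWED]
    if not reviewed:
        AUDIT_LOG.append(f"DENIED admin={admin} user={user.username} reason=no_reviewed_documents")
        return VerifyResult(False, "no reviewed documents on file")
    user.is_verified = True
    AUDIT_LOG.append(f"VERIFIED admin={admin} user={user.username} documents={len(reviewed)}")
    return VerifyResult(True, f"{len(reviewed)} reviewed document(s)")
```

Because the guard lives in the action itself rather than in the form, it holds regardless of which admin or which UI path triggers the approval.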

shashankdatta commented 23 hours ago

Not a bug, that's the functionality; the admin has all the rights to approve a user without a doc too.

But thank you for bringing this to our attention

KarthikVV24-11-1999 commented 14 hours ago

Again, it's an enhancement that you might want to consider here, because an admin, even though of greater privilege in the application, should not have full rights to accept anyone as a user without a recorded proof, especially because there may be tens, if not hundreds, of admins going through the application documents from an enormously large inflow of users when the app really grows in scale, and not all of them may actually be trustworthy. So, hence, to maintain the legitimacy of the application, I believe letting users in without verification is not optimal.

shashankdatta commented 14 hours ago

True, but we are keeping the features simple and testable without the need for students to upload their personal files given the S3 free usage constraints. We just gave an insight of what could be a great feature but not necessarily a strict guardrail.

Many of our inspirations were from successful educational platforms like Coursera and edX started with basic verification before evolving to more stringent systems as they scaled.

Nevertheless, our django admin portal system already includes logs of the documents that are uploaded and when so we can def track the users pretty quickly, which helps maintain accountability even without document verification.

But I get your point, we will definitely consider it if it is deemed necessary as we reach the final stages of the project. Thank you for the peer review though, really appreciate it.


KarthikVV24-11-1999 commented 14 hours ago

Thanks for your clarifications and insights. Appreciate the effort in due diligence.