amondel2
commented
8 years ago I would like nothing to require e-mail validation, since one of the current project I am working on, there is no mail server. Overriding the register action of the RegisterController is easy enough to avoid e-mail if you just create this configuration option locally and then do an if/else case. The real security issues comes in with trying to make sure people can use the Forgot Password functionality. I am going to work around that by using challenge questions and as a fall back if they forget the challenge questions then tell the user to e-mail an admin.
Ignoring the issues with Forget Password there are four use cases where email validation comes into the picture. Validation on registration only, Never use e-mail validation, Validation for both registration and forgot password, and l validation on Forget Password only.
One option would be to make two properties like you have suggested. grails.plugin.springsecurity.register.requireEmailValidation=True/False (default True) grails.plugin.springsecurity.forgot.requireEmailValidation=True/False (default True)
The issue comes in if there are new e-mail validation flows added in the future, then we have to keep adding new properties. The other option would be a generic configuration property named grails.plugin.springsecurity.requireEmailValidation which would be a list of flows where you want e-mail enabled. The default would be grails.plugin.springsecurity.requireEmailValidation= [REGISTRATION, FORGOT]. Then if more e-mail flows are added in the future, the list of Values would be updated. For my use-case of never wanting e-mail I would make the config an empty list or null, which not matter how many new flows where added would never use e-mail. Applications using the default additionally wouldn’t need to make any changes. It would cause each application that wanted a partial e-mail validation to consider e-mail validation if a new flow was added and e-mail validation would be disabled until it was added since you were overriding the plugin default config, this maybe a good until since each developer can evaluate if the application warrants having e-mail validation turned on.
In circling back to the Forgot Password I think by default it should not allow password rests if e-mail validation is disabled. I would think you want to tell users to email some address that you can put in by customizing a view or would require the developer to override the controller action with an alternate flow (as I am doing).
I would want Burt/Graeme to weight in before I made a Pull request to determine how they would envision such a feature, if they would even accept a Pull request for it.
ddelponte
It appears that email validation for new users is required. This is not ideal for development and testing. It would be very helpful to be able to control this feature via a configuration. For example: grails.plugin.springsecurity.register.requireEmailValidation=True/False (default True)