dannywillems
commented
7 years ago @vasilisp Any idea? @canonici?
Open dannywillems opened 7 years ago
dannywillems
commented
7 years ago @vasilisp Any idea? @canonici?
vasilisp
commented
7 years ago I don't remember discussing this with @canonici, but my understanding of the code is that we want to prevent registering with the same e-mail multiple times without ever following the activation link. Maybe to prevent automated "bombing" of a certain e-mail address (and associated saturation of our DB)? Looks reasonable, but I am not sure how we are supposed to call preregister_handler.
canonici
commented
7 years ago I don't know about preregistering. @pwbs was working on revamping the activation link system back then and we only had one way to handle activation keys. The problem was that if a user adds an email to his account, the server sends an activation link to the provided email, but as you can see in
add_email_handler line 367 in os_handlers.eliom:
send_action_link ~autoconnect:true msg Os_services.main_serviceWe validate the email and autoconnect the user if he clicks on the activation link, thus if a user mistyped the email he wanted to add and didn't pay attention, we can end up in a scenario where someone else can gain access to his account.
So I think that what we want would be more like this:
send_action_link ~autoconnect:false msg Os_services.main_serviceor
send_action_link msg Os_services.main_serviceAny user clicking on the activation link would validate the email but would still have to connect to gain access to the account.
pwbs
commented
7 years ago Currently, when autoconnect is true (and the key is still valid):
If the key is not valid anymore, the value of autoconnect has no effect.
While implementing multi-email, there was an idea about "preregistering". @canonici could you explain what was your idea?
For the moment, there are some functions around the concept of preregistering but not really used.