Open dannywillems opened 7 years ago
@vasilisp Any idea? @canonici?
I don't remember discussing this with @canonici, but my understanding of the code is that we want to prevent registering with the same e-mail multiple times without ever following the activation link. Maybe to prevent automated "bombing" of a certain e-mail address (and associated saturation of our DB)? Looks reasonable, but I am not sure how we are supposed to call preregister_handler
.
I don't know about preregistering. @pwbs was working on revamping the activation link system back then and we only had one way to handle activation keys. The problem was that if a user adds an email to his account, the server sends an activation link to the provided email, but as you can see in
add_email_handler line 367 in os_handlers.eliom:
send_action_link ~autoconnect:true msg Os_services.main_service
We validate the email and autoconnect the user if he clicks on the activation link, thus if a user mistyped the email he wanted to add and didn't pay attention, we can end up in a scenario where someone else can gain access to his account.
So I think that what we want would be more like this:
send_action_link ~autoconnect:false msg Os_services.main_service
or
send_action_link msg Os_services.main_service
Any user clicking on the activation link would validate the email but would still have to connect to gain access to the account.
Currently, when autoconnect
is true (and the key is still valid):
If the key is not valid anymore, the value of autoconnect
has no effect.
While implementing multi-email, there was an idea about "preregistering". @canonici could you explain what was your idea?
For the moment, there are some functions around the concept of preregistering but not really used.