Allura doesn't currently require an email address for user registration. There should be an option to require it. We have an option called
auth.require_email_addr which is enforced on the /auth/preferences page, so we could use the same setting to control how user registration works.
Users should be in a 'pending' state (new flag) initially, and system should send a password verification email (similar to what we already do on /auth/preferences). After that email is verified, user is no longer pending.
We will have to update many places in the code to check the new 'pending' state. Probable best to search everywhere users are searched by 'disabled' or
someuser.disabled is checked, and determine if the pending flag needs to be checked too. Since pending users shouldn't be allowed to do anything yet.
Log in to post a comment.