
Item4896: Should email address be mandatory for (bulk) registration

Item Form Data

| AppliesTo | Component | Priority | CurrentState | WaitingFor | TargetRelease | ReleasedIn |
| Engine | | Normal | New | | n/a | |


Detail

Hi, in bulkregistration, when trying to add emails, the values aren't registered when the users are created. And by the way, I think that email should be a required field because otherwise you can't use the other bulk tools like bulkresetpassword. Regards. Eric.

-- TWiki:Main/EricCharikane - 27 Oct 2007

I just manually tested bulk registration, using the TWikiUserMapping user mapper, and the email addresses are added to .htpasswd as expected. Bulk registration is working correctly.

I suspect you are expecting to see them in the user topic, but that is not where they are stored.

The point about the email field being mandatory in registration is a good one, but is not a critical release blocker so downgrading to Normal status. I changed the headline from "In bulkregistration when trying to add emails the values aren't registred when the users are created".

CC

Crawford, in fact the email address was mandatory in 4.1.2 but it has disappeared in 4.2. You are right, I looked in the .htpasswd and saw the email addresses for the bulk registered people. So no bug here. But frankly I'm a bit surprised by the behaviour: I would expect that the extra fields (like email) used in the bulk registration process behave like the firstname and lastname, that is to say being stored and listed in the user topic, otherwise this is not logical! Why store two values and not the others? Then you need to do the job twice, don't you?

Regards, Eric

-- TWiki:Main.EricCharikane - 27 Oct 2007

The reason emails are not stored in public topics is exactly that - they are public. This is regarded as a security issue, so email addresses are no longer written to personal topics.

-- TWiki:Main.CrawfordCurrie - 28 Oct 2007

Hi Crawford, I understand the security issue in a public website when people register themselves, but for bulk registration, only an admin will do that. Then we can trust that if an admin is filling some fields in a bulk registration process he knows what he is doing and expects to see all his fields in the user topic, no? Regards, Eric

-- TWiki:Main.EricCharikane - 30 Oct 2007

Even with bulk registration the email address needs to go into the .htaccess file and NOT be made visible in the topic.

Bulk registration must work like individual registration. If an admin bulk registers a load of people, why should their email addresses suddenly be exposed? He must give a valid email address also when emails are private because without those in .htaccess the user can never reset his password or be notified about anything.

The NewUserTemplate has this in it for the same reason.

 

| E-mail | %USERIN%NOP%FO{"%TOPIC%" format="$emails"}% |

 

which becomes

 

E-mail  

and depending on the configure setting {AntiSpam}{HideUserDetails} either anyone can see the info or only the admins and the user himself.

If the user wants to display his email in public and often a disposable gmail account in the email field in the form, he can do this. Many register with one email address - the real one they want to keep safe, and put one in the form that they can later discard (if spamming gets too bad).

We had many long talks about this during the 4.0 development and the current design is the one that works the best and gives the best compromise between security and information.

So the only remaining question is - should email address in bulk registration be mandatory - i.e. the registration fails if no email addresses are given. Are there any situations where this will be a problem? And can you bulk register without email addresses?

-- TWiki:Main.KennethLavrsen - 30 Oct 2007

 

 

Dear Kenneth, thank you for this deep explanation.

Frankly, in fact, I didn't notice before that when you register by yourself your email address didn't appear in your own form the first time!!

So that said, I understand the security issue and fully agree with you, in public websites exposing an email must be a personal choice. I also agree with you when saying that the bulkregistration must behave like individual registration.

Now considering whether email address should or should not be mandatory in the bulkregistration process, here are my two arguments:

 

  • it is mandatory in the individual registration so if bulkregistration must behave like individual registration, email should also be mandatory;
  • having email mandatory in bulkregistration makes sure that people registered by bulk registration will be able to request a new password for first login, and it also gives the admin the possibility to use bulkreset password to have an automatic notification of the credentials to the new users.

I may also suggest adding a notice in the bulkregistration topic if email becomes mandatory, explaining that it is normal that the email address is not exposed in the user topic for security reasons but stored in the appropriate .htpasswd file.

Best regards, Eric

-- TWiki:Main.EricCharikane - 07 Nov 2007
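The two checks argued for in the comment above, as an added example that is not part of the original thread and is not TWiki's own code: reject bulk-registration rows that lack an email, and list existing accounts that could never use password reset. The column names, the `login:hash:email` password-file layout with `;`-separated addresses, and all function names are assumptions; the sample data is constructed.

```python
import re

# Loose sanity check only; it does not prove the mailbox exists.
EMAIL_RE = re.compile(r"^[^@\s;:]+@[^@\s;:]+\.[^@\s;:]+$")

def parse_bulk_table(text):
    """Parse a pipe table whose first row names the columns (assumed layout)."""
    rows = [[c.strip(" *") for c in line.strip()[1:-1].split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    if not rows:
        return []
    return [dict(zip(rows[0], r)) for r in rows[1:]]

def check_bulk_rows(text):
    """Return (accepted, rejected) WikiNames; no usable email means rejected."""
    accepted, rejected = [], []
    for row in parse_bulk_table(text):
        ok = EMAIL_RE.match(row.get("Email", ""))
        (accepted if ok else rejected).append(row.get("WikiName", "?"))
    return accepted, rejected

def accounts_without_email(htpasswd_text):
    """List logins whose password-file entry carries no email address."""
    missing = []
    for line in htpasswd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        # Assumed layout: the email list, if any, is the last field.
        emails = fields[-1] if len(fields) > 2 else ""
        if not any(EMAIL_RE.match(e.strip()) for e in emails.split(";")):
            missing.append(fields[0])
    return missing

# Constructed sample input, not taken from any real site.
SAMPLE_TABLE = """\
| *FirstName* | *LastName* | *Email* | *WikiName* |
| Ann | Lee | ann.lee@example.org | AnnLee |
| Bob | Roy | | BobRoy |
| Cy | Poe | not-an-address | CyPoe |
"""
SAMPLE_HTPASSWD = """\
AnnLee:CONSTRUCTEDHASH1:ann.lee@example.org
BobRoy:CONSTRUCTEDHASH2:
OldUser:CONSTRUCTEDHASH3
"""

if __name__ == "__main__":
    print("bulk rows (accepted, rejected):", check_bulk_rows(SAMPLE_TABLE))
    print("accounts without email:", accounts_without_email(SAMPLE_HTPASSWD))
```

Neither function reads or writes a user topic, so the addresses stay out of public pages as the thread requires.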

Just noticed that this was waiting for me. I have nothing further. It seems to me that Eric summarised it all fine and it seems reasonable that email addresses should be given when you bulk register people. But I can also see some alternative authentication schemes where the email address is fetched from an LDAP server so you cannot always assume that emails should be needed. But then why do you need to register in those cases?

I have never used bulk registration and I do not plan to work on resolving this bug myself so I will flip it to New again.

-- KennethLavrsen - 17 Mar 2008

ItemTemplate
Summary Should email address be mandatory for (bulk) registration
ReportedBy TWiki:Main.EricCharikane
Codebase 4.2.0
SVN Range TWiki-4.3.0, Fri, 12 Oct 2007, build 15261
AppliesTo Engine
Component

Priority Normal
CurrentState New
WaitingFor

Checkins

TargetRelease n/a
ReleasedIn

Topic revision: r9 - 2008-03-17 - KennethLavrsen
 