Re: [drupal-devel] [geeklog-devel] Re: Geeklog 1.3.12 - the next steps
I guess my main gripe with this is that it may break a few layouts that expect usernames to be short. And it requires changes in some of Geeklog's templates, which is always a bit of a pain for our users.
Perhaps the best compromise is to use $remoteusername if it's unique, and append @$Service (enlarging the field) if it isn't. I suspect in most cases it will be unique. Some cases it won't be, but I expect the main use of this is for people like me who run small personal sites with the odd bit of popular content that people might occasionally want to log in to post to but not register with. As my registered (local) user base is tiny, the uniqueness is not too much of a problem. Or perhaps just use their $remoteusername in all cases and let geeklog user id uniqueness and a slight confusion work...
The only 2 remotely similar options you have are to remove a user from the All Users and Logged-in Users groups (which will give them an error message when they try to log in) or to assign them an empty password (which you can't do from within Geeklog) so that they are treated as non-approved members.
Perhaps better user status is more important at this stage than remote authentication.
0 - Banned
1 - Awaiting Activation
2 - Awaiting Approval
3 - Active
Someone actually pointed out to me the other day that you can easily sign up someone else for a Geeklog site and that they would then get notices, e.g. those sent from the "Mail Users" admin panel, which would, from the victim's point of view, look like you're spamming them.
So "activation" could also mean "has logged in at least once" (or would that be a separate status?) and the options for emailing users should default to only let you email "active" users.
I was thinking that we could have email account activation as an option like it is with phpbb, vbulletin etc. I now realise that the password is emailed, so yes, the way you suggest would be best. When an account is created it is created at status 1 or 2. 1 if admin approval of accounts is not required, 2 otherwise. When an admin approves an account it moves to 1. When a user first logs in it moves to 3. When a user is banned it moves to 0. So I think renumbering:
0 - banned
1 - Awaiting Approval - New accounts
2 - Awaiting Activation - New accounts that have been approved
3 - Active - New accounts, approved and logged in.
If admin approval isn't enabled, then new accounts go straight to 2.
I guess I don't have to point out that all this has to be carefully implemented and thoroughly tested to avoid security issues ...
Oh, can't we just do a sloppy hack and hack it into all live geeklog instances? Just for a laugh like... ;-) Geeklog's security is sorely missed (by me).
When you allow a few thousand people (how many members does blogger.com have?) to suddenly log in to your site, there's bound to be a few that you may want to ban ...
But, at current, they can still register and post and not be banned. We don't suddenly make the site more open for trolls. Well, ok just a LITTLE more open. Perhaps bans first, then remote auth?

Mike
Participants (1): Michael Jervis
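The renumbered status scheme proposed in the message above, modelled as an explicit state machine. This is an added example, not Geeklog code and not part of the original post. All function names and the sample users are constructed, and two points are assumptions: banned users are never mailed, and approval cannot lift a ban.

```python
from enum import IntEnum

class Status(IntEnum):
    BANNED = 0
    AWAITING_APPROVAL = 1    # new account, admin has not approved it yet
    AWAITING_ACTIVATION = 2  # approved (or approval not required), never logged in
    ACTIVE = 3               # approved and has logged in at least once

class StatusError(Exception):
    """Raised when a transition is not allowed from the current status."""

def initial_status(admin_approval_required):
    # New accounts skip straight to 2 when admin approval is disabled.
    if admin_approval_required:
        return Status.AWAITING_APPROVAL
    return Status.AWAITING_ACTIVATION

def approve(status):
    # Assumption: only a pending account can be approved, so approving
    # can never quietly lift a ban or re-open an active account's state.
    if status != Status.AWAITING_APPROVAL:
        raise StatusError(f"cannot approve an account in state {status.name}")
    return Status.AWAITING_ACTIVATION

def login(status):
    # Banned and not-yet-approved accounts are refused outright.
    if status in (Status.BANNED, Status.AWAITING_APPROVAL):
        raise StatusError(f"login refused in state {status.name}")
    # The first successful login activates; later logins stay ACTIVE.
    return Status.ACTIVE

def ban(status):
    # A ban applies from any state.
    return Status.BANNED

def mail_recipients(users, include_inactive=False):
    """users: iterable of (email, Status). Defaults to ACTIVE users only, so
    someone signed up by a third party gets no "Mail Users" notices."""
    allowed = {Status.ACTIVE}
    if include_inactive:  # explicit opt-in; banned users stay excluded
        allowed |= {Status.AWAITING_APPROVAL, Status.AWAITING_ACTIVATION}
    return [email for email, status in users if status in allowed]

# Constructed sample data for illustration.
SAMPLE_USERS = [
    ("alice@example.org", Status.AWAITING_APPROVAL),
    ("bob@example.org", Status.AWAITING_ACTIVATION),
    ("carol@example.org", Status.ACTIVE),
    ("dave@example.org", Status.BANNED),
]
```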