[drupal-devel] [geeklog-devel] Re: Geeklog 1.3.12 - the next steps

Michael Jervis mike at fuckingbrit.com
Wed May 4 07:15:09 UTC 2005


 

> I guess my main gripe with this is that it may break a few 
> layouts that expect usernames to be short. And it requires 
> changes in some of Geeklog's templates, which is always a bit 
> of a pain for our users.

Perhaps the best compromise is to use $remoteusername if it's unique, and
append @$Service (enlarging the field) if it isn't. I suspect in most cases
it will be unique. In some cases it won't be, but I expect the main use of this
is for people like me who run small personal sites with the odd bit of
popular content that people might occasionally want to login to post to but
not register with. As my registered (local) user base is tiny, the
uniqueness is not too much of a problem.

Or perhaps just use their $remoteusername in all cases and let geeklog user
id uniqueness and a slight confusion work...
 
> The only 2 remotely similar options you have are to remove a 
> user from the All Users and Logged-in Users groups (which 
> will give them an error message when they try to log in) or 
> to assign them an empty password (which you can't do from 
> within Geeklog) so that they are treated as non-approved members.

Perhaps better user status is more important at this stage than remote
authentication.
 
> >0 - Banned.
> >1 - Awaiting Activation
> >2 - Awaiting Approval
> >3 - Active
> >
> Someone actually pointed out to me the other day that you can 
> easily sign up someone else for a Geeklog site and that they 
> would then get notices, e.g. those sent from the "Mail Users" 
> admin panel, which would, from the victim's point of view, 
> look like you're spamming them.
> 
> So "activation" could also mean "has logged in at least once" 
> (or would that be a separate status?) and the options for 
> emailing users should default to only let you email "active" users.

I was thinking that we could have email account activation as an option like
it is with phpbb, vbulletin etc. I now realise that the password is emailed,
so yes, the way you suggest would be best. When an account is created it is
created at status 1 or 2: 1 if admin approval of accounts is not required, 2
otherwise. When an admin approves an account it moves to 1. When a user
first logs in it moves to 3. When a user is banned it moves to 0. So I think
renumbering:

0 - banned
1 - Awaiting Approval - New accounts
2 - Awaiting Activation - New accounts that have been approved
3 - Active - New accounts, approved and logged in.

If admin approval isn't enabled, then new accounts go straight to 2.
 
> I guess I don't have to point out that all this has to be 
> carefully implemented and thoroughly tested to avoid security 
> issues ...

Oh, can't we just do a sloppy hack and hack it into all live geeklog
instances? Just for a laugh like... ;-)

Geeklog's security is sorely missed (by me).
 
> When you allow a few thousand people (how many members does 
> blogger.com have?) to suddenly log in to your site, there's bound to be a 
> few that you may want to ban ...

But, at current, they can still register and post and not be banned. We
don't suddenly make the site more open for trolls. Well, ok just a LITTLE
more open.

Perhaps bans first, then remote auth?

Mike
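The status renumbering and the remote-username compromise discussed in this message, written out as an added example; this is not code from the thread or from Geeklog itself. It encodes the proposed states (0 banned, 1 awaiting approval, 2 awaiting activation, 3 active), the transitions described (approve 1 -> 2, first successful login 2 -> 3, ban -> 0), a mail-recipient filter that defaults to active users only, and a `remote_username` helper that keeps `$remoteusername` when it is unique and appends `@$Service` otherwise. Function names, the `User` record and the in-memory `users` dict are assumptions for illustration.

```python
"""Account status state machine for a Geeklog-style user table (added example)."""
from dataclasses import dataclass

# Renumbered statuses from the proposal in the post.
BANNED, AWAITING_APPROVAL, AWAITING_ACTIVATION, ACTIVE = 0, 1, 2, 3
STATUS_NAMES = {BANNED: "banned", AWAITING_APPROVAL: "awaiting approval",
                AWAITING_ACTIVATION: "awaiting activation", ACTIVE: "active"}


class StatusError(Exception):
    """Raised for a transition the state machine does not allow."""


@dataclass
class User:            # assumed minimal record; Geeklog's own table has more columns
    username: str
    status: int


def register(users, username, admin_approval_required):
    """Create a new account at status 1 (approval needed) or 2 (approval not needed)."""
    if username in users:
        raise StatusError(f"username {username!r} already taken")
    status = AWAITING_APPROVAL if admin_approval_required else AWAITING_ACTIVATION
    users[username] = User(username, status)
    return users[username]


def approve(user):
    """Admin approval: only a status-1 account can move to status 2."""
    if user.status != AWAITING_APPROVAL:
        raise StatusError(f"cannot approve an account that is {STATUS_NAMES[user.status]}")
    user.status = AWAITING_ACTIVATION


def login(user, password_ok):
    """Attempt a login. A correct password on a status-2 account activates it (-> 3).

    Banned and not-yet-approved accounts are refused before the password is
    even considered, so an unapproved signup can never become active by itself.
    """
    if user.status == BANNED:
        raise StatusError("account is banned")
    if user.status == AWAITING_APPROVAL:
        raise StatusError("account is awaiting admin approval")
    if not password_ok:
        return False
    if user.status == AWAITING_ACTIVATION:
        user.status = ACTIVE          # first successful login == activation
    return True


def ban(user):
    """Banning is allowed from any state and is terminal unless an admin intervenes."""
    user.status = BANNED


def mail_recipients(users, statuses=(ACTIVE,)):
    """Who the "Mail Users" panel may address; defaults to active users only,
    so someone signed up by a third party (status 1 or 2) never receives bulk mail."""
    return sorted(u.username for u in users.values() if u.status in statuses)


def remote_username(local_names, remote_name, service):
    """Use $remoteusername as-is if it does not clash with a local account,
    otherwise qualify it as name@service."""
    if remote_name not in local_names:
        return remote_name
    return f"{remote_name}@{service}"


if __name__ == "__main__":
    # Constructed walk-through of the lifecycle.
    db = {}
    alice = register(db, "alice", admin_approval_required=True)
    approve(alice)
    login(alice, password_ok=True)
    bob = register(db, "bob", admin_approval_required=False)
    ban(bob)
    print({u: STATUS_NAMES[r.status] for u, r in db.items()})
    print("mail to:", mail_recipients(db))
    print(remote_username(set(db), "alice", "blogger.com"))
```

The point worth noting is in `login`: the password check sits behind the status check, so the only path to status 3 is a correct password on an account that an admin (or the site policy) already let through, and the mail filter reads that status rather than mere presence in the user table.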