[drupal-devel] [feature] Single step account creation and login

Uwe Hermann drupal-devel at drupal.org
Mon Sep 19 00:36:00 UTC 2005


Issue status update for 
http://drupal.org/node/4942
Post a follow up: 
http://drupal.org/project/comments/add/4942

 Project:      Drupal
 Version:      cvs
 Component:    user.module
 Category:     feature requests
 Priority:     normal
 Assigned to:  amanuel
 Reported by:  mathias
 Updated by:   Uwe Hermann
 Status:       patch (code needs review)

I agree with killes here. Asking the user to choose a password usually
results in _very_ insecure passwords. Give them random passwords per
default in order to keep most of the accounts secure. If a user then
changes the password to his pet's name, that's his problem...




Uwe Hermann



Previous comments:
------------------------------------------------------------------------

Sat, 03 Jan 2004 23:49:54 +0000 : mathias


Under special circumstances, I would like a new user to be able to
choose their own password and be automatically logged into the site
without needing to check their email. I feel this is necessary for my
ecommerce module, where after anonymous users are ready to "Proceed to
checkout", they need to create a user account to continue.  It is
tedious for the customer if they have to stop, check their email, log
into the site and then resume the checkout process.



I'm game to code this (if this has potential to be part of the core), I
just need some feedback on the best way to tweak user_register.




------------------------------------------------------------------------

Sun, 04 Jan 2004 06:18:07 +0000 : moshe weitzman

+1 for this. I don't think you will get much objection to this much
needed usability enhancement.




------------------------------------------------------------------------

Thu, 08 Jan 2004 05:48:40 +0000 : mathias

Attachment: http://drupal.org/files/issues/user.module-quick_acount.patch (7.11 KB)

This is a prototype patch to make sure I'm going in the right direction.
I feel this patch is about 95% complete, the outstanding issue being
page redirection after quick-account creation.


It introduces a new option under the user admin settings "Public
registrations" called "Visitors can create accounts and sign in
immediately.", allowing visitors to submit their own passwords upon
account creation.  This is important in an ecommerce site where a new
customer wants the checkout process to be as easy and seamless as
possible.




------------------------------------------------------------------------

Thu, 08 Jan 2004 10:22:09 +0000 : moshe weitzman

I read through the patch. Looks good to me. A few notes:


- we should still send a password via email to users who choose their
own password. with some text tweaking, we should be able to send the
same welcome email to 'generated password' registrants, and 'user
specified password' registrants.
- I think we need a setting for minimum length of a password. the
password textfield should inform users of this requirement.
- you don't actually relinquish control after saying "/* Let the
developer control where the user is redirected. */". I assume this part
isn't finished yet.


nice work.




------------------------------------------------------------------------

Thu, 08 Jan 2004 13:46:07 +0000 : flevour

Are there any anti-bot checks around, e.g. randomly generated images
that contain text or numbers to insert in a box?
Congrats for your work :p
// flevour




------------------------------------------------------------------------

Thu, 08 Jan 2004 13:54:19 +0000 : Bèr Kessels

I had another idea. That would be to filter all email addresses (in
content too) into a link to the feedback module.


thus http://www.mysite.org/feedback/mailto/me/mysite.org


the feedback can then print a form that can send the message to
me at mysite.org.


Would this be a good feature or not?


Ber




------------------------------------------------------------------------

Thu, 08 Jan 2004 13:56:36 +0000 : Bèr Kessels

Sorry folks. Placed this in the wrong box. Was updating another feature,
and reading this one (to see if it was the same one) I then, by
accident, replied here. :(


Ber




------------------------------------------------------------------------

Thu, 08 Jan 2004 16:49:56 +0000 : Dries

Showing an image with randomly generated text that a user is supposed to
copy makes your website inaccessible for the visually impaired: they can't
be read by a screen reader.




------------------------------------------------------------------------

Thu, 08 Jan 2004 17:07:02 +0000 : mathias

Responding to Moshe's comments:


- we should still send a password via email to users who choose their
own password. with some text tweaking, we should be able to send the
same welcome email to 'generated password' registrants, and 'user
specified password' registrants.



That is a good point. I'll update the patch.


- I think we need a setting for minimum length of a password. the
password textfield should inform users of this requirement.


Agreed. In my patch I checked to make sure the password was at least
six characters long, but this should be an element that can be tweaked
by the admin. It might be best to make this a global password length
system variable.


- you don't actually relinquish control after saying "/* Let the
developer control where the user is redirected. */". I assume this part
isn't finished yet.


Yep, that's the part I'm still working on.  Thanks for the critical
eyes.




------------------------------------------------------------------------

Wed, 14 Jan 2004 04:31:06 +0000 : mathias

Attachment: http://drupal.org/files/issues/user_0.module-quick_acount.patch (7.95 KB)

The patch has been updated and is ready for final review, and commit.




------------------------------------------------------------------------

Wed, 14 Jan 2004 22:37:53 +0000 : Dries

Not sure.  Wouldn't it make more sense (and result in better/less code)
to let the user *always* choose his password and to introduce an admin
setting to control whether e-mail addresses should be validated by
e-mail?




------------------------------------------------------------------------

Sun, 15 Feb 2004 17:02:38 +0000 : moshe weitzman

moving out of patch queue until a cleaner implementation is submitted
... this feature is still quite valuable.




------------------------------------------------------------------------

Fri, 05 Nov 2004 19:21:49 +0000 : Nick Nassar

I agree with Dries that it makes a lot of sense to always let the user
choose her password. It's a pain to copy and paste in a randomly
generated password, then change it. Hash link based verification is
much easier.


That's really a separate issue from an option to disable verification.




------------------------------------------------------------------------

Fri, 22 Jul 2005 22:11:42 +0000 : amanuel

Attachment: http://drupal.org/files/issues/user4.6.2.patch (4.25 KB)

Following Dries's suggestion, I have implemented an "Enable Email
Verification" option to user.module. The attached patch does the job.


With this patch the system by default will ask for a password. If Email
Verification is turned on in the settings, the system will send the
password via email.


$edit['destination'] is carried so as to allow the user to return where
they were (shopping cart etc.)


Any comments?


Amanuel




------------------------------------------------------------------------

Sat, 23 Jul 2005 05:48:08 +0000 : mathias

I want users to be able to enter their own passwords upon account
creation, but this patch still needs some work.


- The email verification checkbox in user admin settings is confusing.
I'm assuming that it applies to any of the selected registration
options? However when I select that only site admins can create new
user accounts, the accounts I create don't get any emails sent for the
user to verify. 


- When a user signs up and enters his/her own password I think they
should be logged in automatically rather than taken to a screen asking
them to click the login button. 


- User entered passwords aren't validated. We should check to make sure
they're at least six characters and verify the password strength level
to some degree (i.e. same characters, all lowercase letters.)




------------------------------------------------------------------------

Fri, 29 Jul 2005 05:09:30 +0000 : Steven

I agree with Dries. Random-generated passwords are hard to use. We
already have optional hash-link functionality on signup, so I think we
should always use it.




------------------------------------------------------------------------

Sun, 07 Aug 2005 17:02:45 +0000 : killes at www.drop.org

I actually disagree with Dries and Steven. I let firefox maintain all my
passwords and couldn't care less what my actual pw for any Drupal based
website is. If we let the user provide a password then I at least would
want to have Drupal suggest one for me.
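
Added example, not part of the thread and not code from Drupal's user.module or any of the attached patches: a stand-alone PHP sketch of the two ideas raised above, the checks on user-entered passwords proposed in the 23 Jul 2005 comment (minimum length, same characters, all lowercase letters) and a suggested random password as asked for in the last comment. The function names, the alphabet and the default suggestion length are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper names, not Drupal's user.module API.

/**
 * Return the reasons a user-chosen password is rejected
 * (an empty array means it passed these checks).
 */
function example_password_problems(string $password, int $min_length = 6): array {
  // Split into characters, not bytes, so multi-byte input is measured fairly.
  $chars = preg_split('//u', $password, -1, PREG_SPLIT_NO_EMPTY);
  if ($chars === false) {
    return ['not valid UTF-8'];
  }
  $problems = [];
  if (count($chars) < $min_length) {
    // $min_length stands in for the admin-tunable setting discussed in the thread.
    $problems[] = "shorter than $min_length characters";
  }
  if (count($chars) > 0 && count(array_unique($chars)) === 1) {
    $problems[] = 'one character repeated';
  }
  if (preg_match('/\A[a-z]+\z/', $password) === 1) {
    $problems[] = 'lowercase letters only';
  }
  return $problems;
}

/**
 * Suggest a random password the user may accept or replace.
 * random_int() draws from the operating system's CSPRNG.
 */
function example_suggest_password(int $length = 12): string {
  // Look-alike characters (0/O/o, 1/l/I) are left out to ease retyping.
  $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
  $out = '';
  for ($i = 0; $i < $length; $i++) {
    $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
  }
  return $out;
}

// Constructed sample inputs, plus one generated suggestion.
foreach (['aaaaaa', 'rex', 'fluffy', 'Tr4il-mix!', example_suggest_password()] as $candidate) {
  $problems = example_password_problems($candidate);
  echo $candidate, ': ', $problems ? implode('; ', $problems) : 'ok', "\n";
}
```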






