[development] User registration without *password*

[Samuel Charrington]

I followed the recent "user registration without email" thread
closely, as I'm about to start working on a related issue.

Prior to moving my site over to Drupal, I had implemented a
password-less registration system [1] for our downloads area that was
based on the user's email address. It basically worked like this:

1. When a user requested access to a 'protected' resource, we would
first check for a registration cookie. If the cookie is present, we
would send them on to the requested resource.
2. If no cookie is present we would throw up a registration lookup
form requesting their email address. When submit, we'd look for their
email address. If found, we'd set the cookie and forward them to the
requested resource.
3. If the email address isn't found, they would be asked to
'register', by providing an email address along with personal info
such as company name, address, phone, etc. Upon successful
registration we'd set a cookie and forward them to the requested
resource.

I'd like to implement a similar scheme for my Drupal-based site. One
option is to port over my existing code and tables and keep the
registration stuff separate from the Drupal system. However, it seems
like a more flexible approach would be to make each of these
registrants "users" in Drupal, allowing me to use Drupal features and
contrib modules for managing the resources and controlling access to
them.

I'm currently thinking I can accomplish most, if not all, of this by
hacking/patching the LoginToboggan module. I would need to modify it
to use an empty string for the password, customize the login form, and
suppress the confirmation email. I would use the it's Immediate Login
feature to create the users and put them into a "non-authenticated
role" I'd create called "registrant". My intention would be to leave
them there permanently. I'd also need to implement the ability to
forward the new user to the requested page.

I'm looking for an any thoughts on this approach, and any pointers if
it has been done already. If there are any gotchas I'll likely run
into, or if--for some reason that isn't yet apparent to me--this is
just a Bad Idea, I'd like to know that as well.

Also, if there is any broader interest in this type of functionality
let me know. I'm happy to work as closely with the LoginToboggan
maintainers as they would like, and would appreciate any help or
guidance they can offer.

Thanks,

Sam

[1] The use case here is a corporate/brochureware site where the
security of the resources is not a major concern, as they are
typically marketing materials. (Site security is still a concern, of
course.) It is  desirable to avoid requiring users to create/manage a
password, yet we'd like to somehow accomodate the repeat visitor.