Instead of allowing the user to set a password and log in immediately, the user will be required to activate the account. I think this will be a better approach for registration and also a better effort to fight spam. As I see it, assigning a role with fewer permissions will be less practical, because you will need to evaluate what access should be given to people/spam that have registered but not activated.

-> disabled
-> Set password & Immediate login
-> Set password & activation required

Comments

hunmonk’s picture

Status: Active » Closed (works as designed)

this has been discussed before, but i will briefly reiterate here:

if the user has already given you their user name and password, there is no reason not to log them in -- a site administrator should be savvy enough to properly configure the access permissions so that the immediately logged in user has the proper amount of site permissions.

a small argument can be made that having the option to set a password and not log a user in gives another level of access control -- first the user is anonymous, then they are pre-auth, then auth. is that additional level of control worth complicating the UI and the code further? at this point i don't think so -- i believe the current functionality serves most sites well, and i would need to see a greater demand for that functionality in order to support it in code.

of course you are always welcome to hack your own custom version of the module to add that feature -- that's the beauty of open source software. :)

Foodster’s picture

Thanks for the heads-up hunmonk, and for explaining although it has been discussed before. Sorry for not seeing that. For those who missed the discussion, you may check here http://drupal.org/node/57623 (please kindly read the previous discussion, as hunmonk is a very nice guy and he gets enough trouble explaining here already. Sorry)

My logic is (/me thinking really hard so that I can convince myself and hunmonk of this feature): most site setups will require registration before being able to post anything. Go to #1 if you agree. Go to #2 if you disagree.

#1 So I also assume that most setups will only give permission to post at the site to members who have validated the account (email validation link), after the registration using LoginToboggan. Go to #3 if you agree. Go to #4 if you disagree.

#2 If the site allows doing anything before registering, then what is the whole point of the registration? (enlighten me please)

#3 So do you think it will be confusing for the user that at that point they are registered but not able to post anything yet? (I am not referring to the elite web user, but rather targeting the users who don't even know how to change the password after it was auto-generated by the Drupal core module.) That's also the reason why we want the user to set their own password.

#4 If the user is able to post after the registration without the activation link, then it defeats the purpose of having the activation, as you already have the access/permission without activation. (unless there are other permissions that I didn't think of)

if the goal of validation is to prevent bot registration, then we've already got that covered with the email validation step.

hunmonk’s picture

it's possible that you don't understand how to configure the module to do what you're suggesting. here's a brief layout:

  1. create a new role, pre-auth, which has the exact same permissions as the anonymous user, or whatever level of permissions that you want them to have _before_ they are validated
  2. in logintoboggan settings, set that role as the "Non-authenticated role", and select "Set password & Immediate login"
  3. set your auth user perms so that users can post content, or whatever level of access that you want to give them.

now, when a user registers, they get a nice message that says "A validation e-mail has been sent to your e-mail address. In order to gain full access to the site, you will need to follow the instructions in that message." it seems pretty clear to me what that means... ;)

now even though they are logged in, they do _not_ have the access perms of the auth user -- that's the whole point of the pre-auth role! as soon as they validate their account, _then_ they get auth user permissions. as far as i can tell this handles all of your objections -- and it's something the module does today. :)

please correct me if i'm wrong!
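
A small model of the setup described in the post above, as an added example that is not part of the original thread and is not LoginToboggan or Drupal code. The role names follow the post; the permission strings, `User`, `can` and `audit` are constructed for illustration.

```python
# Toy model of the anonymous -> pre-auth -> auth flow (illustration only).
# ROLE_PERMS is constructed sample data, not an export from a real site.
from dataclasses import dataclass

ROLE_PERMS = {
    "anonymous": {"access content"},
    "pre-auth": {"access content"},  # step 1: same as anonymous
    "authenticated": {"access content", "post comments", "create content"},
}

@dataclass
class User:
    name: str
    validated: bool = False  # flips to True when the e-mail link is followed

    @property
    def role(self):
        # Logged in immediately, but only "pre-auth" until validated.
        return "authenticated" if self.validated else "pre-auth"

def can(user, perm, role_perms=ROLE_PERMS):
    """Permission check; user=None models an anonymous visitor."""
    role = user.role if user is not None else "anonymous"
    return perm in role_perms[role]

def audit(role_perms):
    """Flag the two misconfigurations the thread worries about.

    pre_auth_excess: permissions an unvalidated account holds beyond
    anonymous (what a spam registration would gain without validating).
    gated_by_validation: permissions only granted after validation; an
    empty list means the validation step protects nothing.
    """
    pre, anon, auth = (role_perms[r] for r in
                       ("pre-auth", "anonymous", "authenticated"))
    return {
        "pre_auth_excess": sorted(pre - anon),
        "gated_by_validation": sorted(auth - pre),
    }

if __name__ == "__main__":
    alice = User("alice")                 # registered, password set, logged in
    print(can(alice, "post comments"))    # still pre-auth
    alice.validated = True                # followed the validation link
    print(can(alice, "post comments"))
    print(audit(ROLE_PERMS))
```
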

mandrew182’s picture

I have the same problem.

1. Registration page should contain password field - I am using logintoboggan module.
2. User should confirm own e-mail - click on link in the letter.
3. User can log in to the site only after e-mail confirmation.

Have you any implementations?

Foodster’s picture

Hi Mandrew,

you could just follow what has been suggested by hunmonk in the previous post.

marking as "won't fix" for now, but feel free to reopen if you can list some valid use cases for me to consider... - hunmonk