I've just set up a community site, which utilises logintoboggan.

I had it set for immediate login/choose own password, but I have hit a 'security' / spammer snag...

I had a spammer entering information into a 'personal info' field within his account (you can imagine the type of horrible stuff).

I had several options:

(1) eliminate this info field from registration. Ok, but account can still be accessed and edited, but it might eliminate auto registrations from spam engines. Yes, I could get rid of it altogether, from the user account, but I really don't wish to do that.

(2) stop "immediate login option"in order for site admin verification process to work more thoroughly.

This is the option I've chosen. However, this means that the innovative redirect pages: on registration and on confirmation don't work. Also, the site admin, no longer receives an authentication link, but only an email informing him of new account, which must be edited. But its really the redirect pages I miss.

(3) get rid of logintoboggan; never really considered this because I like the l/t js links rather than ugly login block

I also tried continuing with immediate login and denying access to the user to content etc, using access control. Ironically, the only thing the waiting-authentication user could do was access his account... and therefore go ahead and post spam in the personal info section!!

If there is another workaround, I haven't found it. Is this a login-toboggan problem? Yes, in that the spammer problem compromises the excellent usefulness of logintoboggan.

possible solutions?

Any suggestions / features that could solve this? It's really taken the edge of the registration process, which I was trying to make as intuitive and informative as possible. Missing the redirect pages.

  • One solution would be for account access to be denied to "awaiting authentication" users. That would only require all personal fields to be eliminated from registrations.
  • Another useful innovation would be for the registration process to send an email confirming site admin authentication.

Thnx
jbc

Comments

hunmonk’s picture

Status: Active » Closed (won't fix)

this sounds out of scope for this module.

my suggestion is to write a module that allows access control to a user's own account by role.