Forum OpenACS Q&A: Groups -- the public, unregistered users, permissions

The forums package has a constraint that the user_id stored in the table as the author of the message must exist in the users table. So although the user_id passes the security check, it will cause a referential integrity violation when the attempt to store the message is made.

I will work on some instructions to make these changes to the data model. This seems like a general enough request that perhaps it should be a built in option.

If you will accept submissions from unregistered users, you will want to add some other form of control to prevet abuse.

For some reason forums does not redirect to login right when you attempt to post. Perhaps that is to encourage registration. That is, if you have already typed your message maybe you are more inclined to create an account than if you are presented with the registration screen before typing your message.

If not allowing annonymous posting what would you expect the behavior to be?

I suspect we should always tell the user the consequences of aborting the registration process.

That's a very good question with more then one answer. Q: Which answer is the best? A: The one the user expects.

Of course, the users don't always get what they want because these are difficult problems to many different expectations. As an admin of one of these sites, we naturally want easy unlimited flexibility -- so don't listen to me 😊 Seriously, what should the behavior be? What's best in a forum that requires login? The quick and simple answer is: Don't give unregistered users the choice to post at all.

Personally, however, it doesn't bother me when I'm asked to set up an account after I've invested in writing a reply, because the topic obviously interests me and I can always (or usually) give them a fake email address from http://www.spamgourmet.com/ (disposable email address! btw) if I don't trust the site.

So it seams to me that it's okay to let unidentified users to compose a post before asking them to login, however, the user should be warned, probably on the "confirm" step, that login will be required after they confirm. "If you don't log in, your post will not be published" (or requires approval...which is another thing and probably the subject of another thread even *).

Considering all, I think that when the system is set to allow the public to post, the user would be given a radio button choice as they confirm the post, to either login/register or to "post anonymously."

Actually, here's how it would work in a perfect world (I'm not saying this is practical on OpenACS or that the system needs to allow this easily.) Ideally, the system would only ask the user for information when necessary. An unregistered user clicks "post" or "reply" and lands on the form. The form would include an optional field asking for email address because the system is attempting to discover who this user is. The Confirm page would then ask for either a password if the email is already a user, or the user would be given the radio button choice to either post anonymously or "join". If the user gave what appears to be a valid email address, they would be opted into: I want to join and post. If the user left the email field blank then they would be opted to: I want to post anonymously.

Yellow or Red highlighted text is good, visually, for setting the users attention. I'm probably going to add that warning on top of all the confirm pages because the user isn't scrolling down in long posts to see the confirm button. I give the bold tag a different class in my css file to highlight things.

* As an admin of community sites, I would want anonymous contributions to post immediately when the community is small, however, if it became a problem, or when the community grows, I may want anonymous posts to require a moderator approval before appearing -- like the ACSnews module is configured. That delay would be the price that the user pays for posting anonymously. I would only want to toggle it to moderator or login required if we were getting spammed or harassed.

If we did, how would we do it? Create a special 'Anonymous Coward' user, or use the existing 'Unregistered Visitor' person with person_id 0?

I guess if we use person_id 0, then we'll have to figure out another way of granting site-wide admin than granting permissions on object 0. Or maybe that wouldn't be a problem, actually.

/Lars

Right, but does object_id 0 have to be a user. Would it be better to allow forums posters to be a person instead of a user (which would include all users)?

I brought this up in another thread. Right now creation user of acs_objects has no restriction, so you can put any integer in there. Forums_messages specifically references the users table.

Lars,

Sure, once we figure this out, it will be simple enough to enable the feature in forums and general comments. The work I am doing on general comments will allow anonymous posting (if enabled by the administrator.)