Forum OpenACS Development: Re: Elimination of email as center of OACS registration.

Posted by Don Baccus on
Requiring e-mail may be rare yet we've rarely had complaints, so for a very large number of clients apparently it's not a problem.

Anyway .... bottom line is we need

1. to allow for the e-mail requirement for those who still like it.

2. to allow for arbitrary user names for those who like that and, as Lars points out, for working with external authentication servers.

3. if a site decides to allow for arbitrary user names it should still be possible to demand an e-mail address in order to allow for e-mail verification of registrations to cut down on bogus spammish registrations.

4. If we get rid of the unique e-mail restriction, doesn't this make it possible in scenario #3 for someone to set up one mail account with a 'bot answering it, then use that one mail account to register and verify an arbitrary number of users with login names like "a", "b", etc.? Imagine for instance that Greenpeace decides to move its discussion server from Zope to OpenACS, not entirely far-fetched since Bruno's been mumbling about it for over a year. Greenpeace is an organization that's likely to be a target for vandals. We need to think in these terms ...

Hi Don, good point (number 4). I think we should strive for keeping the email unique OR get acs-mail to only send an email once to a particular email address (let notification or the mailing list manager handle this). In any case, in the scenario where we need it, we assume unique emails and will coordinate with Lars there.
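
The policy combination discussed in this thread, as an added example that is not part of the original posts and is not OpenACS code: arbitrary user names as the login key, an optional e-mail requirement, and an optional unique constraint on the case-folded address. The table layout, the `Registry` class and its method names are assumptions, and an in-memory SQLite database stands in for the real one.

```python
import sqlite3

class Registry:
    """Hypothetical registration store with the site-level switches from points 1-4."""

    def __init__(self, require_email=True, unique_email=True):
        self.require_email = require_email
        self.db = sqlite3.connect(":memory:")
        # The user name is the login key; the e-mail column may be NULL.
        self.db.execute(
            "CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
        if unique_email:
            # Unique on the case-folded address, so Bot@x and bot@x collide.
            # NULL addresses never collide with each other in SQLite.
            self.db.execute(
                "CREATE UNIQUE INDEX users_email_un ON users (lower(email))")

    def register(self, username, email=None):
        email = email.strip() if email else None
        if self.require_email and not email:
            return "email-required"
        try:
            with self.db:  # commits on success, rolls back on error
                self.db.execute(
                    "INSERT INTO users (username, email) VALUES (?, ?)",
                    (username, email))
        except sqlite3.IntegrityError as exc:
            # The database, not application code, is the final arbiter,
            # which also covers two registrations racing each other.
            if "users.username" in str(exc):
                return "username-taken"
            return "email-taken"
        return "ok"

    def accounts_for(self, email):
        """Number of accounts one mailbox could confirm by e-mail."""
        row = self.db.execute(
            "SELECT count(*) FROM users WHERE lower(email) = lower(?)",
            (email,)).fetchone()
        return row[0]

if __name__ == "__main__":
    # Constructed sample data: one mailbox, many login names (point 4).
    for unique in (False, True):
        reg = Registry(unique_email=unique)
        results = [reg.register(name, "bot@example.test") for name in "abc"]
        print(unique, results, reg.accounts_for("bot@example.test"))
```

With the unique index off, the one mailbox ends up behind three accounts; with it on, only the first registration succeeds.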