That's not exactly what our system does, because we go through
some weird checks for pre-approved sets of email address
(government and such) and what type of user they are (supplier).
But what happened is that we had an open site with no email
verification for a few months. Then we added email verification,
and the way we did that is that we simply updated the state of all
existing users in the DB to need_email_verification.
Now, we had custom login scripts, so our scripts handled that
new state, but I am 99% sure that the generic OpenACS login
scripts would do the right thing, too.
