Forum OpenACS Development: OIDs optional in current Postgres - whose idea was it to use them for email confirmation anyway...

I wondered why there was such a dodgy hack in the email-confir.tcl
file (in /register/), it turns out that OIDs (the rowid of postgres)
are now optional - and the data model sql file obviously doesn't
request it.

My thoughts are:

1) Security? Who needs security anyway? (Sarcasm? Who needs sarcasm?)

2) Let's make it general between oracle & postgres

Off the top of my head, what's say I add a column to users called
user_magic_num that gets allocated a  6 digit (say) random number, and
for pseudo-security jobs like email verification, we use a number
which is  the random number concatenated to the user_id (to ensure it
is unique).

Since I need something working by the morning, I'm going to figure out
how to turn OIDs on - but let me know what you people think.

I'm stupid - OIDs are optional, but enabled by default.

The problem is that postgres doesn't give us a rowid-like number for views (like cc_users).

I have hacked the cc_users select definition to include "u.oid as ora_rowid" and used that. It's dodgy...

Mark, AFAICS we inherited the code from the oracle version and I suppose OIDs were used in the sake of consistency between the Oracle and PostgreSQL version of the toolkit.

Using a random token is a better alternative for several reasons. Here's what Gilbert Wong has to say: "I only made a few changes in the acs-subsite user pages. Most of the changes are HTML layout changes. The major change in the TCL/SQL code is the addition of a random token (and column to track it) to supplement the user email verification process. The reason I modified it was because the oid/rowid is a constant in the database and when people change their email addresses, there is no easy way to verify that the email address is still valid. So I added the random token and changed the basic-info-update page to check for a change in the email address. If it was changed, I toggle the user verified column (can't remember the exact column name) to false, log out the user, generate a secret token, and email the confirmation link. So a smart user cannot easily fool the email verification system. I also had to change the registration end too."

You might want to contact Gilbert ( Please,  post back here when you resolve this.

Yeah, I need to upload those changes.  I will have to take the original OpenACS code and integrate my changes, since I heavily modified the original code in acs-subsite (register, user, etc.) and added some other junk not useful to other people :)  I still check the row_id (oid or whatever was there before), but I added a secret token to the check.  I guess I can take out the oid completely.  Anyway, if I have some time this weekend, I'll try to put together a tarball with the changes...
Are you using Oracle or Postgres? Under Postgres, you don't get OIDs on views (whereas under Oracle you do get rowid on views) so how did you handle this?

I modified cc_users to have a column "u.oid as ora_rowid" and modified the query to look at ora_rowid.

postgresql.  I believe I did a join on the users table.  I submitted some patches a while ago which should have made fixed the queries in the postgres version.