Forum OpenACS Development: OIDs optional in current Postgres - whose idea was it to use them for email confirmation anyway...

My thoughts are:

1) Security? Who needs security anyway? (Sarcasm? Who needs sarcasm?)

2) Let's make it general between oracle & postgres

Off the top of my head, what's say I add a column to users called
user_magic_num that gets allocated a  6 digit (say) random number, and
for pseudo-security jobs like email verification, we use a number
which is  the random number concatenated to the user_id (to ensure it
is unique).

Since I need something working by the morning, I'm going to figure out
how to turn OIDs on - but let me know what you people think.

Using a random token is a better alternative for several reasons. Here's what Gilbert Wong has to say: "I only made a few changes in the acs-subsite user pages. Most of the changes are HTML layout changes. The major change in the TCL/SQL code is the addition of a random token (and column to track it) to supplement the user email verification process. The reason I modified it was because the oid/rowid is a constant in the database and when people change their email addresses, there is no easy way to verify that the email address is still valid. So I added the random token and changed the basic-info-update page to check for a change in the email address. If it was changed, I toggle the user verified column (can't remember the exact column name) to false, log out the user, generate a secret token, and email the confirmation link. So a smart user cannot easily fool the email verification system. I also had to change the registration end too."

You might want to contact Gilbert (https://openacs.org/shared/community-member.tcl?user_id=5597). Please,  post back here when you resolve this.

I modified cc_users to have a column "u.oid as ora_rowid" and modified the query to look at ora_rowid.