Email confirmation: user account restriction #3300
Comments
|
Today is @bsilverstein95 's last day with us (sniff!) so I'm going to unassign him from this issue. Thanks for all the help with #2170! |
pdurbin
added
Help Wanted: Code
Mentor: pdurbin
Feature: Notifications
and removed
Help Wanted: Code
Mentor: pdurbin
labels
pdurbin
added
the
User Role: Superuser
bsilverstein95
added this to the 5.0 - DataTags and Support for Sensitive Data milestone
bsilverstein95
changed the title
|
thanks! this feature would help with security and verification of users upon sign up, like other web services offered we need to be able to verify users via e-mail verification otherwise users can create accounts on behalf of others or use fake accounts. Not ideal in terms of the possible risks this leaves us open to. |
|
+1 on an on/off setting to require email validation to be able to sign in |
|
To focus on the most important features and bugs, we are closing issues created before 2020 (version 5.0) that are not new feature requests with the label 'Type: Feature'. If you created this issue and you feel the team should revisit this decision, please reopen the issue and leave a comment. |
8/19/2016: Phase I of confirm email is issue #2170. Phase II will introduce consequences / restrictions for users who do not confirm their email address, such as not receiving email notifications.
This issue was made a while ago after #2170 [email confirmation] was successfully merged in 4.5.1. It can potentially be very helpful going forward with support for sensitive data as outlined by Harvard's Information Security Policy.
Currently, we have no options to "restrict" accounts that have not confirmed their email address. Recall also that institutional accounts are "re-confirmed" upon each login, as the user's status is a nullable timestamp column
authenticateduser.emailconfirmed. This is because we entrust institutional accounts' auth providers with the responsibility of securing their institutional inboxes 🤓Next steps forward would be to define as a team what restrictions to levy on accounts with unverified email addresses. Consider:
The appropriate user access guidelines linked above are a healthy resource to refer to so that we can maintain the best direction towards v5.0 and iron out any known bugs prior to merge.
Related baggage: #3407 When users convert their account from the "Username/Email and Password" to the "Institutional Log In" option, they receive a confirmation email with no link
The text was updated successfully, but these errors were encountered: