securesocial
securesocial copied to clipboard
jaliss
One-step user registration
This pull request creates another registration controller, that works in parallel with the old one, without breaking it. It allows users to register in one step, but marked as non-verified, later they can verify their account by following a link send in a verification email.
These are changes in the code:
- Moves old registration controller inside "registration" package
- Creates a new registration controller that creates the User in one step
- Creates an action for email verification
- Add views for the new actions/emails
- Adds methods for new views, in Mailer and TemplatePlugin (without breaking backward compatibilty)
- Adds a state field in Identity trait, to hold the state of email verification
- Adds configuration options to choose the registration method
- Changes "SecuredAction" to prevent users with non-verified email
I have to note that this feature was implemented by one of our trainees, then reviewed by me. You can see her original changes here
Todo: We are planning to change the SecuredAction (or extend it) to take additional parameters, to allow non-verified users in specific pages, or even allow (recent) non-verified users only.
Hi @tabdulradi
Thanks for your contribution. I did a quick look and would need to see this in more detail but here are my first comments:
- The registration flow leaks user information (error saying the email is taken). The default flow prevents that.
- Adding Active SocialUser might to be needed. Since the change in SecuredAction line 86 does a filter on the result, it really would be the same if your UserService.find method would return None for inactive users.
- As of your planned changes to SecuredAction please consider using an Authorization object as an alternative. That would allow your users to access certain pages: in the implementation of that object you could check if the user is active or not. If you make UserService.find return your own model that should be easy. Eg:
case class WithActiveState extends Authorization {
def isAuthorized(user: Identity): Boolean {
user match {
case myUser: MyUserClass => myUser.isActive
case _ => // did not get a MyUserClass instance, log/handle error. Should not happen.
}
}
}
Thanks for your reply,
- I think we can remove the validation on email field. Then take a decision, either we should send a welcome/validation email, or send instructions email. We will work on it by next week.
- UserAwareAction uses UserService.find method too, so returning None for inactive users will prevent us from allowing Inactive users to access specific pages in the future.
- Thanks for the note. We will take this into consideration.
@jaliss are you going to integrate this feature into securesocial in the near future?
Hi @jaliss . Are you interested in integrating this feature into SecureSocial? I need it for my project so I'm currently updating it to the latest code in master, and doing some small improvements. Shall I create a new pull request when I'm done? Thanks for your hard work on this great framework.
+1 for the great works!
Is there any conclusion this would eventually be pulled or not?
@jaliss I understand that saying the email is taken might leak some user information, but it seems really few sites didn't do that. I feel this feature is essential to have, and it's developer's call to use it or not.
by the way, it seems one of the user in list in securesocial's user list, carambla, is using one step registration https://carambla.com/register
