In-Portal Issue Tracker


Viewing Issue Advanced Details
ID: 0000949
Category: [In-Portal CMS] Security
Type: feature request
Reproducibility: always
Date Submitted: 2010-12-13 11:14
Last Update: 2012-07-25 05:32
Reporter: Dmitry
View Status: public
Project Name: In-Portal CMS
Assigned To: alex
Developer:
Priority: minor
Resolution: fixed
Platform:
Status: closed
OS:
OS Version:
ETA: none
Fixed in Version: 5.2.0-B1
Product Version: 5.1.1
Target Version: 5.2.0
Product Build:
Time Estimate: No estimate
Summary: 0000949: Change in user Email Validation process
Description: Often these days there is a need to make sure User Email is validated. Current functionality (5.1.1) doesn't fully answer all the requirements.

Proposed solution is to ADD an "EmailValidated" checkbox to the user record (only admin can change it). On the Front-End that checkbox will be checked automatically when the user confirms their email during registration or after the email change.

Below is a description of the actions that will take place for each of the User Registration methods (Instant, Pending, Email Activation). Otherwise, it will become confusing.


New User Registration:

- Instant Registration - additional text needs to be added to the Registration Email Event, which will say "please click here to validate your Email address" (only if the Email field was entered).

- Pending - additional text needs to be added to the Pending Registration Email Event, which will say "please click here to validate" (only if the Email field was entered).

- Email Activation - automatically should mark the Email as verified once account is activated (once properly activated).


User Updated Email address:

1. Reset EmailValidated check-box

2. Send 2 emails:
 - to OLD email address - saying that an email on the account has been changed - click here to UNDO the change if it wasn't you.
 - to NEW email address - asking to click "here" to Verify the Email. However, NEW email will be UNDONE to the old one in case the User has clicked on UNDO the change + will be marked back as Verified.



NOTES:

a. Above functionality to be automatically activated if Email is present/entered

b. None of this Email Verification should trigger ANY sort of Disabling / Activating the account. What we can do is to ask Users to verify their Email (if it has not been) once they have logged in on the Front-End.

c. In the future Admin will be able to filter out and PRUNE all old users with no email validated.
Steps To Reproduce:
Additional Information:
How to implement UNDO e-mail change
-----------------------------------
1. create PrevEmails column (text, empty serialized array by default) in PortalUser table; will be serialized array of all user's email change attempts in format:
Array (
md5(emailchange_time1+user_id) => old_email1
md5(emailchange_time2+user_id) => old_email2
)
2. when user's e-mail is changed, then we add one more record to array in PrevEmails column and send a link with that hash (array key) to a user as undo link
3. when user clicks an undo link we can search for given MD5 string in that field using LIKE clause; when found we revert e-mail change and delete that record from array

Other stuff
-----------
Other stuff is pretty obvious and we have done it on some other projects already. I'll just copy-paste from there.
We also need to make sure, that user can't manually change EmailValidated column.



Also I think that the column should be called EmailVerified, since we verify that the user owns the e-mail he typed on the form. Email is already valid, since it matches the user@domain.tld format.

Tags No tags attached.
Reference Improved user Email Validation process
Change Log Message https://groups.google.com/d/topic/in-portal-dev/jXn8GSp34Rc/discussion
Estimate Points 2
Attached Files:
email_validation_core_949.patch (15,851 bytes) 2011-12-22 06:20
email_validation_theme_949.patch (9,052 bytes) 2011-12-22 06:20
email_validation_core_v2_949.patch (20,270 bytes) 2011-12-27 12:48
email_validation_theme_v2_949.patch (9,232 bytes) 2011-12-27 12:48
email_validation_core_v3.patch (26,907 bytes) 2012-01-03 11:00
email_validation_themes_v3.patch (8,686 bytes) 2012-01-03 11:00

- Relationships
related to 0001188 closed (5.2.0) alex Usage of current page title in navigation bar
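
The undo flow from "How to implement UNDO e-mail change" above, as an added example that is not part of the original issue or of In-Portal's code. It is a plain-PHP, in-memory model: the `$users` array stands in for the PortalUser table, the function names are hypothetical, and the PrevEmails key is the SHA-256 of a random token rather than the md5(emailchange_time+user_id) value from the issue, because a timestamp and a user id can be guessed by someone who never received the e-mail.

```php
<?php
// Added example, not In-Portal code. $users stands in for the PortalUser table.

function changeEmail(array &$user, string $newEmail): string
{
    // Assumption: random token instead of md5(emailchange_time + user_id).
    $token = bin2hex(random_bytes(16));
    $prev  = unserialize($user['PrevEmails'], ['allowed_classes' => false]);

    // Key by the token's hash so a leaked table does not contain usable links.
    $prev[hash('sha256', $token)] = $user['Email'];

    $user['PrevEmails']    = serialize($prev);
    $user['Email']         = $newEmail;
    $user['EmailVerified'] = 0; // reset on every e-mail change

    return $token; // placed in the undo link mailed to the OLD address
}

function undoEmailChange(array &$users, string $token): ?int
{
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null; // malformed input never reaches the lookup
    }
    $key = hash('sha256', $token);

    foreach ($users as $id => $user) {
        $prev = unserialize($user['PrevEmails'], ['allowed_classes' => false]);
        if (!isset($prev[$key])) {
            continue;
        }
        $users[$id]['Email']         = $prev[$key];
        $users[$id]['EmailVerified'] = 1; // restored address counts as verified
        unset($prev[$key]);               // single use: the record is deleted
        $users[$id]['PrevEmails']    = serialize($prev);

        return $id;
    }

    return null; // unknown or already used token
}

// Constructed sample data.
$users = [7 => ['Email' => 'old@example.com', 'EmailVerified' => 1, 'PrevEmails' => serialize([])]];
$token = changeEmail($users[7], 'new@example.com');

var_dump(undoEmailChange($users, 'not-a-token'));
var_dump(undoEmailChange($users, $token), $users[7]['Email']);
var_dump(undoEmailChange($users, $token));
```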

-  Notes
(0004287)
erik (manager)
2011-12-20 12:28

Some questions

1. What data must be in the undo link?
2. What data must be in the verify link?
3. Which e-mail can be undone - any, or only if it is newer than the current e-mail?
(0004289)
alex (manager)
2011-12-21 02:37

1 - http://www.website.tld/my_account/restore_email.html?hash=564345dsfvdfg34tf34rggdf
2 - like current link on email activation, but template will be "my_account/verify_email.html"
3 - any e-mail in PrevEmails fields is older than the current one, so the answer is "any"
(0004297)
erik (manager)
2011-12-22 06:21

Patches attached - needs testing
(0004301)
alex (manager)
2011-12-23 04:40

1. newly added e-mail events are not added in install_data.sql & upgrades.sql files (notice that there are no translatable columns in e-mail event insert sqls).

2. no upgrade code resulting in making all existing users with unverified e-mails (I think we should make all existing users with verified e-mails).

3. sql in UserHelper::restoreEmail method isn't properly formatted (again).

4. you've added sql that sets EmailVerified = 1 to current user in UserHelper::validateUserCode method, why? Because of it any call to this method makes user's e-mail verified (e.g. during restoring his password)

5. variable $prev_emails is used before it's defined in u:sendEmailChangeEvent method.

6. names of new e-mail events are grammatically incorrect and should be:
- USER.EMAIL.CHANGE.UNDO
- USER.EMAIL.CHANGE.VERIFY

7. method u:sendStatusChangeEvent does directly change database, why not through user object at hand?

8. why create UserHelper:restoreEmail method if it's only used once? Tag u:RestoreEmail is pretty obvious name and it calls that method too.

9. could you please use approach, used in user registration with e-mail activation, where:
- tag placed on TPL in m_if performs a check
- ActivateUser tag is used to set user fields (EmailVerified field in this case)
(0004330)
erik (manager)
2011-12-27 12:49

Made changes by note 0004301
1. added in install_data.sql & upgrades.sql
2. made upgrade code
3. re-formatted sql in UserHelper::restoreEmail
4. My solution is abandoned by 9. Yes, my refused solution allowed e-mail validation also in the "forgot password" process.
5. Fixed.
6. Changed words sequence
7. method u:sendStatusChangeEvent does directly change database, not through user object at hand - to avoid recursion. It is called from u:OnAfterItemUpdate method.
8. UserHelper:restoreEmail method is created, because this method is rarely used - so there is used "lazy initialization" principle to minimize average memory amount, consumed by system.
9. Code reorganized to the new approach.

V2 patches attached - needs testing.
(0004375)
alex (manager)
2012-01-03 11:01

What was not done (fixed by me):
--------------------------------
1. missing "la_fld_EmailVerified", "lu_error_VerificationCodeNotValid" phrases
2. options not defined for EmailVerified field
3. field EmailVerified wasn't added into grid/simple interface preset
4. please use autocomplete when writing a code, since there is no kDBBase::GetId method, but there is kDBBase::GetID method
5. non-approved user was able to login after performing e-mail verification
6. e-mail status wasn't set to "non-verified" on e-mail change
7. field EmailVerified update failed (old values stayed) in e-mail restoring process
8. e-mail change e-mails were sent on e-mail restore confirmation too


What was done by Erik (not from task, but good to be done):
-------------------------------------------------------
1. fixes problem that u.register wasn't used in all registration related e-mails
2. instant registration had incorrect u.current object resulting sql error on auto-login attempt
(0004376)
alex (manager)
2012-01-03 11:02

Fix committed to 5.2.x branch. Commit Message:

Fixes 0000949: Change in user Email Validation process
Commit on behalf of Erik
(0005005)
alex (manager)
2012-07-25 05:32

Since 5.2.0 version was released.

- Related Changesets
In-Portal CMS: 5.2.x r14973
Timestamp: 2012-01-03 11:02:03
Author: alex
Fixes 0000949: Change in user Email Validation process
Commit on behalf of Erik
mod - /in-portal/branches/5.2.x/admin/system_presets/simple/users_u.php
mod - /in-portal/branches/5.2.x/core/admin_templates/users/users_edit.tpl
mod - /in-portal/branches/5.2.x/core/install/english.lang
mod - /in-portal/branches/5.2.x/core/install/install_data.sql
mod - /in-portal/branches/5.2.x/core/install/install_schema.sql
mod - /in-portal/branches/5.2.x/core/install/upgrades.sql
mod - /in-portal/branches/5.2.x/core/units/helpers/user_helper.php
mod - /in-portal/branches/5.2.x/core/units/users/users_config.php
mod - /in-portal/branches/5.2.x/core/units/users/users_event_handler.php
mod - /in-portal/branches/5.2.x/core/units/users/users_tag_processor.php

Themes :: Advanced: 1.2.x r14972
Timestamp: 2012-01-03 11:01:31
Author: alex
Bug 0000949: Change in user Email Validation process
mod - /themes/advanced/branches/1.2.x/_install/english.lang
add - /themes/advanced/branches/1.2.x/platform/my_account/restore_email.tpl
add - /themes/advanced/branches/1.2.x/platform/my_account/verify_email.tpl

- Issue History
Date Modified Username Field Change
2012-07-25 05:32 alex Note Added: 0005005
2012-07-25 05:32 alex Status resolved => closed
2012-01-03 11:02 alex Changeset attached 5.2.x r14973
2012-01-03 11:02 alex Note Added: 0004376
2012-01-03 11:02 alex Status reviewed and tested => resolved
2012-01-03 11:02 alex Fixed in Version => 5.2.0-B1
2012-01-03 11:02 alex Resolution open => fixed
2012-01-03 11:02 alex Assigned To !COMMUNITY => alex
2012-01-03 11:01 alex Changeset attached 1.2.x r14972
2012-01-03 11:01 alex Note Added: 0004375
2012-01-03 11:01 alex Assigned To alex => !COMMUNITY
2012-01-03 11:01 alex Status needs testing => reviewed and tested
2012-01-03 11:00 alex File Added: email_validation_themes_v3.patch
2012-01-03 11:00 alex File Added: email_validation_core_v3.patch
2012-01-03 10:38 alex Relationship added related to 0001188
2011-12-27 12:49 erik Note Added: 0004330
2011-12-27 12:49 erik Assigned To erik => alex
2011-12-27 12:49 erik Status needs work => needs testing
2011-12-27 12:48 erik File Added: email_validation_theme_v2_949.patch
2011-12-27 12:48 erik File Added: email_validation_core_v2_949.patch
2011-12-23 04:40 alex Note Added: 0004301
2011-12-23 04:40 alex Assigned To alex => erik
2011-12-23 04:40 alex Status needs testing => needs work
2011-12-22 06:21 erik Time Estimate Removed 2 =>
2011-12-22 06:21 erik Note Added: 0004297
2011-12-22 06:21 erik Assigned To erik => alex
2011-12-22 06:21 erik Developer => erik
2011-12-22 06:21 erik Status needs work => needs testing
2011-12-22 06:20 erik File Added: email_validation_theme_949.patch
2011-12-22 06:20 erik File Added: email_validation_core_949.patch
2011-12-21 02:37 alex Note Added: 0004289
2011-12-20 12:28 erik Note Added: 0004287
2011-12-18 22:22 Dmitry Assigned To => erik
2011-12-18 22:22 Dmitry Status active => needs work
2011-12-18 15:28 Dmitry Priority normal => minor
2011-10-22 05:38 alex Estimate Points => 2
2011-09-27 04:07 alex Time Estimate Added 2
2011-09-26 04:45 alex Additional Information Updated View Revisions
2011-09-23 21:28 Dmitry Target Version Icebox => 5.2.0
2010-12-13 11:14 Dmitry Target Version => Icebox
2010-12-13 11:14 Dmitry New Issue
2010-12-13 11:14 Dmitry Reference => Improved user Email Validation process
2010-12-13 11:14 Dmitry Change Log Message => https://groups.google.com/d/topic/in-portal-dev/jXn8GSp34Rc/discussion


