Hi,
Just want opinions if my hack is valid, secure, or if there are any
loop-holes you see, or if there are improvements you might suggest:
The objective is to require users to confirm their email addresses
before they can login. This may be useful in intranet settings, not
public ones.
So, here's a pseudo-code step-by-step if you're interested. I've
implemented it and it seems to work well.
Files to modify:
1. includes\SpecialUserlogin.php
A) function AddNewAccount()
The system will log you in automatically without confirming your email
address. Add code here to refuse logins and force a $wgUser->logout() call.
Example:
    if ( !$u->isEmailConfirmed() ) {
        // ...show error message
        // ...log user out
        $wgUser->logout();
    }
B) function processLogin()
The other step to cover is when the user tries a regular login by
clicking the login button. Again, do the same check as you did in part
A, but remove the logout() since that is not necessary (user is not
logged in yet).
2. LocalSettings.php
Have the following:
$wgGroupPermissions['*' ]['createaccount'] = true;
$wgGroupPermissions['*' ]['read'] = false;
$wgGroupPermissions['*' ]['edit'] = false;
$wgEmailAuthentication = true;
This requires users to log-in first before they can read or write.
3. index.php
We need to modify index.php because when a confirmation link is sent to
your email to verify your address, the system wants you to login first
in order to validate it! But you can't since your login is now rejected
after our modifications.
Look for this in index.php
if ( !is_null( $wgTitle ) && !$wgTitle->userCanRead())
This is what's preventing you from confirming your email address. Your
email confirmation link is going to Special:Confirmemail. Write a
function that parses your $_GET[title] for the string
Special:Confirmemail and returns true if it finds it. You can stuff the
function somewhere to keep the code neat...I temporarily stuffed it in
LocalSettings.php.
Then add your function to the line:
if ( !is_null( $wgTitle ) && !$wgTitle->userCanRead() &&
!areYouConfirmingEmail())
That's all folks. Hope it's correct, and useful, and bug free.
Comments, criticisms welcome.
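
One way to write the areYouConfirmingEmail() check from step 3, as an added example that is not part of the original post and not MediaWiki code: it matches the whole title parameter against Special:Confirmemail/<token> instead of searching for the string anywhere in it, so only the confirmation link skips the read check. Assumptions: the title arrives in the query string, the canonical English page name is used, and the token is 32 lowercase hex characters.

```php
<?php
/**
 * Added example (not MediaWiki code). Returns true only when the title
 * parameter is exactly Special:Confirmemail/<token>.
 * Assumption: the token is 32 lowercase hex characters; adjust the pattern
 * if your MediaWiki version issues a different format.
 *
 * @param array|null $query request parameters; defaults to $_GET
 * @return bool
 */
function areYouConfirmingEmail( $query = null ) {
    if ( $query === null ) {
        $query = $_GET;
    }
    // A missing parameter or array input (title[]=...) is never a match.
    if ( !isset( $query['title'] ) || !is_string( $query['title'] ) ) {
        return false;
    }
    // MediaWiki treats spaces and underscores in titles as equivalent.
    $title = str_replace( ' ', '_', trim( $query['title'] ) );
    // \A and \z anchor the whole string, so a title that merely contains
    // "Special:Confirmemail" does not get the exemption.
    $pattern = '/\ASpecial:Confirmemail\/[0-9a-f]{32}\z/';
    return preg_match( $pattern, $title ) === 1;
}

// Constructed sample requests (the token is made up, not a real one).
$token = str_repeat( 'a1', 16 );
$samples = array(
    'confirmation link'       => array( 'title' => 'Special:Confirmemail/' . $token ),
    'page name without token' => array( 'title' => 'Special:Confirmemail' ),
    'string inside a title'   => array( 'title' => 'Notes_on_Special:Confirmemail' ),
    'ordinary page'           => array( 'title' => 'Main_Page' ),
    'title sent as array'     => array( 'title' => array( 'Special:Confirmemail' ) ),
    'no title parameter'      => array(),
);
foreach ( $samples as $label => $query ) {
    $result = areYouConfirmingEmail( $query ) ? 'exempt' : 'read check applies';
    printf( "%-26s %s\n", $label, $result );
}
```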