[Wikitech-l] Require Email Validation before login hack

Hi, Just want opinions if my hack is valid, secure, or if there are any loop-holes you see, or if there are improvements you might suggest: The objective is to require users to confirm their email addresses before they can login. This may be useful in intranet settings, not public ones. So, here's a psuedo-code step-by-step if you're interested. I've implemented it and it seems to work well. Files to modify: 1. includes\SpecialUserlogin.php A) function AddNewAccount() The system will log you in automatically without confirming your email address. Add code here to refuse logins and force a $wgUser->logout() call. Example: if (!$u->isEmailConfirmed()) ...show error message ...log user out B) function processLogin() The other step to cover is when the user tries a regular login by clicking the login button. Again, do the same check as you did in part A, but remove the logout() since that is not necessary (user is not logged in yet). 2. LocalSettings.php Have the following: $wgGroupPermissions['*' ]['createaccount'] = true; $wgGroupPermissions['*' ]['read'] = false; $wgGroupPermissions['*' ]['edit'] = false; $wgEmailAuthentication = true; This requires users to log-in first before they can read or write. 3. index.php We need to modify index.php because when a confirmation link is sent to your email to verify your address, the system wants you to login first in order to validate it! But you can't since your login is now rejected after our modifications. Look for this in index.php if ( !is_null( $wgTitle ) && !$wgTitle->userCanRead()) This is what's preventing you from confirming your email address. Your email confirmation link is going to Special:Confirmemail. Write a function that parses your $_GET[title] for the string Special:Confirmemail and returns true if it finds it. You can stuff the function somewhere to keep the code neat...I temporarily stuffed it in localsettings.php. Then add your function to the line: if ( !is_null( $wgTitle ) && !$wgTitle->userCanRead() && !areYouConfirmingEmail()) That's all folks. Hope it's correct, and useful, and bug free. Comments, criticisms welcome.