Allow podmins to optionally require email sign-up verification


(goob) #1

I know that some people are against the idea of diaspora* forcing people to provide a valid email address or to confirm their real identity in any way.

But is there a reason why podmins should not be able to configure their individual pod to require a valid email address?

I ask because this was raised recently by a podmin whose pod has been the target of a sustained campaign of spam/spoof account sign-ups. Their concern seems valid; if a pod is being targeted in such a way, or if a podmin is more comfortable with requiring email confirmation, why should they not be able to protect their pod or reduce the amount of maintenance required to keep on top of such accounts?

I think this would be a good option in the pod configuration. It should be set to FALSE by default, to be enabled only if the podmin requires it.

Whether or not the pod requires email verification could be exposed in the node-info, so that Pod Uptime and the Federation stats site could show whether or not email is required when someone is choosing a pod.


(Flaburgan) #2

We need a way to verify e-mail addresses anyway, to avoid writing to non-existing ones. I’d say that feature is not here because it has to be built, not because we don’t want it :wink:


(Dennis Schubert) #3

Fun fact: the feature is already here, because you need to verify your email address when changing email addresses.

I’m all for it. :slight_smile:


(Deus Figendi) #4

As long as it is optional and there are some pods one can use anonymously/pseudonymously, I’m very fine with this.
It should also be communicated if the mail address is required or not; so I don’t need to try around until I find an anonymous pod.


(goob) #5

@deusfigendi, thanks for making that point. I intended to include the suggestion that this information would be included in the node-info so that Pod Uptime etc can list it. I’ve just added that to my original post; thank you again.


(Benjamin Neff) #6

Me too, as a podmin it’s very handy to have a working contact address for the case that something is wrong with an account. Also it would reduce bounces a lot.

Email-verification should always be necessary, not only on change, but maybe we can allow podmins to make emails optional so they aren’t required on sign-up.


(David Thiery) #7

I was just coming here to request this very thing. I’ve been noticing a LOT of bot accounts lately, all with invalid email addresses.


(goob) #8

Great stuff!

As the feature is already in the code, hopefully it won’t be difficult to extend it to act on sign-ups. As there’s an increasing issue with bots at the moment, does anyone feel like taking this on for inclusion in 0.7.9.0?


(Benjamin Neff) #9

Well, it is partly in the code: it’s used to verify an email when somebody changes it, and until it’s verified the old email is still used. But sadly that can’t just be switched on for registrations. It needs to be defined what happens when a user doesn’t verify it. If there should be an option so podmins can turn the verification off, that needs to be added too, and diaspora needs to allow adding no email (instead of forcing the user to enter a fake one).

Since I just froze 0.7.9.0 it’s too late anyway, but I also don’t know if anybody has the time to do it for the next release.