Membership verification via MD5 hash and email link


#1 Cris D.

Posted 07 December 2007 - 03:10 AM

I started today on writing a snippet that allows users to enter themselves into the etomite_users_attributes table.

On form submission, a row is made in an etomite_member_registration table and an email is sent to the supplied email address with a link back to the site with the md5#, shortname, longname, phone, mobile, password etc in $_POST[] fields.

On arrival back at the site, the $_POST['shortname'], $_POST['password'] and $_POST['md5hash'] fields are cross checked with the entry in the etomite_member_registration fields. If they match, the row is copied across to the etomite_user_attributes field, the temporary row is deleted, runSnippet performs an authenticate_visitor login and a success message is returned: user added, and logged in.

I was thinking of an admin interface also that allows an admin member to trim the "awaiting verification" rows and also to add user roles or group permissions to the snippet so that they can be automatically added to the relevant users' table.

Questions:
1) Is there anything major that I have not considered from a security (or other) perspective that I should have?
2) Has anyone already written anything similar that I could use to save time or can think of an easier alternative to verifying and validating a user-added membership?

#2 Ralph

Posted 07 December 2007 - 02:09 PM

Are you simply using user_attributes or are you also using the manager_users table...??? Unless I'm mistaken it sounds like you also want to have the ability to purge those entries which are never validated - something that wouldn't be too difficult to do, perhaps based on a time stamp... Depending on how busy this registration process will be you might even consider having the registration routine itself take care of the cleanup automatically after a pre-determined number of days...

#3 Cris D.

Posted 07 December 2007 - 09:07 PM

Yes, you are right, I would have to save data to both tables when the link is validated. The clean-up routine is a good idea, I have already added a timestamp to the temp table for sorting purposes which could be used for deleting purposes just as easily. I've been working on it and all is going well. I'm glad there isn't anything glaringly obvious security-wise that I overlooked...
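
The verification and clean-up flow discussed in this thread, as an added PHP example that is not part of any post and is not Etomite code: it assumes the e-mailed link carries only a random single-use token (rather than an MD5 value plus the submitted fields), that the password is stored only as a hash in the pending row, and that the row's timestamp drives expiry. The function names, the in-memory `$pending` array standing in for the temporary registration table, the 3-day lifetime and the example.org URL are assumptions.

```php
<?php
// Added example (PHP 7.4+). Function names, the in-memory $pending array that
// stands in for the temporary registration table, and the lifetime are assumptions.
const TOKEN_TTL = 3 * 86400; // seconds before an unvalidated row is purged

// Create a pending row; returns the token to embed in the e-mailed link.
function create_pending(array &$pending, string $shortname, string $password, int $now): string {
    $token = bin2hex(random_bytes(32));       // unguessable, not derived from user data
    $pending[hash('sha256', $token)] = [      // only a hash of the token is stored
        'shortname' => $shortname,
        'pwhash'    => password_hash($password, PASSWORD_DEFAULT), // password never leaves the server
        'created'   => $now,
    ];
    return $token;
}

// Delete rows that were never validated within the lifetime; returns how many were removed.
function purge_expired(array &$pending, int $now): int {
    $before  = count($pending);
    $pending = array_filter($pending, fn($row) => $now - $row['created'] <= TOKEN_TTL);
    return $before - count($pending);
}

// Consume the token from the link; returns the row to copy into the user tables, or null.
function verify_pending(array &$pending, string $token, int $now): ?array {
    purge_expired($pending, $now);            // clean-up runs as part of registration handling
    $key = hash('sha256', $token);
    if (!isset($pending[$key])) {
        return null;                          // unknown, expired or already used
    }
    $row = $pending[$key];
    unset($pending[$key]);                    // single use: a replayed link fails
    return $row;
}

// Constructed demo data
$pending = [];
$t0      = 1197000000;
$token   = create_pending($pending, 'cris', 'correct horse', $t0);
echo "Link: https://example.org/verify?token=$token\n";
var_dump(verify_pending($pending, 'not-the-token', $t0 + 60));     // wrong token
var_dump(verify_pending($pending, $token, $t0 + 60)['shortname']); // valid link
var_dump(verify_pending($pending, $token, $t0 + 120));             // replay of a used link
$late = create_pending($pending, 'ralph', 'another pass', $t0);
var_dump(verify_pending($pending, $late, $t0 + TOKEN_TTL + 1));    // expired link
```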




