SOCIALACCOUNT_EMAIL_REQUIRED False with ACCOUNT_EMAIL_VERIFICATION mandatory leads to "stuck" users #3146

Open
riconnon opened this issue Aug 27, 2022 · 8 comments

Comments

@riconnon
Contributor

If using the following settings:

ACCOUNT_EMAIL_VERIFICATION = 'mandatory'
ACCOUNT_EMAIL_REQUIRED = True
SOCIALACCOUNT_EMAIL_REQUIRED = False

Users are able to sign up with a social account, then not provide an email address, but will still be expected to verify their non-email address.
I think it would make sense for ACCOUNT_EMAIL_VERIFICATION to indicate that it is required iff the user has an email address, but not otherwise.

@derek-adair

A rare valid bug!!!

I disagree w/ the user's suggestion here. These are conflicting settings and allauth should probably detect this and throw a warning.
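
An added example, not part of this thread and not allauth's own code: a stand-alone check that flags the settings combination reported in this issue, in the spirit of the warning suggested in the comment above. The function names are hypothetical, and the defaults used (SOCIALACCOUNT_* values inheriting the ACCOUNT_* ones, verification "optional", email not required) are assumptions based on allauth's documented defaults.

```python
from types import SimpleNamespace


def effective_email_settings(settings):
    """Resolve the email settings, applying the assumed allauth fallbacks."""
    # Assumed defaults: email not required, verification "optional".
    required = getattr(settings, "ACCOUNT_EMAIL_REQUIRED", False)
    verification = getattr(settings, "ACCOUNT_EMAIL_VERIFICATION", "optional")
    return {
        "ACCOUNT_EMAIL_REQUIRED": required,
        "ACCOUNT_EMAIL_VERIFICATION": verification,
        # Assumed: unset SOCIALACCOUNT_* values inherit the ACCOUNT_* ones.
        "SOCIALACCOUNT_EMAIL_REQUIRED": getattr(
            settings, "SOCIALACCOUNT_EMAIL_REQUIRED", required),
        "SOCIALACCOUNT_EMAIL_VERIFICATION": getattr(
            settings, "SOCIALACCOUNT_EMAIL_VERIFICATION", verification),
    }


def check_social_email_conflict(settings):
    """Return warnings for combinations that can strand social signups."""
    eff = effective_email_settings(settings)
    warnings = []
    if (eff["SOCIALACCOUNT_EMAIL_VERIFICATION"] == "mandatory"
            and not eff["SOCIALACCOUNT_EMAIL_REQUIRED"]):
        warnings.append(
            "SOCIALACCOUNT_EMAIL_REQUIRED is False while email verification "
            "is mandatory for social signups: a user who signs up without "
            "an email address has nothing to verify and cannot proceed."
        )
    return warnings


# Constructed sample configurations (not from a real project).
ISSUE_CONFIG = SimpleNamespace(  # the combination reported in this issue
    ACCOUNT_EMAIL_VERIFICATION="mandatory",
    ACCOUNT_EMAIL_REQUIRED=True,
    SOCIALACCOUNT_EMAIL_REQUIRED=False,
)
INHERITED_CONFIG = SimpleNamespace(  # social settings left unset
    ACCOUNT_EMAIL_VERIFICATION="mandatory",
    ACCOUNT_EMAIL_REQUIRED=True,
)
SPLIT_CONFIG = SimpleNamespace(  # verification relaxed for social signups only
    ACCOUNT_EMAIL_VERIFICATION="mandatory",
    ACCOUNT_EMAIL_REQUIRED=True,
    SOCIALACCOUNT_EMAIL_REQUIRED=False,
    SOCIALACCOUNT_EMAIL_VERIFICATION="optional",
)

if __name__ == "__main__":
    for name in ("ISSUE_CONFIG", "INHERITED_CONFIG", "SPLIT_CONFIG"):
        print(name, check_social_email_conflict(globals()[name]) or "consistent")
```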

@derek-adair

@pennersr looks like we have some kinda spam bot here? Dunno what this Facebook link is about.

Repository owner deleted a comment Aug 19, 2023
Repository owner deleted a comment Aug 19, 2023
@riconnon
Contributor Author

@derek-adair
fwiw the configuration I would like is that a user must provide a valid email and verify it if they do not set up any kind of social auth during signup

@flange-ipb

Isn't the SOCIALACCOUNT_EMAIL_VERIFICATION configuration option addressing exactly this issue?

@riconnon
Contributor Author

SOCIALACCOUNT_EMAIL_VERIFICATION seems to require that all users must verify an email, which they cannot if they did not provide one.

@derek-adair

derek-adair commented Sep 22, 2023

I am trying to understand what your specific use case for this configuration is. Could you elaborate on why you feel the need to verify emails if they do not sign up w/ social? It seems like you should either rely on it being verified or not.

Also I need to understand exactly what state the user is in before I would change my mind on this one (not that it matters, @pennersr is the final say, I'm just the triage monkey).

For example, I can imagine if you'd like to accept social logins that do not have emails then the user should be prompted to add an email, not verify one.

@riconnon
Contributor Author

The use-case is to avoid trivial account signup "spam".
In the case of a social account I'm offloading the handling of that to the third-party provider, but if they sign up directly I want the email verification to raise the bar a little on how easy it is to repeatedly sign up.

@derek-adair

I'm not asking "why verify email addresses for direct signups". I'm asking why not verify email for both social signups AND direct signups? If "spam" is your concern then it would seem important that your 3rd party services provide you with an email address you can verify.
