Last modified: 2005-10-10 08:16:00 UTC
I suggest changing our signup process so that any email
addresses submitted will be verified in a way similar to Mailman's
opt-in process. (Users not giving an email address obviously
should remain unaffected.) This verification procedure should
also be triggered/required if/when users submit an email address
later and with any change to the email address.
It's only a minor inconvenience to users signing up and it's
probably best practice to do it.
Dear friends, e-mails returned with failure because of the header
item "Return-path: <email@example.com>" should be processed in
the "system" too. This should disable the "email tis user" function
and prompt to these users during login to go trough the e-mail
verification again. If a feedback could be given to the sender it
would be great.
I think, the blocker can be justified after a recent discussion with Brion about
a certain scenario with temp.passwords mailed to not-yet-authenticated address.
Disclaimer, because I am not fully sure, if the scenario can be exploited to
hijack an account:
In case that I was over-reacting, pls. apologize and silently remove the blocker.
I don't see any way you could hijack an account using the temp password
mechanism - you'd have to already have control of the account to set the
password, authenticated or not. But I wasn't party to this discussion, so I
won't touch anything here.
We already have this functionality; it's a configuration issue.
Been there for some time. Resolving FIXED.
Please mention where? Becuase I sure in the heck don't see anything for it
It's configured during MediaWiki installation, in the email options section.
(In reply to comment #7)
> It's configured during MediaWiki installation, in the email options section.
see also switch $wgEmailAuthentication and documentation (see