Add-ons
  1. Add-ons
  2. CONTRIB-1444

Authentication: Add option for admin to confirm email based self-registrations

    Details

    • Type: New Feature New Feature
    • Status: Open
    • Priority: Minor Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.9
    • Fix Version/s: None
    • Labels:
      None
    • Affected Branches:
      MOODLE_19_STABLE
    • Rank:
      21430

      Description

      Per http://moodle.org/mod/forum/discuss.php?d=97938 there is a request to have the admin confirm a self-based registration. This could be implemented in one of two ways. Require a double confirmation or send the email confirmation notice to the system admin (or preferably a send confirmations to email address). So this would require two additional settings to the self-based registration. A yes/no Require Admin Approval option and a send confirmation email to admin. In order to actually confirm the email address, I think the user should have to confirm; however, they are not allowed to use the system until a second confirmation by the system admin. So upon confirmation an email would be sent to the admin with a link to finalize the confirmation and enable the account. Once enabled, a second email is sent to the user notifying them that the account is confirmed and ready to use. I do not think this will be too difficult to implement and would allow a nice combination of freedom to allow email based self-registration while limiting the threat of spam bots creating a bunch of accounts. Peace - Anthony

        Issue Links

          Activity

          Hide
          Peter Wallace added a comment -

          I would very much like to have this option.

          Another related option I would like is to have the equivalent of an enrollment key for creating accounts.

          Show
          Peter Wallace added a comment - I would very much like to have this option. Another related option I would like is to have the equivalent of an enrollment key for creating accounts.
          Hide
          Martin Dougiamas added a comment -

          I'm happy to have this implemented if people think it's useful (I see it has a lot of votes!), but is it really useful?

          My question is: will an admin actually be able to tell whether a new account is a spammer or not?

          If they are looking at the email address to tell this then they could use the automated domain filtering to avoid this manual work. Otherwise I think this would just be one of those measures that results in escalating admin workload to blindly approve all the email they'll start getting. Please tell me if you think it'd be useful anyway!

          I like the idea from Peter Wallace about a key to create accounts.

          Another one might be to rate-limit the amount of accounts that can be created from one IP address to 1 per 24 hours or something.

          Show
          Martin Dougiamas added a comment - I'm happy to have this implemented if people think it's useful (I see it has a lot of votes!), but is it really useful? My question is: will an admin actually be able to tell whether a new account is a spammer or not? If they are looking at the email address to tell this then they could use the automated domain filtering to avoid this manual work. Otherwise I think this would just be one of those measures that results in escalating admin workload to blindly approve all the email they'll start getting. Please tell me if you think it'd be useful anyway! I like the idea from Peter Wallace about a key to create accounts. Another one might be to rate-limit the amount of accounts that can be created from one IP address to 1 per 24 hours or something.
          Hide
          Jonathan Moore added a comment -

          I like the concept, although you make good points about this not always being effective other than to make work. I had always assumed an approval system would have an admin GIU with a series of check boxes and a select all option, rather than the email based interface suggested. I could see points for either or both though now that I have re-read this request.

          I think it could be a useful option for some administrators to have. Its not a fix all, but if it had good mass approval options it could still be useful for the right administrator to notice strange patterns in new registrations.

          Show
          Jonathan Moore added a comment - I like the concept, although you make good points about this not always being effective other than to make work. I had always assumed an approval system would have an admin GIU with a series of check boxes and a select all option, rather than the email based interface suggested. I could see points for either or both though now that I have re-read this request. I think it could be a useful option for some administrators to have. Its not a fix all, but if it had good mass approval options it could still be useful for the right administrator to notice strange patterns in new registrations.
          Hide
          Michael Buchanan added a comment -

          For my organization, I have a potential user base of 5,000 or so. Currently, only a fraction of that is registered. I like the idea of this feature because most of the time I would be able to tell immediately if the account creation request was valid just by looking at the email domain. If there was an email domain that I did not recognize, I could write back to that person and ask for additional proof or references that they had the right to register on the site (or put in a References field in the signup page.)

          I think the time savings in allowing the valid users to self-enroll would outweigh the pain in finding out if some addresses where authorized or not. That may be a naive assumption but there's my 2 cents

          Show
          Michael Buchanan added a comment - For my organization, I have a potential user base of 5,000 or so. Currently, only a fraction of that is registered. I like the idea of this feature because most of the time I would be able to tell immediately if the account creation request was valid just by looking at the email domain. If there was an email domain that I did not recognize, I could write back to that person and ask for additional proof or references that they had the right to register on the site (or put in a References field in the signup page.) I think the time savings in allowing the valid users to self-enroll would outweigh the pain in finding out if some addresses where authorized or not. That may be a naive assumption but there's my 2 cents
          Hide
          Mark Drechsler added a comment -

          I'm voting for this as even though I can see Michael's point of view about the relative administrative workloads - I think its a case of this being a useful function for some Moodle sites (including it would seem quite a few people who have already voted for the change).

          Show
          Mark Drechsler added a comment - I'm voting for this as even though I can see Michael's point of view about the relative administrative workloads - I think its a case of this being a useful function for some Moodle sites (including it would seem quite a few people who have already voted for the change).
          Hide
          Jeff Johnson added a comment -

          Mark's on the right track about this. This is a really inefficient way of dealing with spam, and if all legit users have the same email domain then the "Allowed email domains" setting takes care of that.

          But as a adjunct at three different schools, I use Moodle to centralize my LMS content. A second-tier approval process would be useful to make sure that I'm only enrolling my students rather than the whole world. That's where I see the virtue of this: a setting where (a) registrations need to be checked against a list of specific users, and (b) specific information is needed from the user-like the email address that they actually use as opposed to the institutional one that they ignore-that makes manual registration impractical.

          Of course, I'm not sure how widespread such needs are. That may be a pretty narrow need that makes a built-in solution more trouble than it's worth.

          Show
          Jeff Johnson added a comment - Mark's on the right track about this. This is a really inefficient way of dealing with spam, and if all legit users have the same email domain then the "Allowed email domains" setting takes care of that. But as a adjunct at three different schools, I use Moodle to centralize my LMS content. A second-tier approval process would be useful to make sure that I'm only enrolling my students rather than the whole world. That's where I see the virtue of this: a setting where (a) registrations need to be checked against a list of specific users, and (b) specific information is needed from the user- like the email address that they actually use as opposed to the institutional one that they ignore -that makes manual registration impractical. Of course, I'm not sure how widespread such needs are. That may be a pretty narrow need that makes a built-in solution more trouble than it's worth.
          Hide
          Jeff Johnson added a comment -

          My bad--I overlooked that Martin already pointed out the automated domain filtering.

          Show
          Jeff Johnson added a comment - My bad--I overlooked that Martin already pointed out the automated domain filtering.
          Hide
          Ray Lawrence added a comment -

          If implemented this should have the option to select account "approvers" who are not necessarily admins - see the new course request interface for how this should work.

          Show
          Ray Lawrence added a comment - If implemented this should have the option to select account "approvers" who are not necessarily admins - see the new course request interface for how this should work.
          Hide
          Andrew Binder added a comment -

          Placed my vote for this option. while I certainly would like to have "approvers" as Ray has noted or other ways to confirm beyond a simple email address. I see no reason that I could not simply email the requests that I do not know and confirm who they are as Micheal has noted. Currently we have our users going through a two step process one where they sign in to our phpbb forum site that has an administrative approval process. Moodle then looks to this phpbb database of user to allow access. It should would be nice to have only one step in this process. Andy

          Show
          Andrew Binder added a comment - Placed my vote for this option. while I certainly would like to have "approvers" as Ray has noted or other ways to confirm beyond a simple email address. I see no reason that I could not simply email the requests that I do not know and confirm who they are as Micheal has noted. Currently we have our users going through a two step process one where they sign in to our phpbb forum site that has an administrative approval process. Moodle then looks to this phpbb database of user to allow access. It should would be nice to have only one step in this process. Andy
          Hide
          Patrick Sennett added a comment -

          I heartily support this process / feature. It would help me by allowing us control over who could create accounts, and give us a chance to double check that they have set up their account properly and to immediately place them in their proper group (in my case, it's emergency medical services agency) at the outset. So two thumbs-up on this one.

          Show
          Patrick Sennett added a comment - I heartily support this process / feature. It would help me by allowing us control over who could create accounts, and give us a chance to double check that they have set up their account properly and to immediately place them in their proper group (in my case, it's emergency medical services agency) at the outset. So two thumbs-up on this one.
          Hide
          Daren Afshar added a comment -

          I with most of you. This feature may seem redundant to some but is absolutely necessary. If implemented as an option, whomever does not need not simply needs not use it.

          Show
          Daren Afshar added a comment - I with most of you. This feature may seem redundant to some but is absolutely necessary. If implemented as an option, whomever does not need not simply needs not use it.
          Hide
          Daren Afshar added a comment -

          By the way, it's been almost a year since this was first posted. Any update on IF and WHEN this will actually be implemented?

          Show
          Daren Afshar added a comment - By the way, it's been almost a year since this was first posted. Any update on IF and WHEN this will actually be implemented?
          Hide
          Anthony Borrow added a comment -

          Daren - My impression was that this will not be implemented in Moodle core; however, if someone would like to provide a patch I would be happy to put it in CONTRIB where folks could use it as a patch. If there is no objection, I am going to move this to CONTRIB so that there is some clarity about where this code would go. Peace - Anthony

          Show
          Anthony Borrow added a comment - Daren - My impression was that this will not be implemented in Moodle core; however, if someone would like to provide a patch I would be happy to put it in CONTRIB where folks could use it as a patch. If there is no objection, I am going to move this to CONTRIB so that there is some clarity about where this code would go. Peace - Anthony
          Hide
          Anthony Borrow added a comment -

          Petr - I am going to leave this assigned to you for now; however, feel free to re-assign to Nobody and we will wait and see if someone provides a patch that I can put in to CONTRIB. Peace - Anthony

          Show
          Anthony Borrow added a comment - Petr - I am going to leave this assigned to you for now; however, feel free to re-assign to Nobody and we will wait and see if someone provides a patch that I can put in to CONTRIB. Peace - Anthony
          Hide
          Stephen Glanville added a comment -

          Hi Folks,

          My 2 Bobs worth....

          I think this option is generally a good idea...however, without diminishing other's requests for having a double confirmation process, I am more interested in an option for Admin to receive a notification email whenever there is a new registration. It would appear to me that such an option would be more simple to implement and serves a similar purpose. i.e. The admin still has to be present to check either that a new registration has occurred or that one requires confirmation. Even with a simple notification, if I consider the new registration dubious I can still unconfirm/delete the account manually...which is effectively the same process as a second confirmation without necessity for further email configuration and therefore more complicated server-side security protocols.

          Re: Admin Notification of New Registrations via email - There is a line of code (mentioned in a forum post in 2008 here - http://moodle.org/mod/forum/discuss.php?d=92958), which I have tried...but given that my installation is not sending confirmation emails (for details see my post here - http://moodle.org/mod/forum/discuss.php?d=141695#p644809), I have no way of verifying it's efficacy...yet.

          Thanks

          Stephen Glanville

          Show
          Stephen Glanville added a comment - Hi Folks, My 2 Bobs worth.... I think this option is generally a good idea...however, without diminishing other's requests for having a double confirmation process, I am more interested in an option for Admin to receive a notification email whenever there is a new registration. It would appear to me that such an option would be more simple to implement and serves a similar purpose. i.e. The admin still has to be present to check either that a new registration has occurred or that one requires confirmation. Even with a simple notification, if I consider the new registration dubious I can still unconfirm/delete the account manually...which is effectively the same process as a second confirmation without necessity for further email configuration and therefore more complicated server-side security protocols. Re: Admin Notification of New Registrations via email - There is a line of code (mentioned in a forum post in 2008 here - http://moodle.org/mod/forum/discuss.php?d=92958 ), which I have tried...but given that my installation is not sending confirmation emails (for details see my post here - http://moodle.org/mod/forum/discuss.php?d=141695#p644809 ), I have no way of verifying it's efficacy...yet. Thanks Stephen Glanville
          Hide
          Chris Collman added a comment -

          I would like a specific email address to be notified when there is a self registration. This is not about spam but more about a loose level of security. On several sites I work with, we would task someone with checking on 0 to 10 self registrations a week.

          There are different kinds of support. At least I would like to see $supportuser email go to someplace that an administrator can change it. Perhaps similar to the Course request pulldown.

          I would like to see support user field/pulldown under security>notifications. This is also the logical place to perhaps have a check box for "email supportuser after self enrolment request" and "email supportuser after self enrolment request confirmed".

          I do note the feature in 1.9.9+ where site administration>users>bulk user actions> advanced >"first access is after" will create a filter, then someone can perform a download in text, ods or excel. There is no date, or reprinting of the parameter on the download. This is an issue and someone has to be told to do it on a periodic basis, then keep track of who they already checked.

          I am not a big fan of hacking moodlelib.php code. But realize this is the beauty of Moodle.

          Chris

          Show
          Chris Collman added a comment - I would like a specific email address to be notified when there is a self registration. This is not about spam but more about a loose level of security. On several sites I work with, we would task someone with checking on 0 to 10 self registrations a week. There are different kinds of support. At least I would like to see $supportuser email go to someplace that an administrator can change it. Perhaps similar to the Course request pulldown. I would like to see support user field/pulldown under security>notifications. This is also the logical place to perhaps have a check box for "email supportuser after self enrolment request" and "email supportuser after self enrolment request confirmed". I do note the feature in 1.9.9+ where site administration>users>bulk user actions> advanced >"first access is after" will create a filter, then someone can perform a download in text, ods or excel. There is no date, or reprinting of the parameter on the download. This is an issue and someone has to be told to do it on a periodic basis, then keep track of who they already checked. I am not a big fan of hacking moodlelib.php code. But realize this is the beauty of Moodle. Chris
          Hide
          Anthony Borrow added a comment -

          For those watching CONTRIB-1444, Petr has assigned this to nobody which means it is open season for whoever might be willing to provide a patch that implements the desired functionality. If you are interested in giving it a shot just let me know. I'm happy to give suggestions, help test, etc. but it is unlikely that I will have time to write the patch. Peace - Anthony

          Show
          Anthony Borrow added a comment - For those watching CONTRIB-1444 , Petr has assigned this to nobody which means it is open season for whoever might be willing to provide a patch that implements the desired functionality. If you are interested in giving it a shot just let me know. I'm happy to give suggestions, help test, etc. but it is unlikely that I will have time to write the patch. Peace - Anthony
          Hide
          Anthony Borrow added a comment -

          p.s. - I've assigned this to myself just to keep it on the radar but I will not be working on creating a patch and will happily re-assign to whomever wishes to write the patch.

          Show
          Anthony Borrow added a comment - p.s. - I've assigned this to myself just to keep it on the radar but I will not be working on creating a patch and will happily re-assign to whomever wishes to write the patch.
          Hide
          Helen Foster added a comment -

          Anthony, since this issue has lots of votes, I'm wondering whether it should be changed from a contrib issue to an MDL one, so that we can consider adding the feature to a future version of Moodle?

          Show
          Helen Foster added a comment - Anthony, since this issue has lots of votes, I'm wondering whether it should be changed from a contrib issue to an MDL one, so that we can consider adding the feature to a future version of Moodle?
          Hide
          Ray Lawrence added a comment -

          As the "Admin" in Moodle 2 is now somewhat different to previous versions it's more important that approvers can be selected individually or by role. See the course requests model.

          Show
          Ray Lawrence added a comment - As the "Admin" in Moodle 2 is now somewhat different to previous versions it's more important that approvers can be selected individually or by role. See the course requests model.
          Hide
          Anthony Borrow added a comment -

          Helen - I think this started out as a MDL issue and was switched to CONTRIB in the hopes of writing a patch similar to what I did for the forum approval patch. I've not time to work on this at the moment but I can see where arguments can be made on either side. It may be worth a discussion in the forums to determine whether it is really helpful or not. I'm open to do whatever is most beneficial to the community. After a bit of discussion, then perhaps HQ can determine whether or not to include it. Peace - Anthony

          Show
          Anthony Borrow added a comment - Helen - I think this started out as a MDL issue and was switched to CONTRIB in the hopes of writing a patch similar to what I did for the forum approval patch. I've not time to work on this at the moment but I can see where arguments can be made on either side. It may be worth a discussion in the forums to determine whether it is really helpful or not. I'm open to do whatever is most beneficial to the community. After a bit of discussion, then perhaps HQ can determine whether or not to include it. Peace - Anthony
          Hide
          Minh-Tam Nguyen added a comment -

          Something of this sort has come up for us as well:
          We would like to allow our teachers to create accounts for specific trusted people. For instance, if a Lecturer has scheduled an industry partner to come in and teach for a couple of sessions, the teacher should be allowed to make an account, or vouch for the new account in a way or another, without the administrator having to get involved.

          My thinking so far is that there could be a user account creation form that all (or a subset of) authenticated users could use. They could enter the details of the person they would like to have an account, and an email with the details would be sent to newly invited user. The user could then finalise the account creation process by clicking a link and choosing a password.

          Cheers,
          Minh-Tam

          Show
          Minh-Tam Nguyen added a comment - Something of this sort has come up for us as well: We would like to allow our teachers to create accounts for specific trusted people. For instance, if a Lecturer has scheduled an industry partner to come in and teach for a couple of sessions, the teacher should be allowed to make an account, or vouch for the new account in a way or another, without the administrator having to get involved. My thinking so far is that there could be a user account creation form that all (or a subset of) authenticated users could use. They could enter the details of the person they would like to have an account, and an email with the details would be sent to newly invited user. The user could then finalise the account creation process by clicking a link and choosing a password. Cheers, Minh-Tam
          Hide
          Dicker Bub added a comment -

          I would really appreciate an inbuilt solution to this task; also in v2. of moodle!

          Show
          Dicker Bub added a comment - I would really appreciate an inbuilt solution to this task; also in v2. of moodle!
          Hide
          Nyle Landas added a comment -

          Most of our users are LDAP but they do not come from the same domain. They are coming from any domain their email is hosted on. As such I can't restrict to domains. We also have small groups of frequently changing users that are not in our x.500 tree(LDAP). As such having them self-register is very, very handy. The recommended feature above would be great. Have them register with the system, confirm their email and then the admin gets notified to actually confirm their account. It would be amazing if the email to the admin could include direct links to confirm or delete the account.

          Show
          Nyle Landas added a comment - Most of our users are LDAP but they do not come from the same domain. They are coming from any domain their email is hosted on. As such I can't restrict to domains. We also have small groups of frequently changing users that are not in our x.500 tree(LDAP). As such having them self-register is very, very handy. The recommended feature above would be great. Have them register with the system, confirm their email and then the admin gets notified to actually confirm their account. It would be amazing if the email to the admin could include direct links to confirm or delete the account.
          Show
          Derek Chirnside added a comment - News on this, hot off the press: https://moodle.org/mod/forum/discuss.php?d=97938#p948391 https://github.com/hrimhari/moodle-auth_emailadmin -Derek
          Hide
          Marcin Stanowski added a comment -

          That's what I was waiting for so long. Well, I installed it and tested and it works as it should, no errors. But now, something bugs me, why nobody is mentioning it. I really thought it is a uniquely important feature and now nobody cares about it and it is not even in the official plugin database. Is there something wrong with that?

          Show
          Marcin Stanowski added a comment - That's what I was waiting for so long. Well, I installed it and tested and it works as it should, no errors. But now, something bugs me, why nobody is mentioning it. I really thought it is a uniquely important feature and now nobody cares about it and it is not even in the official plugin database. Is there something wrong with that?
          Hide
          Derek Chirnside added a comment -

          Marcin, the person to ask may be Anthony Borrow.
          There is an approval process, Felipe refers to it in his post that he is waiting for this to complete, that he is still waiting for approval. Sometimes these things just get bumped off the priority list. I did check the plugins database, I cannot find it there yet.

          -Derek

          Show
          Derek Chirnside added a comment - Marcin, the person to ask may be Anthony Borrow. There is an approval process, Felipe refers to it in his post that he is waiting for this to complete, that he is still waiting for approval. Sometimes these things just get bumped off the priority list. I did check the plugins database, I cannot find it there yet. -Derek
          Hide
          Anthony Borrow added a comment -

          It would be nice if the creator of the plugin would consider adding it to Moodle Plugins. To that end, I created https://github.com/hrimhari/moodle-auth_emailadmin/issues/1 to see if they might be interested. If not, perhaps someone might be willing to use the existing code as a starting place and take on the responsibility of maintaining it; however, I like to give the author the first opportunity. Peace - Anthony

          Show
          Anthony Borrow added a comment - It would be nice if the creator of the plugin would consider adding it to Moodle Plugins. To that end, I created https://github.com/hrimhari/moodle-auth_emailadmin/issues/1 to see if they might be interested. If not, perhaps someone might be willing to use the existing code as a starting place and take on the responsibility of maintaining it; however, I like to give the author the first opportunity. Peace - Anthony
          Hide
          Anthony Borrow added a comment -

          Just an update that I did find the plugin that was submitted - https://moodle.org/plugins/view.php?plugin=auth_emailadmin - and there are a few minor issues that I would like to see cleaned up before we make it available to the larger Moodle community via Moodle Plugins. So currently it is sitting with the plugins that need some more work prior to approval. Hopefully Felipe will be willing/able to make the fixes and upload a new version for review. Peace - Anthony

          Show
          Anthony Borrow added a comment - Just an update that I did find the plugin that was submitted - https://moodle.org/plugins/view.php?plugin=auth_emailadmin - and there are a few minor issues that I would like to see cleaned up before we make it available to the larger Moodle community via Moodle Plugins. So currently it is sitting with the plugins that need some more work prior to approval. Hopefully Felipe will be willing/able to make the fixes and upload a new version for review. Peace - Anthony
          Hide
          Felipe Carasso added a comment -

          Hi all,

          Sorry for the inconvenience.

          The pending issues that had been mentioned on the plug-in review by Anthony from December should now be solved.

          I hope this functionality will be useful to you

          Best regards,
          Felipe

          Show
          Felipe Carasso added a comment - Hi all, Sorry for the inconvenience. The pending issues that had been mentioned on the plug-in review by Anthony from December should now be solved. I hope this functionality will be useful to you Best regards, Felipe
          Hide
          Felipe Carasso added a comment -

          Hi all,

          I thought you might like to know that the plug-in is now available here:

          https://moodle.org/plugins/view.php?plugin=auth_emailadmin

          Best regards,
          Felipe

          Show
          Felipe Carasso added a comment - Hi all, I thought you might like to know that the plug-in is now available here: https://moodle.org/plugins/view.php?plugin=auth_emailadmin Best regards, Felipe

            Dates

            • Created:
              Updated:

              Development