Customizing Joomla 1.5 user registration process - joomla1.5

I am pretty new to joomla. I have been working on the maintenance of our company's website.
Coming to the issue, the website has a 2-step user registration process where users will fill up the registration form, once they submit, a verification mail will be sent to them with the activation link. Once they click on the activation link in their mail, they will be activated.
Now, since this is getting us a lot of junk users we want to change this process.
What we want to do is :
When a user wants to register, he will be asked for his email-id.
Once the email is provided and submitted, a mail will be sent to him along with the activation link.
After the activation link is clicked he is brought to the website for further registration.
Only after this, the user will be put in our database as a valid user.
So basically, first I want to check if the email is a valid one and only then proceed with registration because email-ids are very important for our business
Please help.
Thanks in advance,
Akshay

In the Database table where he will provide his email ID create a field namely "Status" that will only take Active and Inactive only. And you can use that to determine if user is active or not.

Related

Can you send a link to the specific page where a user resets their password via Keycloak's API?

We have a PHP/MySQL based User Management System and are integrating it with Keycloak version 16 where we will store users credentials.
Our application does not allow users to self register. We create user accounts on the system. When we do this we do NOT specify a password because we want users to set up their own password.
The current system sends 2 separate emails in 2 different circumstances regarding passwords:
If it's a completely new user who does NOT have an existing password, we send them a link to set up a password.
If it's an existing user who already has a password, the system allows them to reset it, e.g. if they forget their password and can't login.
Keycloak seems to cater for scenario (2) because the login forms have a forgotten password link which opens a form where the user can enter their email address and receive a link which lets them do (2).
Unfortunately it doesn't deal with scenario (1) very well and that's where our problem starts. This has been asked a while ago Send password forgotten mail but it seems that Keycloak didn't support this very well in 2020 and perhaps still doesn't now.
Our "workaround" to this was that we added custom email templates and a custom page (reference: Themes on https://www.keycloak.org/docs/latest/server_development/#emails) which includes wording that caters for both scenarios, e.g. "set your password" rather than "reset your (existing) password". The result of this is that our email and form now reads appropriately for both scenarios (1) and (2).
The problem
We want to be able to send a link to the user that allows them to set their initial password to cover scenario (1).
We know that this page exists because on the login page for Keycloak there is a link to the forgotten password form that handles scenario (2). However, the form requires the user to enter their email address and submit the form. The user then receives an email from Keycloak which contains a URL to the page where they can do this. The URL has the following format:
https://example.com/auth/realms/foo/login-actions/action-token?key=...
The key= contains a ~945 character token. Going to the URL above redirects to the form where the user can reset their password. This next URL does not contain a token but a cookie has been set in the browser - by the previous URL - which makes it functional:
https://example.com/auth/realms/foo/login-actions/required-action?execution=UPDATE_PASSWORD
We can't send either of these URLs to the user because the first one (containing key=) has no API method for us to find out what it is - it's only possible to generate this by going through the "forgotten password" step during login, in the browser.
The second URL (/login-actions/required-action...) won't work either because it relies on the previous URL (containing key=) setting the cookie in the browser. If you try and go to this second URL directly (i.e. bypassing the first URL) it will error.
So neither of these URLs will work because we can't find what the first one is programmatically, and we can't use the second one without knowing the first one.
I found https://lists.jboss.org/pipermail/keycloak-user/2018-October/015910.html and the suggestion is using the Keycloak API to trigger a password reset email. This works - sending an HTTP PUT request containing 'UPDATE_PASSWORD' along with the relevant user ID sends the user an email. The request endpoint has the format PUT /{realm}/users/{id}/execute-actions-email which is documented on the link above.
Up to here all is fine - the user gets an email. However, this email does NOT contain a link that goes directly to the "reset password" page! Instead it sends them an email containing the following text:
Your administrator has just requested that you update your account by performing the following action(s): Update Password. Click on the link below to start this process.
Link to account update
When the user clicks "Link to account update" it then shows them a web page like this:
It is only when they click on the link on this page (the one that says "click here to proceed" on the screenshot) that they arrive at the form where they can reset their password.
This is a really poor user experience because the user gets sent a (badly worded) email with a link to... a page with another link! It should just take them to the password reset page directly. What's more frustrating is the fact that Keycloak is clearly capable of generating/sending the exact email we'd like in this scenario: the one which gets sent when a user manually does a password reset via their browser.
So the problem seems that Keycloak's API doesn't support this incredibly important and common use-case of a user being able to set an initial password, in a user-friendly manner.
I am adding the js script in the template to automatically click "click here to proceed". It's ugly but at least the user doesn't see the page

GDPR re-permission email

looking for a little advice on HTML emails and GDPR re-permission.
With the new GDPR regulations I have to create an email to send out to an existing list requesting their consent to continue contacting them.
My intention is to have an 'I'm in' button in the email, which when clicked takes the user to another page/url which has a simple form on it requesting the users email address and checkbox for them to tick to opt in.
My question is can I achieve this another more simple way. For example in the email itself when the user clicks the 'I'm in' button, can a post submission be made automatically with their email address, that gets sent to clients email, and they then just get re-directed to a standard success message. Is something like this possible? It would save having to create a form somewhere and make the process easier for the user.
I don't normally do HTML emails so I'm a little unsure - any help on this would be greatly appreciated, thanks in advance
Yes, you could embed their email in the query string of the URL and then have a webapp at that URL pick up their email from the querystring and process it. Obviously you'd need to code the webapp side accordingly.
E.g:
I'm in!
If you can still send an email to the user, the collection of consent can be quite simple. It will be sufficient to send each user an email containing a link to accept the newsletter (e.g. "Yes, I want to receive the newsletter"). The email should also contain the terms and conditions of the service, and the privacy policy. What come next can be either automated, or handled manually.
The best option would be to automate the process. This can be done in multiple way, the simplest being with a customized link for each user pointing to a website capable of interpreting the data transmitted by the link itself. To achieve this result, the link contained in each email should contain an identification code - which should be anonymized where possible - so that it will be possible to link the new consent to each user. In this way, when the user clicks the link, he or she will be taken to the website. At that point, the backend will be able to collect the code passed by the link, identify the user and, finally, re-subscribe the user to the newsletter.
In practical terms, in the email there could be a link with a value to be passed as a `GET« parameter:
Yes, I want to receive the newsletter
The server-side logic could be as follows (in PHP synthax):
// re-subscribe.php
$uuid = $_GET['uuid'];
$user = getUserByUUID($uuid); // assumed function that gets the user infos by a UUID
subscribeUser($user); // assumed function that re-subscribes user to the newsletter
echo 'Thank you!'
This could even be accomplished manually, provided that a link tracker service/tool is used.
In this – less ideal – case, in the email there should only be a single clickable link, the one required to express consent (e.g. "Yes, I want to receive the newsletter"). This link could take the user wherever deemed most appropriate. What matters, in this case, is the ability, through the tracker service/tool, to know which users have clicked the link. As long as there is only one link in the email, this would inform us that the user has expressed his or her consent, and thus we could manually re-subscribe them to the newsletter. In this case, the link to the terms and conditions and to the privacy policy should be included as static text, and not as an actual clickable link.
For more info, check out our blog post, inspired by this question, at blog.autoprivacy.eu/2018/05/newsletters-after-gdpr-existing-and-new.html

PHP: Account creation AFTER e-mail verification

I'm building a website with a login and registration system where the users' information will be stored on a database. I'm implementing a standard e-mail verification step after the account creation. The process is the following: An account is created, but has a 'verified' flag set to False. Then, an e-mail is sent to the user with a link to verify the account. Finally, after the user clicks the link, the 'verified' flag is set to True.
This should be sufficient, but it got me thinking. What happens to the unverified accounts? Someone could set up millions of unverified accounts that fill up my database storage space and available usernames. This could be problematic.
Is there a way to build a similar system in which the account would only be stored in the database AFTER the verification?
One way to solve your "Problem" would be to use a Capchta at the registration and/or to delete all not-activated accounts when the registration date is further ago than x days.
You could encrypt all information of the registration in the verification link, instead of storing that information in a new user account.
When the user clicks the registration link, you would decrypt that information and create the account.
To keep the verification URL as short as possible, this would require to minimize the amount of information you request during registration. I would suggest to ask for the E-Mail only and to request all the other attributes on the verification page.

How do I add a generated unique link into an email which will lead to an encrypted page?

Allow me to better explain: the company I work for work alongside holiday camps etc and want to add a link into the booking confirmation email which will take them through to a web page (which can only be accessed through the unique link) to sign up to our service.
What we need is to be able to have an automatically generated link within the email which can then be used to access the page and stop any random person signing up that happens to have a link.
Any info or suggestions would be welcome, even a jumping off point to research further would be fantastic- cheers!

User email activation after email change in Joomla User profile

Today I faced the following problem:
I registered a new user on my Joobla 1.6 site
activated the account by link from an activation email
After login as the new user I've changed my email to a made up one ( foo#bar.bar )
Joomla's reaction was: 'ok no problem, e-mail seems to be fine, lets save it then'
The only two things Joomla checked was whether the e-mail was written correctly and whether it was in use by a different user.
Why isn't Joomla sanding the same activation e-mail to the new e-mail in order to change it in an user's profile? Is there something I should know?
This looks as if that very important functionality was missing in the profile editing component.
How do I make it working without editing core files?
EDIT:
I've writed a plugin which sorts this out: http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection/18139
Well if you want a way to sort this out then try this:
Write your own authentication plugin that uses the onBeforeStoreUser event. Here you check the user email validates correctly whenever they change their email address.
Should you want to you can deactivate the user's account, and then send them a new activation email with link. Have a look the com_users code to see how the registration is dealt with in terms of new users registering and the sending of the activation email. You can pretty much copy the code from there.
Example code for you plugin:
onBeforeStoreUser($user, $isnew) {
if (!$isnew) {
// grab code from com_users to generate activation email
// part of the code makes an activation sequence
// sql to inject this seq into the users account
$db = JFactory::getDBO();
$db->setQuery('
UPDATE #__users
SET activation = '.$db->quote($activation_code)).'
WHERE id='.$user->id.'
);
$db->query();
// send activation email
}
}
Maybe it would be a good thing to also validate old mail account before caring for the new one.
Explanation:
I get a user and password, I log in , I change mail from real owner to mine, I have stolen the account and now can activate it with my mail.
If we validate both old and new mails , we are assuring the new mail is valid and also the change was requested by the original owner.
The activation email is just that - an activation method. This is intended to satisfy user information collection laws for countries like the States, where it is necessary to have users confirm they own "this" email address when they signup. This ensures they themselves are the ones signing them up. This is the purpose of the activation emails.