[aur-dev] [PATCH] Let the user verify their email address
On registering and updating an email address, the user has to type their email address twice. Do not allow autocomplete and pasting in the verification field. Fixes FS#45792. Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com> --- web/html/account.php | 17 +++++++++-------- web/html/register.php | 6 +++--- web/lib/acctfuncs.inc.php | 12 +++++++++--- web/template/account_edit_form.php | 11 +++++++++++ 4 files changed, 32 insertions(+), 14 deletions(-) diff --git a/web/html/account.php b/web/html/account.php index adc2542..3452af3 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -32,10 +32,10 @@ if ($action == "UpdateAccount") { list($success, $update_account_message) = process_account_form( "edit", "UpdateAccount", in_request("U"), in_request("T"), in_request("S"), - in_request("E"), in_request("P"), in_request("C"), - in_request("R"), in_request("L"), in_request("I"), - in_request("K"), in_request("PK"), in_request("J"), - in_request("ID"), $row["Username"]); + in_request("E"), in_request("E2"), in_request("P"), + in_request("C"), in_request("R"), in_request("L"), + in_request("I"), in_request("K"), in_request("PK"), + in_request("J"), in_request("ID"), $row["Username"]); } } @@ -79,7 +79,7 @@ if (isset($_COOKIE["AURSID"])) { if (can_edit_account($row)) { display_account_form("UpdateAccount", $row["Username"], $row["AccountTypeID"], $row["Suspended"], $row["Email"], - "", "", $row["RealName"], $row["LangPreference"], + $row["Email"], "", "", $row["RealName"], $row["LangPreference"], $row["IRCNick"], $row["PGPKey"], $PK, $row["InactivityTS"] ? 1 : 0, $row["ID"], $row["Username"]); } else { 
@@ -115,9 +115,10 @@ if (isset($_COOKIE["AURSID"])) { if (!$success) { display_account_form("UpdateAccount", in_request("U"), in_request("T"), - in_request("S"), in_request("E"), in_request("P"), in_request("C"), - in_request("R"), in_request("L"), in_request("I"), in_request("K"), - in_request("PK"), in_request("J"), in_request("ID"), $row["Username"]); + in_request("S"), in_request("E"), in_request("E2"), in_request("P"), + in_request("C"), in_request("R"), in_request("L"), in_request("I"), + in_request("K"), in_request("PK"), in_request("J"), in_request("ID"), + $row["Username"]); } } else { diff --git a/web/html/register.php b/web/html/register.php index 9c5c1cc..483bc5e 100644 --- a/web/html/register.php +++ b/web/html/register.php @@ -21,7 +21,7 @@ echo '<h2>' . __('Register') . '</h2>'; if (in_request("Action") == "NewAccount") { list($success, $message) = process_account_form( "new", "NewAccount", in_request("U"), 1, 0, - in_request("E"), '', '', in_request("R"), + in_request("E"), in_request("E2"), '', '', in_request("R"), in_request("L"), in_request("I"), in_request("K"), in_request("PK")); @@ -29,13 +29,13 @@ if (in_request("Action") == "NewAccount") { if (!$success) { display_account_form("NewAccount", in_request("U"), 1, 0, - in_request("E"), '', '', in_request("R"), + in_request("E"), in_request("E2"), '', '', in_request("R"), in_request("L"), in_request("I"), in_request("K"), in_request("PK")); } } else { print '<p>' . __("Use this form to create an account.") . '</p>'; - display_account_form("NewAccount", "", "", "", "", "", "", "", $LANG); + display_account_form("NewAccount", "", "", "", "", "", "", "", "", $LANG); } echo '</div>'; diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index f718a77..942b7f8 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php 
@@ -47,6 +47,7 @@ function html_format_pgp_fingerprint($fingerprint) { * @param string $T The account type of the displayed user * @param string $S Whether the displayed user has a suspended account * @param string $E The e-mail address of the displayed user + * @param string $E2 The e-mail address of the user, verification field * @param string $P The password value of the displayed user * @param string $C The confirmed password value of the displayed user * @param string $R The real name of the displayed user @@ -60,7 +61,7 @@ function html_format_pgp_fingerprint($fingerprint) { * * @return void */ -function display_account_form($A,$U="",$T="",$S="",$E="",$P="",$C="",$R="", +function display_account_form($A,$U="",$T="",$S="",$E="",$E2="",$P="",$C="",$R="", $L="",$I="",$K="",$PK="",$J="",$UID=0,$N="") { global $SUPPORTED_LANGS; @@ -78,6 +79,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$P="",$C="",$R="", * @param string $T The account type for the user * @param string $S Whether or not the account is suspended * @param string $E The e-mail address for the user + * @param string $E2 The e-mail address for the user, verification field * @param string $P The password for the user * @param string $C The confirmed password for the user * @param string $R The real name of the user @@ -91,7 +93,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$P="",$C="",$R="", * * @return array Boolean indicating success and message to be printed */ -function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$P="",$C="", +function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$E2="",$P="",$C="", $R="",$L="",$I="",$K="",$PK="",$J="",$UID=0,$N="") { global $SUPPORTED_LANGS; 
@@ -114,10 +116,14 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$P="",$C="", $editor_user = null; } - if (empty($E) || empty($U)) { + if (empty($E) || empty($E2) || empty($U)) { $error = __("Missing a required field."); } + if ($E != $E2) { + $error = __("Entered email addresses do not match."); + } + if ($TYPE != "new" && !$UID) { $error = __("Missing User ID"); } diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php index 0aadb9d..1c1c1ab 100644 --- a/web/template/account_edit_form.php +++ b/web/template/account_edit_form.php @@ -72,6 +72,11 @@ <input type="text" size="30" maxlength="64" name="E" id="id_email" value="<?= htmlspecialchars($E,ENT_QUOTES) ?>" /> (<?= __("required") ?>) </p> + <p> + <label for="id_email_verify"><?= __("Verify Email Address") ?>:</label> + <input type="text" size="30" maxlength="64" name="E2" id="id_email_verify" autocomplete="off" value="<?= htmlspecialchars($E2,ENT_QUOTES) ?>" /> (<?= __("required") ?>) + </p> + <?php if ($A == "UpdateAccount"): ?> <p> <label for="id_passwd1"><?= __("Password") ?>:</label> @@ -136,3 +141,9 @@ </p> </fieldset> </form> +<script> +var verify_field = document.getElementById('id_email_verify'); +verify_field.addEventListener('paste', function (e) { + e.preventDefault(); +}, false); +</script> -- 2.5.0
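Review bot: in the second account.php hunk, passing $row["Email"] as both $E and $E2 to display_account_form() prefills the verification field with the stored address. That is required by the new empty($E2) check in process_account_form(), since otherwise every unrelated profile edit (real name, language, PGP key) would be rejected with "Missing a required field.", but it also means the second field confirms nothing on the edit page until the user changes the first one. A short comment on that line, or only requiring $E2 when $E differs from the stored address, would make the intent clear.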
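Review bot: in the process_account_form() hunk, `if ($E != $E2)` uses PHP's loose comparison, so two numeric-looking strings would be compared as numbers; use `!==` so the match is byte-exact and does not depend on type juggling. The new test is also not chained with the preceding empty() check, so with $E set and $E2 empty the later "Entered email addresses do not match." silently replaces "Missing a required field."; an `else if`, or a deliberate ordering of the two messages, would make the reported error predictable. This server-side comparison is the only real check in the patch, so it is the one place where the behaviour must be correct.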
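Review bot: in the first account_edit_form.php hunk, `autocomplete="off"` on the new input is only a hint and, as noted later in this thread, password managers such as LastPass override it, so the commit message should not claim autocomplete is disallowed. Echoing the submitted value back through htmlspecialchars($E2, ENT_QUOTES) is correct and matches the existing E field. Since the field is required, consider `required` on the input as well so the browser reports an empty field before the round trip to the server.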
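Review bot: in the final account_edit_form.php hunk, the inline paste handler is a client-side convenience and cannot be relied on as a check: it does not stop typing, drag-and-drop, browser autofill or users with scripting disabled, and the author's own follow-up in this thread reports it has no effect in Firefox. The script also runs unconditionally and calls addEventListener on the result of getElementById without a null check, so it throws if the template is ever rendered without the field. Either guard it (`if (verify_field) { ... }`) or drop it and rely on the server-side comparison in process_account_form(), which is the check that actually matters.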
* Marcel Korpel <marcel.korpel@gmail.com> (Mon, 17 Aug 2015 00:54:54 +0200):
+<script> +var verify_field = document.getElementById('id_email_verify'); +verify_field.addEventListener('paste', function (e) { + e.preventDefault(); +}, false); +</script>
Note that this (ugly) hack currently does not work in Firefox, it allows copy-pasting anyway, making this verification completely useless.
On Mon, 17 Aug 2015 00:54:54 +0200 Marcel Korpel <marcel.korpel@gmail.com> wrote:
> On registering and updating an email address, the user has to type their email address twice. Do not allow autocomplete and pasting in the verification field.
Please, do NOT forbid pasting in any field! Some of us (many, perhaps?) use information managers for passwords, usernames, and emails that paste or type such things in for us, specifically so that we do not get things wrong typing them in ourselves.
-- 
~Celti
* "Patrick Burroughs (Celti)" <celti@celti.name> (Sun, 16 Aug 2015 15:59:38 -0700):
> On Mon, 17 Aug 2015 00:54:54 +0200 Marcel Korpel <marcel.korpel@gmail.com> wrote:
>> On registering and updating an email address, the user has to type their email address twice. Do not allow autocomplete and pasting in the verification field.
> Please, do NOT forbid pasting in any field! Some of us (many, perhaps?) use information managers for passwords, usernames, and emails that paste or type such things in for us, specifically so that we do not get things wrong typing them in ourselves.
I completely understand your frustration, I really hate it, too, but to let someone confirm their email address allowing copy-pasting would make the check useless. Then we can just drop this patch and live with FS#45792. Any thoughts on this?
On Sun, Aug 16, 2015 at 7:04 PM, Marcel Korpel <marcel.korpel@gmail.com> wrote:
> * "Patrick Burroughs (Celti)" <celti@celti.name> (Sun, 16 Aug 2015 15:59:38 -0700):
>> On Mon, 17 Aug 2015 00:54:54 +0200 Marcel Korpel <marcel.korpel@gmail.com> wrote:
>>> On registering and updating an email address, the user has to type their email address twice. Do not allow autocomplete and pasting in the verification field.
>> Please, do NOT forbid pasting in any field! Some of us (many, perhaps?) use information managers for passwords, usernames, and emails that paste or type such things in for us, specifically so that we do not get things wrong typing them in ourselves.
> I completely understand your frustration, I really hate it, too, but to let someone confirm their email address allowing copy-pasting would make the check useless. Then we can just drop this patch and live with FS#45792.
> Any thoughts on this?
As far as I am concerned, do whatever you want. Lastpass overrides the autocomplete=off setting, anyway.
-- 
Eli Schwartz
On Sun 16 Aug 2015 19:24 -0400, Eli Schwartz wrote:
> On Sun, Aug 16, 2015 at 7:04 PM, Marcel Korpel <marcel.korpel@gmail.com> wrote:
>> * "Patrick Burroughs (Celti)" <celti@celti.name> (Sun, 16 Aug 2015 15:59:38 -0700):
>>> On Mon, 17 Aug 2015 00:54:54 +0200 Marcel Korpel <marcel.korpel@gmail.com> wrote:
>>>> On registering and updating an email address, the user has to type their email address twice. Do not allow autocomplete and pasting in the verification field.
>>> Please, do NOT forbid pasting in any field! Some of us (many, perhaps?) use information managers for passwords, usernames, and emails that paste or type such things in for us, specifically so that we do not get things wrong typing them in ourselves.
>> I completely understand your frustration, I really hate it, too, but to let someone confirm their email address allowing copy-pasting would make the check useless. Then we can just drop this patch and live with FS#45792.
>> Any thoughts on this?
> As far as I am concerned, do whatever you want. Lastpass overrides the autocomplete=off setting, anyway.
I'd prefer not to add ugly javascript hacks that only work in one or another browser that only serves to babysit users.
On Mon, 17 Aug 2015 at 02:42:31, Loui Chang wrote:
> On Sun 16 Aug 2015 19:24 -0400, Eli Schwartz wrote:
>> On Sun, Aug 16, 2015 at 7:04 PM, Marcel Korpel <marcel.korpel@gmail.com> wrote: [...]
>>> I completely understand your frustration, I really hate it, too, but to let someone confirm their email address allowing copy-pasting would make the check useless. Then we can just drop this patch and live with FS#45792.
>>> Any thoughts on this?
>> As far as I am concerned, do whatever you want. Lastpass overrides the autocomplete=off setting, anyway.
> I'd prefer not to add ugly javascript hacks that only work in one or another browser that only serves to babysit users.
Agreed, we should not dictate whether the user can copy-paste data or not. The duplicate field makes it clear that it is important to get the email address right. If a user decides to bypass the check, so be it. I wonder whether, instead of (in addition to?) this patch, we should add a notice that getting the email address right is very important and that you will be locked out without any chance to recover if you make a typo.
* Lukas Fleischer <lfleischer@archlinux.org> (Mon, 17 Aug 2015 04:12:32 +0200):
> On Mon, 17 Aug 2015 at 02:42:31, Loui Chang wrote:
>> On Sun 16 Aug 2015 19:24 -0400, Eli Schwartz wrote:
>>> On Sun, Aug 16, 2015 at 7:04 PM, Marcel Korpel <marcel.korpel@gmail.com> wrote: [...]
>>>> I completely understand your frustration, I really hate it, too, but to let someone confirm their email address allowing copy-pasting would make the check useless. Then we can just drop this patch and live with FS#45792.
>>>> Any thoughts on this?
>>> As far as I am concerned, do whatever you want. Lastpass overrides the autocomplete=off setting, anyway.
>> I'd prefer not to add ugly javascript hacks that only work in one or another browser that only serves to babysit users.
> Agreed, we should not dictate whether the user can copy-paste data or not. The duplicate field makes it clear that it is important to get the email address right. If a user decides to bypass the check, so be it.
Phew, actually I'm glad you dislike this stupid behaviour.
> I wonder whether, instead of (in addition to?) this patch, we should add a notice that getting the email address right is very important and that you will be locked out without any chance to recover if you make a typo.
I'm more in favour of a message only; entering email addresses twice is a nuisance and if you can copy-paste the data, it doesn't serve a purpose other than to frustrate a user (I fear lots of people don't understand the meaning of the same field twice). Instead, showing a notice seems better to me, though it doesn't look that nice: https://ptpb.pw/em7S.png
Suggestions?
On Mon 17 Aug 2015 09:53 +0200, Marcel Korpel wrote:
> I'm more in favour of a message only; entering email addresses twice is a nuisance and if you can copy-paste the data, it doesn't serve a purpose other than to frustrate a user (I fear lots of people don't understand the meaning of the same field twice).
> Instead, showing a notice seems better to me, though it doesn't look that nice: https://ptpb.pw/em7S.png
Looks good to me.