Item4896: Should email address be mandatory for (bulk) registration

Priority: Normal
Current State: No Action Required
Released In:
Target Release: n/a
Applies To: Engine
Component: Registration
Branches:
Reported By: TWiki:Main.EricCharikane
Waiting For:
Last Change By: CrawfordCurrie
Hi, in bulkregistration when trying to add emails the values aren't registered when the users are created. And by the way I think that email should be a required field because otherwise you can't use the other bulk tools like bulkresetpassword. Regards. Eric.

-- TWiki:Main/EricCharikane - 27 Oct 2007

I just manually tested bulk registration, using the TWikiUserMapping user mapper, and the email addresses are added to .htpasswd as expected. Bulk registration is working correctly.

I suspect you are expecting to see them in the user topic, but that is not where they are stored.

The point about the email field being mandatory in registration is a good one, but is not a critical release blocker so downgrading to Normal status. I changed the headline from "In bulkregistration when trying to add emails the values aren't registred when the users are created".

CC

Crawford, in fact the email address was mandatory in 4.1.2 but it has disappeared in 4.2. You are right, I looked in the .htpasswd and saw the email addresses for the bulk registered people. So no bug here. But frankly I'm a bit surprised by the behaviour: I would expect that the extra fields (like email) used in the bulk registration process behave like the firstname and lastname, that is to say being stored and listed in the user topic, otherwise this is not logical! Why store two values and not the others? Then you need to do the job twice, don't you?

Regards, Eric

-- TWiki:Main.EricCharikane - 27 Oct 2007

The reason emails are not stored in public topics is exactly that - they are public. This is regarded as a security issue, so email addresses are no longer written to personal topics.

-- TWiki:Main.CrawfordCurrie - 28 Oct 2007

Hi Crawford, I understand the security issue in a public website when people register themselves, but for bulk registration, only admin will do that. Then we can trust that if an admin is filling some fields in a bulk registration process he knows what he is doing and expects to see all his fields in the user topic, no? Regards, Eric

-- TWiki:Main.EricCharikane - 30 Oct 2007

Even with bulk registration the email address needs to go into the .htaccess file and NOT be made visible in the topic.

Bulk registration must work like individual registration. If an admin bulk registers a load of people, why should their email addresses suddenly be exposed? He must give a valid email address also when emails are private because without those in .htaccess the user can never reset his password or be notified about anything.

The NewUserTemplate has this in it for the same reason.

| E-mail | %USERIN%NOP%FO{"%TOPIC%" format="$emails"}% |

which becomes

E-mail  

and depending on the configure setting {AntiSpam}{HideUserDetails} either anyone can see the info or only the admins and the user himself.

If the user wants to display his email in public and often a disposable gmail account in the email field in the form, he can do this. Many register with one email address - the real one they want to keep safe, and put one in the form that they can later discard (if spamming gets too bad).

We had many long talks about this during the 4.0 development and the current design is the one that works the best and gives the best compromise between security and information.

So only remaining question is - should email address in bulk registration be mandatory - ie the registration fail if no email addresses are given. Are there any situations where this will be a problem? And can you bulk register without email addresses?

-- TWiki:Main.KennethLavrsen - 30 Oct 2007

Dear Kenneth, thank you for this deep explanation.

Frankly, in fact, I didn't notice before that when you register by yourself your email address didn't appear in your own form at first time!!

So that said, I understand the security issue and fully agree with you, in public websites exposing an email must be a personal choice. I also agree with you when saying that the bulkregistration must behave like individual registration.

Now considering if email address should or not be mandatory in the bulkregistration process, here are my two arguments:

  • it is mandatory in the individual registration so if bulkregistration must behave like individual registration, email should also be mandatory;
  • having email mandatory in bulkregistration makes sure that people registered by bulk registration will be able to request a new password for first login, and also it gives the possibility to the admin to use bulkreset password to have an automatic notification of the credentials to the new users.

I may also suggest to add a notice in the bulkregistration topic if email becomes mandatory explaining that it is normal that the email address is not exposed in the user topic for security reasons but stored in the appropriate .htpasswd file.

Best regards, Eric

-- TWiki:Main.EricCharikane - 07 Nov 2007

Just noticed that this was waiting for me. I have nothing further. It seems to me that Eric summarised it all fine and it seems reasonable that email addresses should be given when you bulk register people. But I can also see some alternative authentication schemes where the email address is fetched from an LDAP server so you cannot always assume that emails should be needed. But then why do you need to register in those cases?

I have never used bulk registration and I do not plan to work on resolving this bug myself so I will flip it to New again.

-- KennethLavrsen - 17 Mar 2008

Emails are needed for more than registration. They are used for mail notification, and are an essential part of closing the communication loop with the user. So I also don't plan to do anything about this. No action.

-- CrawfordCurrie - 29 Jun 2010

ItemTemplate

Summary Should email address be mandatory for (bulk) registration
ReportedBy TWiki:Main.EricCharikane
Codebase
SVN Range TWiki-4.3.0, Fri, 12 Oct 2007, build 15261
AppliesTo Engine
Component Registration
Priority Normal
CurrentState No Action Required
WaitingFor
Checkins
TargetRelease n/a
ReleasedIn
Topic revision: r11 - 29 Jun 2010, CrawfordCurrie