This repository has been archived by the owner on Nov 3, 2023. It is now read-only.

Non-activated members shouldn't block one from registering once again #7992

Closed
Defcon0 opened this issue Sep 2, 2015 · 14 comments

Comments

@Defcon0

Defcon0 commented Sep 2, 2015

Hello,

in our daily work it's often the case that some of the page visitors register, don't activate and after some time try to register again with the same mail address. Of course, the activation email had been thrown away already... Now the email field throws an error that the mail address has already been taken.

In my opinion, this shouldn't be. Wouldn't it be better if one could register again, get a new activation code and mail?

Bye Defcon0

@bezin

bezin commented Sep 2, 2015

This would be a huge usability improvement +1

@asaage

asaage commented Sep 2, 2015

@Defcon0 consider the following case:
The member was de-activated by admin for some reason.

@Defcon0
Author

Defcon0 commented Sep 3, 2015

Then maybe a new field like "banned" could be useful? Of course this field would have to be widely used in Contao.

@asaage

asaage commented Sep 3, 2015

I am not sure if the activation-link expires - if that's the case the user should get auto-deleted via a cron-hook or something similar. That feature would solve your issue I guess.
The "banned" field could indeed be useful.
I will link #7176, #3421 and #7113 to see who joins the discussion.

@leofeyer
Member

leofeyer commented Sep 4, 2015

It should be as simple as resending the activation mail if the account already exists and still has an activation token assigned. @contao/developers /cc

leofeyer added this to the 4.1.0 milestone Sep 4, 2015

@Defcon0
Author

Defcon0 commented Sep 6, 2015

I think this should also do it, thanks!

@discordier
Contributor

@leofeyer I agree. If the user already exists, resend the activation mail.
I wonder, however, if the user should be updated in the database then or if the new data shall be discarded (username, password, ...).

@Defcon0
Author

Defcon0 commented Sep 6, 2015

I'd say the db should be updated, since this new data is the one to be the latest in the user's mind :)

@Toflar
Member

Toflar commented Sep 6, 2015

Resending the activation e-mail should be enough. If they cannot remember their username they cannot get the activation e-mail and if they forgot the password there is the possibility for a password forgotten functionality.

@leofeyer
Member

leofeyer commented Sep 6, 2015

> I wonder, however, if the user should be updated in the database then

Of course not. If the submitted data does not exactly match the existing data, we must assume that it is not the same person trying to register.

@Defcon0
Author

Defcon0 commented Sep 6, 2015

Mhm, but where's the danger with that taking into account that a possible attacker needs to have access to the email address of the victim?

@leofeyer
Member

leofeyer commented Sep 6, 2015

Imagine two employees of an agency, both trying to register with the same username e-mail address (info@agency.com). But one time it is "Dona Evans" and the next time "John Smith".

At least the username, the e-mail address and the name have to match IMHO.

@asaage

asaage commented Sep 6, 2015

Resending the activation e-mail makes sense to me.
Updating the database would happen before the activation-link can be clicked - and therefore allows manipulation of userdata - am I right?
I still would prefer expiring activation-links and auto-deletion of not-activated members.

Besides that, an additional toggle-icon in the BE-member-listing should be added for the "Allow login" field since Deactivate: no and Allow login: yes is not the same in the current concept.

@leofeyer
Member

Implemented in contao/core-bundle@01d315f.
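
The rule the thread converges on (resend the activation mail only when the account exists, is still unactivated and the submitted data matches; never write the new data into the stored record), as an added example that is not part of the thread and not the code from the referenced commit. The function name, the record field names and the `banned` flag are assumptions, not Contao's schema.

```php
<?php
declare(strict_types=1);

// Fields that must match the stored record before a resend; the thread names
// username, e-mail address and name. Field names are assumptions.
const MATCH_FIELDS = ['username', 'email', 'firstname', 'lastname'];

/**
 * Decide how to treat a registration attempt. $existing is the stored member
 * with the submitted e-mail address, or null. Returns 'create', 'resend' or
 * 'reject' and never writes submitted data into the stored record.
 */
function decideRegistration(?array $existing, array $submitted): string
{
    if ($existing === null) {
        return 'create'; // unknown address: normal registration
    }
    // 'banned' is the hypothetical flag proposed in the thread for members
    // an admin has locked; such accounts never get a new activation mail.
    if (!empty($existing['banned'])) {
        return 'reject';
    }
    // No pending token means the account is already activated.
    if (($existing['activation'] ?? '') === '') {
        return 'reject';
    }
    // Any mismatch is treated as a different person; the new values
    // (including a new password) are discarded, not stored.
    foreach (MATCH_FIELDS as $field) {
        if (($existing[$field] ?? null) !== ($submitted[$field] ?? null)) {
            return 'reject';
        }
    }
    return 'resend'; // same person, still unactivated: send the activation mail again
}

// Constructed sample data, reusing the names from the discussion above.
$pending = ['username' => 'dona', 'email' => 'info@agency.com', 'firstname' => 'Dona',
            'lastname' => 'Evans', 'activation' => 'PLACEHOLDER-TOKEN', 'banned' => false];
$attempts = [
    'new address'     => [null, $pending],
    'same person'     => [$pending, $pending],
    'different name'  => [$pending, ['firstname' => 'John', 'lastname' => 'Smith'] + $pending],
    'already active'  => [['activation' => ''] + $pending, $pending],
    'locked by admin' => [['banned' => true] + $pending, $pending],
];
foreach ($attempts as $label => [$existing, $submitted]) {
    printf("%-16s => %s\n", $label, decideRegistration($existing, $submitted));
}
```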
