More useful errors for users who have registered but not verified their email

[Christopher Allan Webber]

We should somehow warn users that they need to verify their email
before they can do anything.

We could do one of a few things:


-  When we redirect to login on pages that require an active user,
   include a GET parameter on the redirect to /auth/login/ like
   /auth/login/?needs\_verify\_email=true and display a warning that
   the reason that the user wasn't able to do something was because
   they need to verify their email
-  Put some text like "not verified" after the user's login name on
   each page?

In addition we should provide a means to resend the verification
email if it borked the first time, and maybe link to that.

[Aaron Williamson]

Django has a "messaging framework" that makes it easy to queue user
messages for later deliver. A similar system would be very useful
here: you'd stick the message "You have to verify your account to
view /foo/bar/" into the user's message queue in the view at
/foo/bar/ and then you'd pop the message off the stack at the
/auth/login/ view and display it to the user. (Or the base template
would display all unreviewed messages at every opportunity.)

I don't know if there's a general purpose user messaging framework
similar to Django's. One direction for exploration is RabbitMQ. At
its most basic, RabbitMQ can behave like a simple
`message delivery system <http://www.rabbitmq.com/tutorials/tutorial-one-python.html>`_.
It's actually much much more than a place for storing user
messages, though -- it's a robust task-queueing system. In that
sense it's a very heavyweight solution to the problem. But its
other uses may make it a valuable piece of infrastructure -- for
example, it could be used to queue media-conversion tasks to pass
to celeryd,
`like so <http://webcookies.org/2009/09/10/rabbitmq-celery-and-django/>`_.

Admittedly, I've never worked with RabbitMQ at all, so I may be
missing something that makes this a terrible suggestion.

[Christopher Allan Webber]

Okay, so yes, a messaging system is sounding like a better and
better idea.

[Aleksandar Micovic]

Okay, so there were about 3 of us on IRC who liked the idea of a
messaging system, but I didn't really get a feeling that there was
a concrete way that it was going to be tackled -- only that
everyone was on the same boat. :) In the meantime, until we get a
proper messaging system I've updated the require\_active\_login
decorator to redirect to an appropriate auth page. Here is the
commit from my branch:

[https://gitorious.org/\ :sub:`aleksandarmicovic/mediagoblin/aleks-mediagoblin/commit/28afb47ca82b0857aad546ef4cbf869de1ca95a5](https://gitorious.org/`\ aleksandarmicovic/mediagoblin/aleks-mediagoblin/commit/28afb47ca82b0857aad546ef4cbf869de1ca95a5)

We should also have an option to resend the verification email if
it hasn't arrived for some strange reason. I can see this getting a
little cumbersome as a message if we add this option, though (and
in general where a user might want to act upon a message). We'd
also have to have the message persist until the user activates
their email. To that end, maybe it isn't such a bad idea having a
dedicated page for this? We could even have a cute goblin looking
at a clock, tapping his foot, growing impatient waiting for the
email to arrive. :)

[Christopher Allan Webber]

Thanks Aleks; this looks like it's going in the right direction for
now. I guess a couple of things:


-  I think you're right about needing the verification email
   re-sending thing, and that that's a requirement before I can merge
   this even :)
-  The switch you've done here creates a separate problem: if
   there's no user logged in whatsoever, it tells them they need to
   verify their email!

Maybe here's what we should do instead:

::

            if request.user and request.user.get('status') == u'needs_email_verification':
                return exc.HTTPFound(
                    request.urlgen("mediagoblin.auth.verify_email_notice"))
            elif not request.user or request.user.get('status') != u'active':
                return exc.HTTPFound(
                    location="%s?next=%s" % (
                        request.urlgen("mediagoblin.auth.login"),
                        request.path_info))

[Aleksandar Micovic]

Argh, you're right. Should have caught that case. I've fixed it
here:

[https://gitorious.org/\ :sub:`aleksandarmicovic/mediagoblin/aleks-mediagoblin/commit/bcec749b52c287a6d361fd06bfbd833e03e5b478](https://gitorious.org/`\ aleksandarmicovic/mediagoblin/aleks-mediagoblin/commit/bcec749b52c287a6d361fd06bfbd833e03e5b478)

As for the resending of emails, since it's bad practice to keep
resending the same key over and over, I ended up actually adding a
new method to the User model to generate a new verification key.
You can see all of this here:

[https://gitorious.org/\ :sub:`aleksandarmicovic/mediagoblin/aleks-mediagoblin/commit/b93a6a229e1c7a7eef76e8322104912378f79a96](https://gitorious.org/`\ aleksandarmicovic/mediagoblin/aleks-mediagoblin/commit/b93a6a229e1c7a7eef76e8322104912378f79a96)

[Christopher Allan Webber]

Great... I merged this, made a couple of adjustments (gave a
separate message than the "register successful" page) and pushed
into master. Thanks aleksm!

[Elrond]

Looks like this went into 0.0.2

[Will Kahn-Greene]

The original url for this bug was ​http://bugs.foocorp.net/issues/314 .