This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Best approaches for managing spam accounts in Dev Portal?

Posted on 01-31-2017 12:25 PM
DChiesa
Staff
Reply posted on --/--/---- --:-- AM

Hi, I have a Dev Portal that is open to the world.

Currently I want to limit user registration to "invited domains": We have specific licensees that use the APIs, and I want to allow registrations of developers if and only if they have an email address from one of those domains.

I have an email domain whitelist module that is working for that purpose.

But, there are still some accounts registering with fake email addresses from those valid email domains. Specifying FakeUser@ValidDomain.com allows the initial user registration to succeed, though the verification email (with the confirmation link) is never successfully sent, because the email address is invalid.

For those accounts, I want to remove them after some time. Let's say 3-5 days.

From googling around, I learned that the LoginToboggan module includes a setting that allows the deletion of never activated users after a certain period. It looks like this in the admin panel (admin > Configuration > System > LoginToboggan)

4273-logintoboggan-developer-portal.png

But based on analysis done by my friend @Anil Sagar , it seems that the devconnect module purposefully disables the view / change of this setting in the admin panel. I can understand why, sort of... The devconnect module changes the way user registration is done and does not want the LT module to conflict.

But without that part of the LT module, people who use the devportal must resort to manually performing the job of purging never-validated users.

How do other people handle this?

What's the best approach?

I have an idea to produce a super simple module that presents a very simple admin panel that allows just this one setting. It would not provide all of the flexibility of LoginToboggan, but rather, just the one capability of removing users who have never activated, if their accounts were more than N Days old. It would hook cron, and do the clean up periodically.

And it will not use a database delete, because that would prevent the hooks from running, that would clean up other things. Especially in the devportal I think it would be important for the hooks to run, so that the devportal can invoke the API call to remove the developer account from Edge.

I'd like feedback on this idea, and suggestions on better approaches or improvements.

2 0 121
Topic Labels
0 REPLIES 0