Description
8/19/2016: Phase I of confirm email is issue #2170. Phase II will introduce consequences / restrictions for users who do not confirm their email address, such as not receiving email notifications.
This issue was made a while ago after #2170 [email confirmation] was successfully merged in 4.5.1. It can potentially be very helpful going forward with support for sensitive data as outlined by Harvard's Information Security Policy.
Currently, we have no options to "restrict" accounts that have not confirmed their email address. Recall also that institutional accounts are "re-confirmed" upon each login, as the user's status is a nullable timestamp column authenticateduser.emailconfirmed. This is because we entrust institutional accounts' auth providers with the responsibility of securing their institutional inboxes 🤓
Next steps forward would be to define as a team what restrictions to levy on accounts with unverified email addresses. Consider:
- User restrictions
- Installation configurations [do we want all institutions to have this? just Harvard? on/off switch?]
- User/admin workflows
- Existing bugs
The appropriate user access guidelines linked above are a healthy resource to refer to so that we can maintain the best direction towards v5.0 and iron out any known bugs prior to merge.
Related baggage: #3407 When users convert their account from the "Username/Email and Password" to the "Institutional Log In" option, they receive a confirmation email with no link