Fossil Forum

Testing Email Alerts

(1) By Dan Barbarito (danbarbarito) on 2018-07-31 14:16:50 [link] [source]

Can someone reply to this so I can see how the email alerts work?

Site note: I think self-registered accounts should have to confirm their email address. Not sure if that's implemented or not, but I think it would cut down on spam/trolling.

(2) By Richard Hipp (drh) on 2018-07-31 14:43:11 in reply to 1 [source]

Right now, the "email address" you enter when you self-register does not set you up with email alerts. Setting up email alerts is an additional step, and there is a confirmation process when you go through that extra step.

Probably this is an area where it would be good to improve the interface.

Some Technical Details:

The self-registration creates an entry in the USER table. The USER table does not have a field to hold the email address. (We could change that, but it would require everybody to run "fossil rebuild" and would seriously complicate syncing of user information between older and newer versions of Fossil.)

The email notifications are handled by a separate SUBSCRIBER table.

There is no one-to-one relationship between USERs and SUBSCRIBERs. Someone can be a USER but not a SUBSCRIBER. Or someone can be a SUBSCRIBER (sign up for email notification) without being a USER.

Right now, self-registration only creates a USER table entry. But I suppose it could be enhanced to also automatically create a SUBSCRIBER table entry, and go through the subscriber verification process. (Anybody want to volunteer to work on this :-))

(3) By Dan Barbarito (danbarbarito) on 2018-07-31 14:46:23 in reply to 2 [link] [source]

I'm getting email notifications now after configuring Email Alerts on the page you go to after clicking Logout on the top right (maybe this link can be changed to say Profile instead of Logout). I did not have to confirm my email address to get the notifications though.

(4) By Warren Young (wyetr) on 2018-08-01 17:18:29 in reply to 2 [link] [source]

Am I understanding correctly that the /register page asks for an email address it does not store or even use before throwing it away?

I think the expectation, generated by the great many sites that work this way, is that you'll get an email shortly after clicking Register, and that until you validate your email, you won't be allowed to post at all, even with moderator approval.

Whether this actually cuts down on spam or not is secondary to the preexisting expectation. Fossil needs a good reason to violate the Principle of Least Astonishment here.

Internally, I think you can do this by not applying the "3" capability until after the user validates their email address.

(5) By Tontyna (tontyna) on 2018-10-24 09:38:52 in reply to 2 [link] [source]

> Right now, self-registration only creates a USER table entry.

But since [4c43f2cd] it also requires the SUBSCRIBER table -- input verification in register_page() tries to avoid duplicate email addresses (stored in SUBSCRIBER)

The SUBSCRIBER table isn't created by fossil init, it's created when Email Notifications are turned on the first time.

If you don't want/need email alerts but want self-registration you must one-time-enable a (dummy) Email Notification Configuration to prevent

Database error: no such table: subscriber SELECT 1 FROM subscriber 
WHERE semail='' AND suname IS NOT NULL AND sverified    

on the /register page.

(6) By anonymous on 2018-11-06 19:10:39 in reply to 1 [link] [source]

> accounts should have to confirm their email address

I am against this.

It would require:

  • the user to operate an SMTP server or sign up for a third-party account
  • Fossil to operate an SMTP server or use a third-party one and keep an updated list of temporary email providers.

Besides I think anything that involves unsigned clear-text electronic postcards without envelopes is a privacy nightmare.

(7) By Warren Young (wyoung) on 2018-11-06 19:37:09 in reply to 6 [link] [source]

The requirements you're against are irrelevant in this thread, the topic of which is email alerts, so the presence of SMTP on both ends is a given already. Fossil doesn't require that you confirm your email address if you don't get email alerts, nor can I think of a good reason for it to do so. Unlike the OP, I don't see that confirming your email address reduces the incidence of spam: spammers can generate and confirm arbitrary numbers of fake email accounts.

As for the "privacy nightmare," the Fossil forum feature was created to serve the needs of the Fossil and SQLite projects, which present their forum on a public web site, so there's no point worrying about the lack of privacy in standard SMTP.

If you want Fossil forums to turn into a crypto-nerd private messaging system, that seems like a wholly separate topic worth taking up in a new thread. I'd suggest that you bring along concrete suggestions for ways to make that work. Bonus points if your scheme discourages spammers, trolls, etc.

For example, I think a moderation feature can work in a purely anonymous system. We don't have to know who a comment came from in order to reject it. If a nuisance poster can't get his messages through, he's likely to stop posting eventually unless it's actually a bot.

I suspect if you've created a crypto-nerd paradise, you'll want stronger anti-bot protections than the ones currently provided.

(8) By Warren Young (wyoung) on 2018-11-06 20:28:23 in reply to 7 [link] [source]

Clarification: verifying your email address when signing up for Fossil email alerts doesn't give a useful signal to Fossil forums about that account's likelihood to send spam to the forum, but it does prevent malefactors from signing other people's email addresses up for email alerts, presumably in order to harass them.

That is, if we did away with email address verification in this forum, the forum could be used to send "spam" to arbitrary email addresses, if you define that as "unwanted and unsolicited email."
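Added example, not part of the thread and not Fossil's own code: a minimal confirm-before-send flow over a SUBSCRIBER-style table, showing why an address someone else entered never receives alerts until its owner presents the mailed token. The column names `semail`, `suname` and `sverified` come from the error message quoted in post 5; the `stoken_hash` column, the schema and the function names are assumptions, and the recipient query also guards against the missing-table case from post 5.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Hypothetical schema: semail/suname/sverified appear in the error quoted in
# post 5; stoken_hash is an assumption made for this sketch.
SCHEMA = """CREATE TABLE IF NOT EXISTS subscriber(
  semail TEXT UNIQUE NOT NULL,
  suname TEXT,
  sverified INTEGER NOT NULL DEFAULT 0,
  stoken_hash TEXT NOT NULL)"""

def _hash(token):
    # Store only a hash so a database leak does not expose usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def subscribe(db, email, uname=None):
    """Store an unverified row; return the token to be mailed to `email`."""
    db.execute(SCHEMA)
    token = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO subscriber(semail, suname, stoken_hash) VALUES(?,?,?)",
        (email, uname, _hash(token)))
    return token

def confirm(db, email, token):
    """Mark the address verified only if the presented token matches."""
    row = db.execute(
        "SELECT stoken_hash FROM subscriber WHERE semail=?", (email,)).fetchone()
    if row is None or not hmac.compare_digest(row[0], _hash(token)):
        return False
    db.execute("UPDATE subscriber SET sverified=1 WHERE semail=?", (email,))
    return True

def alert_recipients(db):
    """Return the addresses that may receive alert mail: verified rows only."""
    has_table = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='subscriber'"
    ).fetchone()
    if not has_table:  # alerts never configured, so there are no recipients
        return []
    rows = db.execute(
        "SELECT semail FROM subscriber WHERE sverified ORDER BY semail")
    return [r[0] for r in rows]
```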

(9) By bohwaz on 2018-11-12 20:34:50 in reply to 8 [link] [source]

Yes, you need to validate an email address before sending messages to it, as if you don't you will quickly get your SMTP server blacklisted by the likes of GMail, Hotmail etc. as they will identify that you are trying to send emails to non-existing addresses, something that spammers are known to do.