PKP 2017 Sprint Report: New User Mediation
Three Sprint participants (Clinton, Rahul, and Svantje) worked on a new user mediation (or new user approval system) for OJS.
In OJS 2.4.8 and OJS 3.0.1, user registration is all-or-nothing: journal managers decide whether users can self-register or whether the journal manager must register all users. A recurring request has been to allow mediated registration, where a user self-registers but is blocked from usage until the new account is approved. Interest in this workflow has increased with a rash of users self-registering simply for the sake of uploading inappropriate profile photos.
While one of the major drivers of this feature is preventing abuse of the public profile image, the general use case of reviewing individual user accounts has also been requested, to deal with spam registrations that get past the (optional) existing new user validation tools of reCAPTCHA and email validation. As such, we opted to implement the user mediation feature over other options which would only address the profile photo abuse and which would require overly specific user permissions.
We spec’d this new feature to be:
- An optional setting
- Leveraging the existing concept of enabling/disabling users
- Defaulting new users to disabled
- With an on-screen message indicating the approval requirement at registration
- With notification to the approver regarding the new account
- With notification to the user when approval was completed
We pursued development efforts in OJS 2.4.8-x and OJS 3.0.x simultaneously. Since users exist at the site level, we added a setting “require_mediation” to the “security” section of config.inc.php. The existing getDisabled() / setDisabled() methods of PKPUser were extended to support a bitmask of disabled reasons, including the legacy reasons of email validation and manual disabling. UI features were added to allow Journal Managers to see and respond to pending approvals. Notifications by email were not completed during the sprint. The work for both branches was attached to Issue 2681: https://github.com/pkp/pkp-lib/issues/2681
The application of user accounts at the site level muddles this concept slightly; once a user account is enabled or disabled within any one journal, the user’s status for all journals is affected. The legacy “disabled reason” field is not multilingual, and was used to hold the reason for both kinds of disabling: pending email validation and manual action by the Journal Manager. This creates some unavoidable ambiguity when this setting is initially enabled.
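The bitmask of disabled reasons described above, sketched as an added PHP example; it is not PKP's code, and the constant and function names are hypothetical. It shows why a bitmask rather than a single flag matters for mediation: approving an account clears only the pending-approval reason, so an unvalidated email address still keeps the account disabled.

```php
<?php
// Added illustration. Constant and function names are hypothetical, not PKP's.
const DISABLED_MANUAL    = 1; // journal manager disabled the account
const DISABLED_EMAIL     = 2; // email validation still outstanding
const DISABLED_MEDIATION = 4; // awaiting approval (require_mediation is on)

/** Reasons a freshly self-registered account starts out disabled. */
function initialReasons(bool $requireMediation, bool $requireEmailValidation): int {
    $reasons = 0;
    if ($requireMediation)       $reasons |= DISABLED_MEDIATION;
    if ($requireEmailValidation) $reasons |= DISABLED_EMAIL;
    return $reasons;
}

/** Clear exactly one reason; every other reason stays in force. */
function clearReason(int $reasons, int $reason): int {
    return $reasons & ~$reason;
}

/** The account is usable only when no reason bit remains set. */
function isDisabled(int $reasons): bool {
    return $reasons !== 0;
}

/** Labels for a manager-facing view of why an account is blocked. */
function describeReasons(int $reasons): array {
    $labels = [
        DISABLED_MANUAL    => 'manually disabled',
        DISABLED_EMAIL     => 'email not validated',
        DISABLED_MEDIATION => 'pending approval',
    ];
    $out = [];
    foreach ($labels as $bit => $label) {
        if ($reasons & $bit) $out[] = $label;
    }
    return $out;
}

function show(string $step, int $reasons): void {
    printf("%-22s disabled=%-5s [%s]\n", $step,
        var_export(isDisabled($reasons), true), implode(', ', describeReasons($reasons)));
}

// Constructed walk-through: mediation and email validation are both enabled.
$reasons = initialReasons(true, true);
show('after registration', $reasons);
$reasons = clearReason($reasons, DISABLED_MEDIATION); // manager approves
show('after approval', $reasons);
$reasons = clearReason($reasons, DISABLED_EMAIL);     // user validates email
show('after email validation', $reasons);
```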