Opened 15 months ago

Last modified 6 months ago

#4132 new enhancement

Upload profile image at activation

Reported by: sooskriszta
Owned by:
Priority: normal
Milestone: Future Release
Component: Core
Version: 1.5
Severity: normal
Keywords: 2nd-opinion
Cc:

Description

In view of #4128 and #2741 I propose the following flow:
fill out registration -> activate account -> upload avatar -> login
Upload avatar step will not be mandatory.

The power and importance of avatars can't be overemphasized. This flow will likely lead to the vast majority of users uploading avatars. Additionally, it is fairly standard for social networks.

Change History (13)

When I say it's fairly standard for social networks, I mean uploading avatar immediately upon activation is fairly standard. Most social networks (and many other sites) automatically log the user in when she clicks on the activation link, so a separate manual login step is not required.

  • Keywords 2nd-opinion added

Users aren't logged in when the account is activated. I'm not sure it's safe to change that behaviour (e.g. someone else somehow using your registration token).

Sorry, Paul, I didn't quite understand why it isn't safe to log the user in when he clicks on the activation link.

The majority of large sites I know actually have the user logged in at activation. From my experience with a site (non BuddyPress), 96% of users activate their account within 3 minutes of registration, 3% activate within 30 mts, and 90% of those that don't activate within 30mts end up never activating.

The way one of the sites I know works is: When a user registers, he is logged in automatically. But since the account is not activated, he can't access any functionality. Upon clicking the activate link, the logged in user is taken to a basic profile info page, including uploading of profile image. If the user does not activate within 30mts, his connection/login is timed out. Then if he clicks on activation link after that, then he needs to log in after activating the account (theoretically, he can also log in before clicking on activate link...but such login still doesn't provide him access to functionality...and in practice few users who haven't activated within 30mts actually log in before clicking the activate link).

Another site I know distinguishes between first login and all other logins. After registering, the user clicks on the activate link. Then he has to log in. Upon login (first login) he is prompted to upload a profile photo, invite friends, etc.

I'm sure one of these workflow models could work for BuddyPress...

The majority of large sites I know actually have the user logged in at activation.

Can you name some examples? I tend to agree with Paul that it's not secure to do this kind of auto-login. The issue is this: users activate their accounts with an activation key, which is sent in plaintext in an email. For the "96%" of users that activate within a few minutes, there is not much of a security issue (because the activation keys are deactivated after being used). But for those few users who never actually click the link, it means that there is an unused activation key sitting out there, waiting to be exploited at any point by whoever happens to stumble upon the email (or even manages to guess the proper URL).

If you want auto-login on activation, it's pretty easy to do with a plugin. (The hook you'll want to look for is 'bp_core_activated_user', and the WP function is wp_set_auth_cookie()) In this case, I would recommend that your plugin also set a short expiration date for activation keys, so that after (say) an hour or a day, a user will have to have a new key generated and emailed. That'll greatly reduce the likelihood of compromise.

Facebook uses the "old BP" technique of uploading images on registration, before even sending out an activation link. If you click on activation link, you are already logged in.

hi5 has a similar method. When you click on activation link, you find that you are already logged in.

In Twitter, when you register, you are logged into your account (and you can add photos, edit profile, etc). Then an activation email is sent to you. If you click on activation email, you find yourself already logged in.

If you click on Activate link in Meetup, you find that you are already logged in.

etc.

But @boonebgorges, after your explanation, I understand the security concerns a bit better. I think the 1st of the 2 workflows in my above message could be a good solution...

When I register for a BBPress site, I am logged in immediately (and my login times out in 30mts upon inactivity). But I don't have access to the major functions of the site. I receive an activation email. If I click on the activation email immediately, I find that I am already logged in, and am prompted to upload a profile picture.

If on the other hand, I am timed out, and then click on activation link, then after activation, I should be asked to log in manually. In that case, (because experience shows that % of people that fall in this category is so low) this should be a normal login, and user need not be prompted for any action.

Either way, I think the activation code should be short-lived. It should not last more than a couple of hours and definitely not longer than 1 day. After all, there's always the "resend activation email" functionality, which should always expire the old code and send a new one...
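The two comments above (the plugin advice about expiring activation keys, and the request that keys be short-lived and that a resend kill the old one) describe one key lifecycle. The following is an added example written for this ticket, not BuddyPress or WordPress code: it models a single-use, short-lived activation key that is stored only as a hash, is consumed on first use, and is replaced (not duplicated) by a resend. The two-hour TTL, the e-mail addresses and the timestamps are constructed for the example; a real plugin would call wp_set_auth_cookie() only on the "activated" branch.

```python
"""Activation-key lifecycle: random, hashed at rest, short-lived, single-use.

Added example (not BuddyPress code). Models the key handling argued for in
the ticket discussion. Time is passed in explicitly so the behaviour is
deterministic; a plugin would use the current time.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Two hours, taken from the "couple of hours" suggestion in the thread (assumed value).
KEY_TTL_SECONDS = 2 * 60 * 60


def _hash(key: str) -> str:
    """Store only a digest: an attacker who reads the table cannot replay the key."""
    return hashlib.sha256(key.encode()).hexdigest()


@dataclass
class Signup:
    email: str
    key_hash: str       # digest of the key; the plaintext goes only into the e-mail
    issued_at: float
    activated: bool = False


class ActivationStore:
    def __init__(self):
        self._by_email = {}   # email -> Signup (one pending key per address)

    def issue_key(self, email: str, now: float) -> str:
        """Create or replace the pending key for an address; return the plaintext to mail."""
        key = secrets.token_urlsafe(32)   # 256 bits of randomness, not guessable
        self._by_email[email] = Signup(email, _hash(key), now)
        return key

    def resend(self, email: str, now: float) -> str:
        """Resend: issue_key overwrites the record, so the previous key is dead."""
        pending = self._by_email.get(email)
        if pending is None or pending.activated:
            raise KeyError("no pending signup for this address")
        return self.issue_key(email, now)

    def activate(self, key: str, now: float) -> str:
        """Return 'activated', 'already_used', 'expired' or 'invalid'."""
        presented = _hash(key)
        for signup in self._by_email.values():
            # Constant-time comparison of digests.
            if hmac.compare_digest(presented, signup.key_hash):
                if signup.activated:
                    return "already_used"          # keys are consumed on first use
                if now - signup.issued_at > KEY_TTL_SECONDS:
                    return "expired"               # user must request a fresh key
                signup.activated = True
                return "activated"                 # only here would a plugin log the user in
        return "invalid"


def walkthrough() -> dict:
    """Exercise the lifecycle with constructed addresses and timestamps."""
    store = ActivationStore()
    t0 = 1_000_000.0
    alice_key_1 = store.issue_key("alice@example.test", t0)
    alice_key_2 = store.resend("alice@example.test", t0 + 60)
    bob_key = store.issue_key("bob@example.test", t0)
    return {
        "old_key_after_resend": store.activate(alice_key_1, t0 + 120),
        "fresh_key_within_ttl": store.activate(alice_key_2, t0 + 120),
        "replay_of_used_key": store.activate(alice_key_2, t0 + 180),
        "stale_key": store.activate(bob_key, t0 + KEY_TTL_SECONDS + 1),
        "guessed_key": store.activate("not-a-real-key", t0 + 120),
    }


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name}: {outcome}")
```

The point the thread makes is visible in the last two results: an unused key that sits in a mailbox stops working once the TTL passes, and a guessed value never matches a stored digest.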

  • Milestone changed from Awaiting Review to Future Release

Thanks for the descriptions. My guess is that FB etc are actually logging you in based on cookies that are set during the registration process, *not* based on the activation key itself (a much more secure method, to be sure). I'd have to do some testing.

I think it's worth examining whether there are ways we can modularize the signup process, so that admins can decide on a case-by-case basis when/whether avatar upload is to take place. Moving this ticket to Future Release for further discussion.

I think many of the sites differentiate between activated login and inactive account login states.

When customer has not activated the account, (s)he can still log in, but can't use many of the site's functions. Upon activating, it becomes a full account.

Based on this, I agree, many of the above sites are probably not logging you in based on activation key. Instead, as an end-user you get that experience because you are already logged in (inactive login state)...these sites log you in immediately upon registration. What activation key does is that it changes your account status (and therefore privileges).
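The conclusion reached above, that sites like these create the session at registration and let the activation key only change the account's status and privileges, is modelled in the added example below. It is not BuddyPress or WordPress code: the 30-minute idle timeout, the two account states and the per-state feature sets are constructed from the descriptions in this thread. The activation step never creates a session from the key; if the registration session has timed out, activation reports that a manual login is required.

```python
"""Register-then-activate with a session set at registration.

Added example (not BuddyPress code). Privileges derive from the account's
status; the activation key only flips that status. The session cookie issued
at registration is what keeps the user logged in across activation.
"""
import secrets
from dataclasses import dataclass

SESSION_IDLE_TIMEOUT = 30 * 60   # 30 minutes of inactivity, as described in the thread

# Feature sets per account status (constructed for the example).
PRIVILEGES = {
    "pending": {"view_own_profile", "upload_avatar"},
    "active": {"view_own_profile", "upload_avatar", "post", "message", "join_group"},
}


@dataclass
class Account:
    email: str
    status: str = "pending"      # "pending" -> "active" on activation


@dataclass
class Session:
    account: Account
    last_seen: float


class Site:
    def __init__(self):
        self.accounts = {}          # email -> Account
        self.sessions = {}          # cookie value -> Session
        self.activation_keys = {}   # key -> email (single-use)

    def register(self, email: str, now: float):
        """Create a pending account, issue an activation key, and start a session."""
        account = Account(email)
        self.accounts[email] = account
        key = secrets.token_urlsafe(16)
        self.activation_keys[key] = email
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(account, now)
        return cookie, key

    def _session(self, cookie: str, now: float):
        """Return the live session for a cookie, expiring it on idle timeout."""
        session = self.sessions.get(cookie)
        if session is None:
            return None
        if now - session.last_seen > SESSION_IDLE_TIMEOUT:
            del self.sessions[cookie]   # timed out: the user must log in manually
            return None
        session.last_seen = now
        return session

    def can(self, cookie: str, action: str, now: float) -> bool:
        """Authorisation check: a live session AND a status that grants the action."""
        session = self._session(cookie, now)
        return session is not None and action in PRIVILEGES[session.account.status]

    def activate(self, key: str, cookie: str, now: float) -> str:
        """Consume the key and promote the account; never log in based on the key."""
        email = self.activation_keys.pop(key, None)
        if email is None:
            return "invalid"
        self.accounts[email].status = "active"
        if self._session(cookie, now) is not None:
            return "activated_logged_in"        # registration session still alive
        return "activated_login_required"       # session expired: normal login next


def walkthrough() -> dict:
    """A fast activator, a slow activator, and a key replay, all constructed."""
    site = Site()
    t0 = 1_000_000.0
    fast_cookie, fast_key = site.register("fast@example.test", t0)
    slow_cookie, slow_key = site.register("slow@example.test", t0)
    results = {
        "pending_can_post": site.can(fast_cookie, "post", t0 + 10),
        "pending_can_upload_avatar": site.can(fast_cookie, "upload_avatar", t0 + 10),
        "fast_activation": site.activate(fast_key, fast_cookie, t0 + 120),
        "fast_can_post_after": site.can(fast_cookie, "post", t0 + 121),
        "slow_activation": site.activate(slow_key, slow_cookie, t0 + 2 * 60 * 60),
        "slow_old_cookie_can_post": site.can(slow_cookie, "post", t0 + 2 * 60 * 60 + 1),
        "key_replay": site.activate(fast_key, fast_cookie, t0 + 200),
    }
    return results


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name}: {outcome}")
```

Because the key is never a login credential here, the threat in the earlier comment (a stale key found in a mailbox) can at most promote an account that someone already registered; it cannot by itself produce a logged-in session.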

Last edited 14 months ago by sooskriszta
  • Version changed from 1.5.4 to 1.5.5
  • Version changed from 1.5.5 to 1.5

The purpose of the 'Version' field is to note the first version of BuddyPress where the issue in question was noted. There's no need to change it in this case - if anything, the version should be 1.5, which is the first version where the avatar upload was moved.

Any chance of this being sneaked into 1.7?

Any chance of this being sneaked into 1.7?

We're too far into development - most of the new feature development for 1.7 is already done. Let's talk about this when we start scoping 1.8.

1.8 is on the roadmap https://buddypress.trac.wordpress.org/roadmap

Time to discuss?
