Streamlining Account Requests

Leon Smith leon.p.smith at
Wed Sep 5 18:12:55 CEST 2012

On Wed, Sep 5, 2012 at 9:57 AM, Duncan Coutts <duncan.coutts at>

> In the new server the security is a little better, but we still want
> to have a manual step to grant uploader rights.

Well, my impression is that the new server has a number of incomplete
features that we are ignoring for now,  and that we are adopting
essentially the same model as before.   In particular the per-package
upload groups have been disabled as we aren't importing the old accounts
and have no way to initially populate the groups.    And personally, I'm ok
with leaving this functionality disabled for the indefinite future.

However,  I do think we need to streamline the account request process.   I
have a pretty good idea of what I would like to have for LtU,  which might
also be a good starting point for hackage.  Basically:

1.  An account request form,  that would require a username,  a private
email address,  a private comment to the administrators,   and some public
profile information.   The profile information is there mostly because
spammers love to put stuff in there that would identify themselves as
spammers.    (But this might not be a huge problem on the new hackage?
The web form might still attract spam, however.)   Even so, I do think some
kind of minimalistic profile would be nice to provide for accounts.

2.  An email confirmation system.   The private email address would
generally need to be confirmed before an adminstrator would review the

3.  A administrator page that lists outstanding requests with links to
sub-pages to review each individual request.

4.  Each sub-page would include all relevant information with respect to
the request on one page:
      A.  Username,  private email, private comment,  and public profile
      B.  IP address and User-Agent header associated with both the request
and confirmation
      C.  Link to a google search on the email address
      D.  Comments and evaluations by other administrators

5.  Administrators would have the ability to classify the request,  as well
as give a level of certainty of that classification.   This would only be
for communication with other administrators as well as to collect data that
we might someday apply some machine learning techniques to.   Approval or
rejection would be a separate process.

6.  That the system would automatically send an email once an request is

This would be a great system for LtU,  I don't know how well it would also
fit hackage.   However the phrase "beggars can't be choosers" comes to
mind;  I'm not very good at web dev,  and I have plenty of other things on
my plate.

I did get a PostgreSQL schema put together for my system this weekend,  and
a very minimal start on a Snap web app as a proof of concept.   My idea for
integration,  if this basic approach eventually gets to production,  would
be to use Data.Acid.Remote to create accounts inside the existing server.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the cabal-devel mailing list