In this video we will create a new role that LoginToboggan will grant to users who have not yet authenticated their account. This will effectively limit their permissions until they click the verification link we email to them. We'll also configure LoginToboggan to automatically delete user accounts that have not been verified after a specified amount of time.

Creating a new role

  • Go to "People => Permissions => Roles" (admin/people/permissions/roles)
  • Name: Non-authenticated
  • (Add role)
  • Operations: edit permissions
  • Permissions:
    • [x] View comments
    • [x] View published content
    • [x] Article: Create new content
  • (Save permissions)

Now, we can go back and configure the Non-authenticated role options in LoginToboggan.

  • Go to "Configuration => System => LoginToboggan" (admin/config/system/logintoboggan)
  • Non-authenticated role: Choose "Non-authenticated" (Non authenticated users will be assigned this role. Once the user has been validated, this role will be removed and they will be considered an "authenticated user". Note that you should not change this after initially setting it up because you may unintentionally delete valid user accounts.)
  • Delete unvalidated users after: 1 week (This will automatically delete users who do not validate their account by clicking the link they receive via email. This will effectively delete accounts created by spam bots, so your database won't fill up with invalid accounts. Note that you should not change this after initially setting it up either because you may unintentionally delete valid user accounts. There is more information about these caveats in the install.txt file for this module.)
  • [x] Immediate login (If you have enabled the "Set password" option above, enabling this will immediately log a user in when they create an account. Note that they will only have the permissions granted to the Non-authenticated role until they do authenticate their account.)
  • (Save configuration)

Now I'll create another test user.

If we check out the "People" page, we'll see the new user, and that they have the Non-authenticated role. And now that we've configured LoginToboggan to use this role, when we go to the "Permissions" page, you'll see that the "Non-authenticated" role does not have all of the permissions that the "Authenticated User" role has. In fact, it doesn't even have all of the permissions that the "Anonymous User" role has. For example, both the Anonymous and Authenticated user roles have permission to use the Filtered HTML text format, but someone with the "Non-authenticated" role will not have access to that. So, keep that in mind when you set up your permissions. You may want to at least grant all of the permissions that anonymous users have.
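The permission gap described above can be listed from the command line instead of being read off the Permissions grid. This is an added example, not code from the video or from the LoginToboggan project; it assumes Drupal 7 (which matches the admin paths used here), Drush, and a role named exactly "Non-authenticated", and the file name `role_gap.php` is hypothetical.

```php
<?php
// Added example (not part of LoginToboggan). Assumes Drupal 7 and Drush.
// Run from the site root: drush php-script role_gap.php  (hypothetical file name)

// Assumption: the pre-validation role was created with this exact name.
$role_name = 'Non-authenticated';

$pre = user_role_load_by_name($role_name);
if (!$pre) {
  echo "Role '$role_name' not found; create it before running this check.\n";
  return;
}

// user_role_permissions() expects the role IDs of interest as array KEYS.
$rids  = array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID, $pre->rid);
$perms = user_role_permissions(array_fill_keys($rids, TRUE));

$anon       = array_keys($perms[DRUPAL_ANONYMOUS_RID]);
$auth       = array_keys($perms[DRUPAL_AUTHENTICATED_RID]);
$unverified = array_keys($perms[$pre->rid]);

$report = array(
  // Things a visitor loses by registering, e.g. a text format permission.
  "Anonymous has, $role_name lacks" => array_diff($anon, $unverified),
  // Things an unverified account can do that a visitor cannot.
  "$role_name has, anonymous lacks" => array_diff($unverified, $anon),
  // An unverified account should never exceed a verified one.
  "$role_name has, authenticated lacks" => array_diff($unverified, $auth),
);

foreach ($report as $label => $list) {
  echo "\n$label (" . count($list) . "):\n";
  if (!$list) {
    echo "  (none)\n";
    continue;
  }
  sort($list);
  foreach ($list as $permission) {
    echo "  - $permission\n";
  }
}
```

The second list is the one to review most carefully, since every permission in it is available to accounts whose email address has not yet been verified.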

Before we move on, let's click the validation link in our email to make sure the Non-authenticated role is removed from our test user.

It is! So, we're ready to move on.

In the next video, we're going to take a look at the last remaining settings on the LoginToboggan configuration page, including redirecting users on registration and confirmation, providing a login form on 403 access denied pages, displaying a simple "Log in successful" message, and requiring a minimum password length.