XF 1.3 How people who register through Facebook can change their email?

[Moshe1010]

Let's say users who register to my forum have invalid Facebook email, so they are entered to the bounced user group. When these users try to change their email through the UserCP, it says:

"Your email cannot be changed while your account does not have a password. Request a password be emailed to you" (the last sentence is an hyperlink).

Now questions:
1. How can the user receive a password if the email is invalid?

2. If the user is changing his email address on Facebook, does it change it on the forum as well? (automatically)

3. When users register through Facebook, they don't enter any password, so why does it ask them to choose a password in the UserCP? If they do choose password, does it mean they can login both ways: through Facebook and through the regular log-in? (with their username/email and the new password)

Thanks.

 

[Paul B]

If the email is invalid then you will need to reset the email or password for them in the ACP.

Changing the email address on Facebook does not change it on the forum, if an email address has been explicitly entered.

When registering via Facebook, login is controlled via the FB API so they don't have a password stored in the forum DB.
If they then create a password, it separates the logins so they can log in to the forum and Facebook independently.

 

[Moshe1010]

If the email is invalid then you will need to reset the email or password for them in the ACP.

How would I know? I'm not going manually check every night if people are in the bounced email user group. Even if they are, I have no idea who's coming from Facebook and who's not. I have dozens of these every day, it would be a pain checking each and every one of them. And even if I reset their email, I don't know to which one. I have no way to get in touch with the person

Changing the email address on Facebook does not change it on the forum, if an email address has been explicitly entered.

People who register with Facebook don't enter their email address on the registration forum. Actually, they can't enter it even if they want to. It takes their email address from their Facebook account.

When registering via Facebook, login is controlled via the FB API so they don't have a password stored in the forum DB.
If they then create a password, it separates the logins so they can log in to the forum and Facebook independently.

So it brings us to square one. How people who have invalid email address through Facebook can register to my forum?
Why the userCP option to change their email address says:
"Your email cannot be changed while your account does not have a password. Request a password be emailed to you"
It's a misleading phrase since they can't receive any emails. In addition, if creating a password to their user breaks the Facebook Connect thing, then what's the point to register from Facebook at the beginning? The entire point of Facebook registration is to save time and hassle registering to the forum.

 

[Mike]

It doesn't break anything. They can still login via Facebook.

But it does stand that, like any other user forgetting their password, changing it requires access to their associated email account. It's the only way to really verify ownership. If the email is invalid in this case, another approach would need to be taken (which would usually involve them contacting you and you making a judgement call).

 

[Moshe1010]

It doesn't break anything. They can still login via Facebook.

They can, but it puts them in the bounced user group right on the first email that is sent to them from the system. So it makes their account useless since they can't comment or open new threads until they change their email (which they can't, at least without my help which many new users wouldn't bother and leave the forum).

which would usually involve them contacting you and you making a judgement call

Why not letting them the option to change their email via UserCP and confirm the new email address?

 

[Mike]

Well, there's really nothing to prevent that from happening down the line. An email can of course become invalid and the situation is really the same.

Changing the email address on the account is tantamount to changing the owner. If I sat down at your computer, opened your forum and changed your email to mine, I'd have the keys to control your account. This is why a password is required (and why a password is required to change a password). It confirms ownership.

 

[Moshe1010]

Well, there's really nothing to prevent that from happening down the line. An email can of course become invalid and the situation is really the same.

Changing the email address on the account is tantamount to changing the owner. If I sat down at your computer, opened your forum and changed your email to mine, I'd have the keys to control your account. This is why a password is required (and why a password is required to change a password). It confirms ownership.

So what prevents users who register through Facebook to enter a password as well when they register just for cases like this, but keep connecting without a password (or with it, as they wish)?

 

[Mike]

I'm pretty sure it's generally frowned upon (if not against the terms) to ask for a password at registration when integrating. But regardless, it's one of those aspects of trying to keep the registration process simpler.

 

[Moshe1010]

I'm pretty sure it's generally frowned upon (if not against the terms) to ask for a password at registration when integrating.

Tried to dig right now on Facebook's terms, I can't find anything about requesting a password during registration.
https://developers.facebook.com/policy/#login

But regardless, it's one of those aspects of trying to keep the registration process simpler.

I agree, but not being able to change an email address at the beginning or along the line without a help of an admin is not really good for our forum health, especially one that gets a lot of traffic through Facebook.

I have dozens users getting deleted every week because of this (I have auto-delete users that aren't approved on registration after 10 days, including Facebook). These users don't bother coming back to the forum since the registration process didn't really work for them. The phrase that says what I've noted before doesn't help for this either - it's confusing users since they can't really create a password with a wrong/inactive email address..