Description of problem: Users must verify their email address before performing any operations in the system. Users with unverified email addresses should be able to perform non-destructive reversible operations that do not have the capacity to harass other users. - allow signup process to complete without verifying email address - show a message at the top of the page warning that email is not verified. The message is shown until email is verified. - If user clicks "re-send activation email" several times (3 times), detect this and either offer to contact the admins, or automatically contact admins in the background. - show "(unverified)" next to username so that language coordinators can tell if someone is verified when they are adding a user to their team. Security - block funcitons that send emails such as contact admin, request to join language team, contact language team coordinators. This could be done by adding a role such as "email_verified" that is required to perform operations that send emails. - to allow data into the system from unverified users, we need a way to identify and remove data from a user who turns out to be malicious.
Rather than: "detect this and either offer to contact the admins or automatically contact admins in the background." We should show something like: Please verify your email address A verification email has been sent to email, follow the instructions included in the email to verify your account. Resend email | Update email address
Migrated; check JIRA for bug status: http://zanata.atlassian.net/browse/ZNTA-79