Setting Up and Maintaining User Accounts

Nothing is more important to a community-driven site than users! As a site administrator, you want to make the process of obtaining a user account as easy and straightforward as possible, and make the communications that originate from your site friendly and informative.

Configuring User Accounts

Drupal offers three different ways to handle the creation of new user accounts, as well as complete control over the e-mail messages that are sent to people when they obtain a new account or when they forget their password.

User Registration Settings

To administer users, select administer> settings> users (admin/settings/user). On this page, the first group of radio buttons, labeled Public Registrations, determines how new users are added to the site. You have three choices:

Visitors can create accounts and no administrator approval is required: This is the default and the most suitable setting for a site where the goal is to make registration as open and easy as possible.

Visitors can create accounts but administrator approval is required: If you would like to have some control over who can have a user account, but you still want the process to be initiated by users visiting your site, you can choose this option. With this scheme, users are shown the same registration form as with the preceding option, and they are sent essentially the same welcome mail containing a password and links, with an additional message indicating that their account is currently pending approval. If they attempt to log in before approval has been granted, they are simply given the message "Sorry. Unrecognized username or password." Meanwhile, the site administrator has been sent an e-mail message indicating that a user has applied for an account with a link to that user's page. The administrator then has the chance to review the user's information and change the status from blocked to active. At the time of this writing, no further e-mail is sent to inform the new user of whether the account has been approved. A feature request (http:// has been submitted at to address this shortcoming.

Only site administrators can create new user accounts: With this option, anonymous visitors are not shown the Create New Account link in the login block. The path user/ register becomes off limits to everyone, including administrators, and returns a 403 error ("Access denied - You are not authorized to access this page") when accessed.

The administrator can create new users under the Drupal path admin/user/create. The form requires the administrator to enter a username, e-mail address, and password for the new user. No e-mail is sent to users created this way, so it is up to the administrator to initiate communication with the person who will be using the newly created account. New users can either be told the password chosen for them, or they can request a new password using their username and e-mail (under the path user/password).

If you would like to provide more information, instructions, or a greeting to people as a part of the user registration form, enter that text in the User Registration Guidelines field. The text that you add here will be shown at the time a visitor chooses to create a new site account.

User E-Mail Settings

In the two registration variants where users initiate the process of creating a new user account, Drupal will send a welcome e-mail message with account details and welcome text. Drupal also sends an e-mail message when users forget their password and request a new one. The User E-Mail Settings section of the admin/settings/user page allows you to customize the text and templates for these three messages. The site administrator can edit the text and subjects for all of these messages. Also, you can use a number of placeholder variables to represent dynamic information, as shown in Table 2-1. These variables will be replaced with the appropriate values at the time the e-mail is sent.

Table 2-1. Placeholders for User Welcome E-Mail

Placeholder Description

%edit_uri The absolute URL to the screen where users can edit their account information.

Equals %site plus the path user/{uid}/edit, where {uid} is the user's unique ID.

%login_uri An absolute URL to the screen where users can log in. Equals the base URL of the site, plus the path user/login.

%mailto The site's e-mail address.

%password The user's password. New passwords are generated randomly by Drupal.

%site The site name. Corresponds to the Name field of the General Settings section on the admin/settings page.

%uri The URL to your site.

%uri_brief A truncated version of the full URL to the site. It takes the form, or It is used in the welcome mail to illustrate how the new user's distributed authentication username looks. Distributed authentication is covered in Chapter 3.

y the administrator or chosen by the user.

User Pictures

The final section on the admin/settings/user page allows administrators to decide whether users can upload a small picture to become their online identity, or avatar, on the site. If you enable the Picture Support option, you must enter a value in the Picture Image Path field that points to the folder that will store the uploaded user pictures. This can be the pictures folder that Drupal created for you when you visited the admin/settings/user page for the first time, which is also the default value. You can also specify a path to a default picture, which will be shown in the case a user hasn't yet uploaded one.

Set the Picture Maximum Dimensions option in the form height X width to control the size of the avatars. Set the Picture Maximum File Size option to make sure the size of these files isn't too large.

Finally, you can write a message from the administrator in the Picture Guidelines field. This message will be shown to users along with the picture upload form. You can use this message to explain the purpose of the avatar picture, give instructions and guidance on how to prepare the image files, or detail restrictions that should be observed.

Once avatar picture support has been enabled, a Picture section will be added to the user account edit page (user/uid/edit). The picture itself will appear on the user account page (user/ uid) and, depending on what theme is being used and how it is configured, on the content postings made by that user. Theme configuration is discussed in the "Configuring Themes" section later in this chapter.

Managing User Accounts

You have now chosen a user creation scheme that fits your needs. If you've allowed it, site visitors will begin setting up user accounts when they visit your site. Otherwise, you, as the administrator, will create the user accounts. Either way, several tasks are associated with maintaining user accounts. These tasks include password recovery, blocking users who abuse your site, and deleting defunct accounts.

User Account Creation

Any user with the Administer Users permission (see the "Controlling Access" section later in this chapter for more about permissions) can create new user accounts. The process of adding a new user is as simple as selecting administer> users > add user (admin/user/create) and providing a username, e-mail address, and password. As noted earlier, no mail is sent to the newly created user.

Note Form elements with asterisks are required fields and cannot be left blank.

The Drupal path to the user registration page is user/register. The typical way for an anonymous visitor to come to the registration page is via the user login block (see the "Using Blocks" section later in this chapter for details on enabling and configuring blocks). The user login block is activated by default and appears for any visitor who does not currently have an open session. It displays the links Create New Account and Request New Password. Clicking the Create New Account link takes you to the user/register page with text fields for Username and E-Mail Address. An invalid or duplicated e-mail address or a duplicated or forbidden username will prevent the creation of a new user.

Successful completion of the form will trigger an e-mail message to be sent from the Drupal server to the e-mail address that the user entered in the form. The e-mail will contain a welcome message, a randomly generated password, and links to various important pages back on the site. The user will need to log in using the password that was sent; at which point, it is advisable to immediately change the password to something easier to remember. This can be done on the user/uid page, where uid is the user's unique identification number.

Password Recovery

If a user forgets her password, she can use the Request New Password link (user/password) to have a recovery mail sent to her e-mail address. The mail will contain a one-time-only link to a page that allows her to enter a new password. The password will be set only if the page is accessed via the URL in the mail, as it will contain a unique hashed code that can be used by only that user and only one time.

■ Note Drupal does not store clear-text passwords in the database. Rather, every password is encrypted using the MD5 algorithm ( and the encrypted version of the password is stored Every time a user attempts authentication, the password he enters is encrypted using the same algorithm, and the product of encryption is compared with the encrypted version in the database. This means that passwords are unrecoverable. As the site administrator, you do not know users' passwords, not even by looking in the database. This is intended to offer a level of security and privacy for Drupal site users. The users' only recourse for lost, stolen, or forgotten passwords is to request a new password, via the Request New Password link, or to have the administrator manually create a new one by visiting the user's page and updating the password to something new.

User Status

Administrators (anyone with the Administer Users permission, in this case) are able to access and configure individual user accounts. You can see a list of users by selecting administer> users (admin/user). Clicking the Edit link for any of the users listed brings up the same form that the user herself uses to configure her account, with the addition of a couple administrative fields. The administrator is privy to all of the information and can even enter a new password. Note that the administrator cannot, under any circumstances, see the current password for a user.

In addition to the fields to which the user has access, administrators have access to two important user management tools: Status and Roles. Setting a user's Status to Blocked prevents the user from logging in to the site using that account. This should be used to deactivate accounts when users misbehave, fail to observe the site's guidelines, or use their account to introduce spam. A blocked user cannot log in and has no user account page (user/uid). The message given when a blocked user attempts to log in is "Sorry. Unrecognized username or password." No message is sent to alert a user that he has been blocked. If the user attempts to create a new user with the blocked name or password, the following messages are displayed:

The name blocked_name is already taken.

The e-mail address blocked_e-mail is already taken.

Note that the blocked user's posts on the site remain visible and intact. If the impetus for blocking the user was inappropriate content, the administrator will need to deal with the content separately. In general, it is advisable to block users and unpublish content rather than deleting it. This blocks the user from signing up with the same name or e-mail address and keeps the evidence of wrongdoing or bad behavior intact.

Was this article helpful?

0 0

Post a comment