Magnus Hagander <magnus@hagander.net> writes:
> On Wed, Jul 12, 2017 at 4:16 PM, Greg Stark <stark@mit.edu> wrote:
>> The big question though is whether to still require a community id at
>> all. If we just let anyone log in via Google and create a placeholder
>> account on demand if one doesn't exist then you shouldn't have to go
>> through the "create an account" step at all. And you shouldn't have to
>> remember a new userid at all.
> The point of the create an account step would be if somebody has a pg
> account under something@somewhere.com and logs in using
> mygoogle@somewhere.com they should at least get a notification before we
> create the new account. But we should make doing that trivial, as in a
> pre-filled-out signup form with the info from google/whatever and just a
> "click here to confirm" box.
I'm wondering about the security implications of this --- would it mean
that anybody with a google account could, eg, spam our wiki?
I don't mind reducing barriers to entry when we can, but recent experience
says that there has to be some barrier :-(
regards, tom lane