V. Configure User Settings

The Collaboration Tools Installer has already changed some of these settings to make them more secure than the default Drupal configuration, but I recommend even stricter settings:

  1. Go to Administer->User management->User settings (/admin/user/settings)
  2. In User registration settings:
    • In Public registrations select Only site administrators can create new user accounts (recommended at least during initial development) or Visitors can create accounts but administrator approval is required.

      Note: Stanford sites that will be using WebAuth should usually select Only site administrators can create new user accounts, since users with SUNet IDs will still be able to log in and have Drupal accounts automatically created for them.

    • Leave Require e-mail verification when a visitor creates an account enabled (checked)
    • If Visitors can create accounts but administrator approval is required was selected, include appropriate registration instructions and guidelines in User registration guidelines. This text will be displayed on the registration form. (Remember this option exists later if you add features such as Organic Groups and registration becomes more complicated.)
  3. In User e-mail settings most of the defaults can be left as is for now, but these should be changed immediately for security reasons:
    • In Welcome, new user created by administrator, delete everything from "to !login_uri using the following username and password" to "You may also log in" in the Body text, so that the edited text says "You may now log in by clicking on this link…". This both removes the security-challenged sending of passwords through email (by removing "password: !password") and makes the remaining text make sense.
    • Do the same in Welcome, no approval required: delete everything from "to !login_uri using the following username and password" to "You may also log in" in the Body text, so that the edited text says "You may now log in by clicking on this link…". Again, this both removes the security-challenged sending of passwords through email (by removing "password: !password") and makes the remaining text make sense.
  4. Don't forget to scroll down to the bottom and click the Save configuration button!
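
An added check for the steps above (not part of the original guide or of the Collaboration Tools Installer): it audits a dictionary of Drupal 6 variables for the registration mode, e-mail verification and the two welcome e-mail bodies. The variable names are Drupal 6 core's; how the variables are exported into a Python dictionary, and the sample values, are assumptions constructed for illustration.

```python
# Added example: audit Drupal 6 user settings against the steps above.
# Labels shown in findings are the headings used on /admin/user/settings.
MAIL_BODIES = {
    "user_mail_register_admin_created_body": "Welcome, new user created by administrator",
    "user_mail_register_no_approval_required_body": "Welcome, no approval required",
}
# user_register: 0 = administrators only, 1 = visitors, no approval,
#                2 = visitors, administrator approval required
ALLOWED_REGISTRATION = {0, 2}


def audit_user_settings(variables):
    """Return a list of findings; an empty list means the steps were applied."""
    findings = []
    # Drupal 6 core defaults to 1 (open registration) when nothing is stored.
    if int(variables.get("user_register", 1)) not in ALLOWED_REGISTRATION:
        findings.append("user_register: visitors can register without approval")
    if not int(variables.get("user_email_verification", 1)):
        findings.append("user_email_verification: e-mail verification is off")
    for name, label in MAIL_BODIES.items():
        body = variables.get(name)
        if body is None:
            # No stored override: core falls back to its built-in text,
            # which still includes the !password token.
            findings.append(f"{name}: '{label}' still uses the default body")
        elif "!password" in body:
            findings.append(f"{name}: '{label}' body still contains !password")
    return findings


# Constructed sample data (not taken from a real site).
EDITED_BODY = "!username,\n\nYou may now log in by clicking on this link:\n\n!login_url\n"
HARDENED = {
    "user_register": "0",
    "user_email_verification": "1",
    "user_mail_register_admin_created_body": EDITED_BODY,
    "user_mail_register_no_approval_required_body": EDITED_BODY,
}
UNTOUCHED = {
    "user_register": "1",
    "user_mail_register_admin_created_body": "username: !username\npassword: !password\n",
}

if __name__ == "__main__":
    for site, settings in (("hardened", HARDENED), ("untouched", UNTOUCHED)):
        print(site, audit_user_settings(settings) or "OK")
```

A body that was never saved is reported as well, because an unset variable means the default text, with its password line, is what gets mailed.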