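# Restrict user creation to mydomain0.com/mydomain1.com
function fnAbortNonMyDomainHook( $user, &$message ) {
    global $wgRequest;
    $email = $wgRequest->getText( 'wpEmail' );
    // explode() replaces split(), which was removed in PHP 7
    $emailSplitList = explode( "@", $email, 2 );
    // Reject addresses with no "@" as well as non-listed domains
    if ( count( $emailSplitList ) < 2 ||
        ( $emailSplitList[1] != "mydomain0.com" &&
          $emailSplitList[1] != "mydomain1.com" ) ) {
        // $message is taken by reference so the caller sees the text
        $message = "The only allowed e-mail domains are mydomain0.com and mydomain1.com";
        return false;
    }
    return true;
}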

This will not work: a (valid) email address like
'"bob@example0.com"@evil.com' (including the double quotes, not
including the single quotes) will pass, even though it's not actually
supposed to.

This is true, and one can make a regex that will match the end of the string,
but I was thinking that one could force the user to confirm email before login
in addition to the regex check as noted here:
ki-19/
One could also prompt for just the username and not the domain and then send
an email confirmation and abort the login if the account is not confirmed.
Mark W.
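
An added example, not part of the original thread or of MediaWiki: it contrasts an unanchored domain pattern with a check that takes everything after the last "@" and compares it exactly against the allowed list. The function names and the sample addresses are constructed for illustration.

```php
<?php
// Added example: hypothetical helper names, not MediaWiki API.
const ALLOWED_DOMAINS = ['mydomain0.com', 'mydomain1.com'];

// Weak check: the pattern is not anchored, so an allowed domain appearing
// anywhere after some "@" is accepted, including inside a quoted local part.
function looseDomainCheck(string $email): bool {
    return preg_match('/@(mydomain0|mydomain1)\.com/i', $email) === 1;
}

// Stricter check: the domain is whatever follows the LAST "@", because a
// quoted local part may itself contain "@".
function strictDomainCheck(string $email): bool {
    $at = strrpos($email, '@');
    if ($at === false || $at === 0) {
        return false; // no "@" at all, or an empty local part
    }
    // Domain names are case-insensitive, so normalise before comparing.
    $domain = strtolower(substr($email, $at + 1));
    // Exact match against the list: look-alike prefixes and suffixes fail.
    return in_array($domain, ALLOWED_DOMAINS, true);
}

// Constructed sample addresses.
$samples = [
    'alice@mydomain0.com',
    'Bob@MyDomain1.COM',
    '"bob@mydomain0.com"@evil.com',
    'carol@mydomain0.com.evil.com',
    'dave@notmydomain0.com',
    'no-at-sign',
];

foreach ($samples as $email) {
    printf("%-32s loose=%-5s strict=%s\n", $email,
        var_export(looseDomainCheck($email), true),
        var_export(strictDomainCheck($email), true));
}
```

A domain check only constrains where mail would be delivered; the e-mail confirmation step suggested above is what shows the registrant can actually read that mailbox.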