User Registration - akeeba/panopticon GitHub Wiki
Akeeba Panopticon supports optional user self-registration. When enabled, new users can create their own accounts from the login page without requiring a Super User to manually create accounts for them.
Enabling Registration
User self-registration is disabled by default. To enable it, go to System Configuration and find the Registration section. Set User Registration to one of the two available modes:
- Admin Approval. New users can register, but their accounts are blocked until a Super User or Administrator reviews and approves them.
- Self-Approval (Email Activation). New users register and receive an activation email. They must click the activation link and provide their credentials to activate their account.
See the System Configuration page for full documentation of all registration options.
Registration Modes
Admin Approval
1. The user fills out the registration form (name, username, email, password) on the login page.
2. The new account is created in a blocked state.
3. The user receives an email confirming their registration is pending approval.
4. All users with Super User or Administrator privileges receive a notification email with the registrant's details and a link to the user management area.
5. An administrator reviews the account and unblocks it by editing the user profile.
6. Once unblocked, the user receives an approval email and can log in.
Self-Approval (Email Activation)
1. The user fills out the registration form on the login page.
2. The new account is created in a blocked state.
3. The user receives an activation email containing a link and a security token.
4. The user clicks the activation link (or navigates to it manually) and provides their username, password, and token.
5. If the credentials and token are valid, the account is activated immediately and the user receives a confirmation email.
6. If activation fails (wrong credentials or token), the attempt counter is incremented. After the maximum number of attempts is exceeded, or when the activation window expires, the account is automatically deleted and the user is notified.
Activation window: By default, users have 7 days to activate their account. This is configurable.
Maximum activation attempts: By default, users have 3 attempts to activate. This is configurable.
Stale registrations (those that exceed the activation window) are automatically cleaned up by a background task.
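The self-approval flow above can be modelled as a small state machine: a blocked account with a token, a created-at timestamp, an attempt counter, and a cleanup task. The following Python is an added illustration written for this page; it is not Panopticon's own code and it assumes the page's defaults (a 7-day window, 3 attempts) and a constructed in-memory store. Email sending is stood in for by a notification list, and the attempt counter is read as "deleted once the third attempt has failed". Token and password comparisons use constant-time comparison, which is the detail a reviewer would look for in an activation endpoint.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Defaults stated on the page; both are configurable in System Configuration.
ACTIVATION_WINDOW = timedelta(days=7)
MAX_ACTIVATION_ATTEMPTS = 3


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used here only to keep the illustration self-contained.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class PendingAccount:
    username: str
    pw_salt: bytes
    pw_hash: bytes
    token: str
    created_at: datetime
    attempts: int = 0
    blocked: bool = True


class Registry:
    """In-memory model of the email-activation flow (constructed example)."""

    def __init__(self) -> None:
        self.accounts: dict[str, PendingAccount] = {}
        self.notifications: list[str] = []  # stands in for the emails the page lists

    def register(self, username: str, password: str, now: datetime) -> str:
        salt = secrets.token_bytes(16)
        token = secrets.token_urlsafe(32)  # the security token placed in the activation link
        self.accounts[username] = PendingAccount(
            username, salt, hash_password(password, salt), token, now
        )
        self.notifications.append(f"activation:{username}")
        return token

    def _delete(self, username: str, reason: str) -> None:
        del self.accounts[username]
        self.notifications.append(f"{reason}:{username}")

    def activate(self, username: str, password: str, token: str, now: datetime) -> str:
        acct = self.accounts.get(username)
        if acct is None or not acct.blocked:
            return "unknown"
        if now - acct.created_at > ACTIVATION_WINDOW:
            self._delete(username, "expired")
            return "expired"
        # Constant-time comparisons: neither the token nor the password check
        # should leak how many leading bytes of a guess were correct.
        token_ok = hmac.compare_digest(acct.token.encode(), token.encode())
        pw_ok = hmac.compare_digest(acct.pw_hash, hash_password(password, acct.pw_salt))
        if token_ok and pw_ok:
            acct.blocked = False
            self.notifications.append(f"approved:{username}")
            return "activated"
        acct.attempts += 1
        if acct.attempts >= MAX_ACTIVATION_ATTEMPTS:
            self._delete(username, "deleted")
            return "deleted"
        return "rejected"

    def purge_stale(self, now: datetime) -> list[str]:
        """The background task: remove registrations past the activation window."""
        stale = [
            u for u, a in self.accounts.items()
            if a.blocked and now - a.created_at > ACTIVATION_WINDOW
        ]
        for username in stale:
            self._delete(username, "expired")
        return stale


if __name__ == "__main__":
    reg = Registry()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    tok = reg.register("alice", "correct horse battery staple", t0)
    print(reg.activate("alice", "correct horse battery staple", tok, t0 + timedelta(days=1)))
    print(reg.notifications)
```

Note that an expired account is removed on the first touch after the window closes, whether that touch is the user's activation attempt or the cleanup task; both paths send the same "expired" notification, mirroring the Registration Expired template later on this page.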
Security Features
CAPTCHA Providers
The registration form can include a CAPTCHA challenge to prevent automated registrations. Panopticon supports the following providers:
- ALTCHA (self-hosted proof-of-work) — The default. Uses a cryptographic proof-of-work challenge that runs entirely on your server. No third-party API keys needed.
- reCAPTCHA Invisible (Google) — Uses Google's reCAPTCHA v2 Invisible widget. Requires a site key and secret key from the Google reCAPTCHA admin console. Select the "Invisible reCAPTCHA v2" type when creating your keys.
- hCaptcha — Uses hCaptcha's invisible mode. Requires a site key and secret key from the hCaptcha dashboard.
- None — No CAPTCHA challenge. Not recommended for public-facing installations.
Configure the CAPTCHA provider and its API keys (where applicable) in the Registration section of System Configuration.
Forbidden Usernames
Panopticon includes a comprehensive built-in list of over 900 forbidden usernames to prevent abuse. This list includes common system terms (admin, root, administrator), HTTP status codes, CMS-related names, email service names, and other problematic usernames. This feature is enabled by default and can be toggled in the System Configuration.
You can also define a custom list of additional blocked usernames.
Email Domain Restrictions
You can restrict which email domains are allowed or disallowed for registration:
- Allowed domains: If set, only email addresses from these domains will be accepted. Leave empty to allow all domains.
- Disallowed domains: Email addresses from these domains will be rejected. Useful for blocking disposable email services.
Both lists accept comma-separated domain names.
Password Complexity
Registration enforces the same password security requirements as the rest of Panopticon:
- Minimum length of 12 characters.
- Complexity requirements enforced by the Complexify library.
- Optionally checked against the Have I Been Pwned database of leaked passwords (if enabled in System Configuration).
Default Group
You can assign newly registered users to a default user group. This determines their initial permissions. If no group is selected (set to 0), the user will not belong to any group and will have no site-level permissions until an administrator assigns them.
Email Templates
The registration feature uses five email templates, all of which can be customised in the Mail Templates page, which also documents the variables available to each template.
| Template | When sent |
|---|---|
| Registration Pending (Admin) | Sent to the user when admin approval is required |
| Registration: Notify Admin | Sent to administrators when a new registration awaits approval |
| Activation Email | Sent to the user in self-approval mode with activation link |
| Registration Approved | Sent to the user after account approval or successful activation |
| Registration Expired | Sent to the user when their activation has expired |