Two-step ActivationView runs activate() on HTTP GET

[djramones]

Altering database state on GET requests is frowned upon. (Django, for example, is already deprecating logout via GET.)

Besides being a matter of HTTP spec compliance, there is a known issue with email services preprocessing/crawling links in the email body, causing one-time links to be invalidated before the user gets to click them. For django-registration this has been reported in a comment on closed issue #104.

My workaround for this currently is to simply tell the user in activation_complete.html, if ActivationError code == "already_activated", that their email service could have done this and that they can already log in. At the infra level perhaps folks could also run some bot/crawler countermeasures on the activation URL path, though that's a bit more involved.

The proper fix I think is to run activate() only on POST, like what Django's DeleteView does. GET should only present a form/button, and the user needs to click to confirm activation. This also presents an opportunity for customizations like requiring a captcha solve, though I guess it's also a backwards-incompatible change.

Sorry if this is a duplicate issue, the closest report I found is #104.

[ubernostrum]

This is a thing I've been thinking about for a while, but any solution has to wait for a major version bump due to being backwards-incompatible, so I'm going to leave this open as a reminder for when the 4.0 release is being planned.

[MSP-Stev]

I have the same problem, but its caused by security software. The mail will be checked and the url is scanned for potential risks.

PS: I have also received registration emails where you have to enter a code, so nothing new :)