Add functionality to User create

We want to add to the “user create” the functionality to send the password to the user and auto-generate the password, like in other web systems.
Now you must put a password and that is not a good security practice.
Summary:

  • add send password by email to validate email
  • auto generate password (admin doesn’t know it)
1 Like

There is a fundamental flaw in sending a password by email because it is clear text.
I think the flaw can be mitigated if it is a one-time password that is sent with an expiration date.
Also sending email will be an option only once issue3553 is implemented because it should be transactional.

I think this should not only be limited to the wizard but also to the form. The administrator should be able to reset a password in case the user forgot it.

Indeed I think we could use the session. This means that the user/password should be checked against the real password but also against the active session.

Also I think the workflow to reset the password will be to remove the current one and just send a session by email. Then when the user logs in, we have a wizard to set the password if the user has no password.
We could also have on the client side a way to request to reset the password and send it by email but in this case we should not clear the password because it could become a way to deny the user.

@ced I agree with all your comments: one-time password and the “The administrator should be able to reset a password in case the user forgot it”.
Maybe it will be useful that the user can recover the password without the administrator. Thanks

There is a module of Nantic that may be useful for the development: https://bitbucket.org/nantic/trytond-password_expiry

Hi Pablo

Making Tryton PAM[1] aware would be nice. I wrote a proposal[2] some weeks ago.

Bests !

1.- https://www.netbsd.org/docs/guide/en/chap-pam.html
2.- Message 24736 - Tryton issue tracker

With the customizable login process, the default login process could check if there is a password set for the user and if not request the one sent by email. So we don’t need to use a session but just a generated password stored in a separate table which expires quickly.
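
The login check described in this thread, written out in Python as an added example (not part of the thread and not Tryton's implementation): a generated one-time password is kept apart from the real password, expires, and is consumed on first use, and a self-service request does not clear the existing password. The `Users` class, its method names, the `RESET_TTL` value and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

RESET_TTL = 24 * 3600  # assumed lifetime in seconds; the thread only says "expires quickly"

def _digest(secret):
    # The reset value is random and high-entropy, so a plain hash is enough;
    # a user-chosen password goes through a slow salted KDF instead (_kdf).
    return hashlib.sha256(secret.encode()).digest()

class Users:
    """Hypothetical in-memory store; reset passwords live apart from real ones."""
    def __init__(self):
        self.passwords = {}  # login -> (salt, PBKDF2 hash); absent if no password set
        self.resets = {}     # login -> (SHA-256 of reset password, expiry timestamp)

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_password(self, login, password):
        salt = secrets.token_bytes(16)
        self.passwords[login] = (salt, self._kdf(password, salt))
        self.resets.pop(login, None)  # a pending reset is void once a password is set

    def issue_reset(self, login, clear_password=False, now=None):
        """Return the value to e-mail. Only an administrator reset clears the password;
        a self-service request keeps it so nobody can lock another user out."""
        now = time.time() if now is None else now
        if clear_password:
            self.passwords.pop(login, None)
        reset = secrets.token_urlsafe(16)
        self.resets[login] = (_digest(reset), now + RESET_TTL)
        return reset

    def login(self, login, secret, now=None):
        """Return 'ok', 'must_set_password' (run the set-password wizard) or None."""
        now = time.time() if now is None else now
        stored = self.passwords.get(login)
        if stored and hmac.compare_digest(self._kdf(secret, stored[0]), stored[1]):
            return "ok"
        pending = self.resets.get(login)
        if pending and now < pending[1] and hmac.compare_digest(_digest(secret), pending[0]):
            del self.resets[login]  # one-time: consumed on first successful use
            return "must_set_password"
        return None
```

Only the hash of the e-mailed value is stored, so a read of the reset table does not yield a usable credential.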

I have made an implementation of this feature at Issue 7037: Add reset password - Tryton issue tracker

1 Like

Great! We will test it

This topic was automatically closed after 13 days. New replies are no longer allowed.