Add functionality to User create


(Pablo) #1

We want to add to the “user create” the functionality to send the password to the user and auto-generate the password like in other web systems.
Now you must enter a password, and that is not a good security practice.
Summary:

  • add sending the password by email to validate the email address
  • auto-generate the password (the admin doesn’t know it)

(Cédric Krier) #2

There is a fundamental flaw in sending a password by email because it is in clear text.
I think the flaw can be mitigated if it is a one-time password that is sent with an expiration date.
Also, sending email will be an option only once issue3553 is implemented, because it should be transactional.

I think this should not only be limited to the wizard but also to the form. The administrator should be able to reset a password in case the user forgot it.


(Cédric Krier) #3

Indeed I think we could use the session. This means that the user/password should be checked against the real password but also against the active session.

Also I think the workflow to reset the password will be to remove the current one and just send a session by email. Then when the user logs in, we have a wizard to set the password if the user has no password.
We could also have on the client side a way to request to reset the password and send it by email, but in this case we should not clear the password because it could become a way to deny the user.


(Pablo) #4

@ced I agree with all your comments: one-time password and the “The administrator should be able to reset a password in case the user forgot it”.
Maybe it will be useful that the user can recover the password without the administrator. Thanks


(Pablo) #5

There is a module of Nantic that maybe is useful for the development: https://bitbucket.org/nantic/trytond-password_expiry


(Luis Falcon) #6

Hi Pablo

Making Tryton PAM[1] aware would be nice. I wrote a proposal[2] some weeks ago.

Best!

1.- https://www.netbsd.org/docs/guide/en/chap-pam.html
2.- https://bugs.tryton.org/msg24736


(Cédric Krier) #7

With the customizable login process, the default login process could check if there is a password set for the user and if not request the one sent by email. So we don’t need to use a session but just a generated password stored in a separate table which expires quickly.
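
The scheme sketched in #3 and #7, as an added example that is not part of the thread or of the implementation in issue7037: a generated password kept only as a salted hash in a separate table with an expiry, consumed on first successful use, and a login check that tries the real password first and the generated one second. The `Store`, `issue_reset`, `check_login` and `RESET_TTL` names are assumptions for the example; an admin reset clears the current password, a self-service request keeps it so that a stranger cannot lock the user out by requesting resets.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

RESET_TTL = 15 * 60  # assumed lifetime of a generated password, in seconds


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked table does not reveal the generated password."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class Store:
    # users: login -> (salt, digest), or None when the user has no password set
    users: dict = field(default_factory=dict)
    # separate "reset" table: login -> (salt, digest, expires_at)
    resets: dict = field(default_factory=dict)


def set_password(store: Store, login: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    store.users[login] = (salt, _hash(password, salt))


def issue_reset(store: Store, login: str, now: float, clear_password: bool = False) -> str:
    """Generate a one-time password; only its hash and expiry are stored.
    clear_password=True is the admin reset; a self-service request keeps the
    current password so that unsolicited requests cannot lock the user out."""
    otp = secrets.token_urlsafe(16)
    salt = secrets.token_bytes(16)
    store.resets[login] = (salt, _hash(otp, salt), now + RESET_TTL)
    if clear_password:
        store.users[login] = None
    return otp  # what would be emailed; never written to the table


def check_login(store: Store, login: str, secret: str, now: float) -> bool:
    """Accept the real password if one is set; otherwise (or on mismatch)
    accept an unexpired generated password exactly once."""
    stored = store.users.get(login)
    if stored is not None and hmac.compare_digest(_hash(secret, stored[0]), stored[1]):
        return True
    entry = store.resets.get(login)
    if entry is None:
        return False
    salt, digest, expires_at = entry
    if now >= expires_at:
        del store.resets[login]  # expired entries are dropped, not honoured
        return False
    if not hmac.compare_digest(_hash(secret, salt), digest):
        return False
    del store.resets[login]  # single use; the login wizard then sets a real password
    return True
```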


(Cédric Krier) #8

I have made an implementation of this feature at https://bugs.tryton.org/issue7037


(Pablo) #9

Great! We will test it.


(Cédric Krier) #10

This topic was automatically closed after 13 days. New replies are no longer allowed.