Development #10658

Account management when the user has no password

Added by Mikaël Ates over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
14 Apr 2016
Due date:
% Done:

100%

Patch proposed:
Yes
Planning:
No

Description

If the user has no password:
  • change password : not visible
  • change email : visible but the form requires a password
  • delete account : visible but the form requires a password
Maybe we could change that to:
  • change password : visible -> but rather 'Set password'
  • change email : not visible or inactive
  • delete account : not visible or inactive

0001-Adapt-account-management-when-the-user-has-no-passwo.patch View (27.1 KB) Mikaël Ates, 29 Apr 2016 05:01 PM

Associated revisions

Revision 2ba49444 (diff)
Added by Mikaël Ates over 3 years ago

Adapt account management when the user has no password (fixes #10658).

History

#1 Updated by Mikaël Ates over 3 years ago

  • File 0001-Adapt-account-management-when-the-user-has-no-passwo.patch added
  • Patch proposed changed from No to Yes

#2 Updated by Benjamin Dauvergne over 3 years ago

There are deployments where we cannot allow people to change their password at all, I would like a difference:
  • password change is forbidden
  • user has no password

I think an implementation could be to add a new setting A2_CAN_CHANGE_PASSWORD and a new method to the user model named can_change_password() whose first implementation would just return the value of A2_CAN_CHANGE_PASSWORD, if A2_CAN_CHANGE_PASSWORD your patch is ok we keep it, if can_change_password() returns False we just do not show the password change forms. It should be combined with A2_CAN_RESET_PASSWORD (if A2_CAN_CHANGE_PASSWORD is False, whatever the value of A2_CAN_RESET_PASSWORD, it should be impossible to reset a password by mail).

Using a method on the User object should allow other frontends to return user models which do not allow resetting the password for whatever reason. My main use case is the LDAP backend where sometimes userPassword is not writable at all.
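The gating proposed in this comment, combined with the visibility rules from the ticket description, as an added sketch that is not the project's code. `User`, `LDAPUser`, `can_reset_password`, `account_actions`, the default setting values and the action labels are hypothetical; only `A2_CAN_CHANGE_PASSWORD`, `A2_CAN_RESET_PASSWORD`, `can_change_password()` and `has_usable_password` come from the thread.

```python
from dataclasses import dataclass

# Setting names are the ones proposed in the comment; the defaults are assumed.
SETTINGS = {"A2_CAN_CHANGE_PASSWORD": True, "A2_CAN_RESET_PASSWORD": True}


@dataclass
class User:
    """Hypothetical stand-in for the user model, not the project's class."""
    password: str = ""  # empty string models "user has no password"

    def has_usable_password(self):
        return bool(self.password)

    def can_change_password(self, settings=SETTINGS):
        # First implementation from the comment: return the global setting.
        return settings["A2_CAN_CHANGE_PASSWORD"]


class LDAPUser(User):
    """Hypothetical backend user whose userPassword may not be writable."""
    password_writable = False

    def can_change_password(self, settings=SETTINGS):
        return self.password_writable and super().can_change_password(settings)


def can_reset_password(user, settings=SETTINGS):
    # A forbidden change wins over A2_CAN_RESET_PASSWORD, whatever its value.
    return user.can_change_password(settings) and settings["A2_CAN_RESET_PASSWORD"]


def account_actions(user, settings=SETTINGS):
    """Return the account page entries to render, keyed by action name."""
    actions = {}
    if user.can_change_password(settings):
        # "Forbidden" and "no password" stay distinct: the latter sets one.
        actions["password"] = ("Change password" if user.has_usable_password()
                               else "Set password")
    if can_reset_password(user, settings):
        actions["reset_by_mail"] = "Reset password by mail"
    if user.has_usable_password():
        # These forms ask for the current password, so hide them without one.
        actions["email"] = "Change email"
        actions["delete"] = "Delete account"
    return actions
```
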

#3 Updated by Mikaël Ates over 3 years ago

  • File 0001-Adapt-account-management-when-the-user-has-no-passwo.patch added

There is already the setting A2_REGISTRATION_CAN_CHANGE_PASSWORD and password_change_view is protected with @decorators.setting_enabled('A2_REGISTRATION_CAN_CHANGE_PASSWORD').

I think that you mean with "first implementation" that determining password change capability per user is a second step. If it is the case, maybe we could open another ticket for this feature and keep for the moment the way it works with the setting A2_REGISTRATION_CAN_CHANGE_PASSWORD.

#4 Updated by Mikaël Ates over 3 years ago

  • File deleted (0001-Adapt-account-management-when-the-user-has-no-passwo.patch)

#5 Updated by Mikaël Ates over 3 years ago

  • File deleted (0001-Adapt-account-management-when-the-user-has-no-passwo.patch)

#7 Updated by Benjamin Dauvergne over 3 years ago

Ack.

#8 Updated by Mikaël Ates over 3 years ago

  • Status changed from New to Resolved (to be deployed)
  • % Done changed from 0 to 100

#9 Updated by Mikaël Ates over 3 years ago

  • Status changed from Resolved (to be deployed) to In progress

Rather than hiding the links when the user has no password, the forms must be modified so that they do not ask for the password.
Once #10802 is implemented, remove the user.has_usable_password conditions on the email change and account deletion links.

#10 Updated by Mikaël Ates over 3 years ago

  • Target version set to 2.2.0

#11 Updated by Mikaël Ates over 3 years ago

  • Status changed from In progress to Closed

Conditions removed in #10802.
