Account management when the user has no password
- change password : not visible
- change email : visible but the form requires a password
- delete account : visible but the form requires a password
- change password : visible -> but rather 'Set password'
- change email : not visible or inactive
- delete account : not visible or inactive
#2 Updated by Benjamin Dauvergne over 3 years ago
- password change is forbidden
- user has no password
I think an implementation could be to add a new setting A2_CAN_CHANGE_PASSWORD and a new method to the user model named can_change_password() whose first implementation would just return the value of A2_CAN_CHANGE_PASSWORD; if A2_CAN_CHANGE_PASSWORD, your patch is ok and we keep it; if can_change_password() returns False we just do not show the password change forms. It should be combined with A2_CAN_RESET_PASSWORD (if A2_CAN_CHANGE_PASSWORD is False, whatever the value of A2_CAN_RESET_PASSWORD, it should be impossible to reset a password by mail).
Using a method on the User object should allow other frontends to return user models which do not allow resetting the password for whatever reason. My main use case is the LDAP backend where sometimes userPassword is not writable at all.
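The policy proposed in comment #2, as an added sketch that is not authentic2 code and not written by any participant in this ticket. The `SETTINGS` dict, the `User` and `LDAPUser` classes, the `user_password_writable` field and `account_actions()` are hypothetical stand-ins for the Django settings and user models.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for Django settings. A2_CAN_CHANGE_PASSWORD is the
# setting proposed in the comment; both values here are sample values.
SETTINGS = {"A2_CAN_CHANGE_PASSWORD": True, "A2_CAN_RESET_PASSWORD": True}


@dataclass
class User:
    """Hypothetical user model; password=None models 'user has no password'."""
    password: Optional[str] = None

    def has_usable_password(self) -> bool:
        return self.password is not None

    def can_change_password(self) -> bool:
        # "First implementation": only reflect the global setting.
        return SETTINGS["A2_CAN_CHANGE_PASSWORD"]

    def can_reset_password(self) -> bool:
        # Reset by mail is impossible when change is forbidden,
        # whatever the value of A2_CAN_RESET_PASSWORD.
        return self.can_change_password() and SETTINGS["A2_CAN_RESET_PASSWORD"]


@dataclass
class LDAPUser(User):
    """Hypothetical backend model where userPassword may not be writable."""
    user_password_writable: bool = False

    def can_change_password(self) -> bool:
        return super().can_change_password() and self.user_password_writable


def account_actions(user: User) -> dict:
    """Decide which password-related entries the account page offers."""
    if not user.can_change_password():
        password_form = None  # do not show the password change forms
    elif user.has_usable_password():
        password_form = "change"
    else:
        password_form = "set"  # no password yet: 'Set password'
    return {"password_form": password_form,
            "reset_by_mail": user.can_reset_password()}
```

Because the reset check goes through `can_change_password()`, a backend that overrides that one method also closes the reset-by-mail path without a second setting check.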
#3 Updated by Mikaël Ates over 3 years ago
- File 0001-Adapt-account-management-when-the-user-has-no-passwo.patch added
There is already the setting A2_REGISTRATION_CAN_CHANGE_PASSWORD, and password_change_view is protected with @decorators.setting_enabled('A2_REGISTRATION_CAN_CHANGE_PASSWORD').
I think that by "first implementation" you mean that the password change capability could be determined per user in a second step. If that is the case, maybe we could open another ticket for this feature and keep, for the moment, the way it works with the setting A2_REGISTRATION_CAN_CHANGE_PASSWORD.
#6 Updated by Mikaël Ates over 3 years ago
#8 Updated by Mikaël Ates over 3 years ago
- Status changed from New to Resolved (to be deployed)
- % Done changed from 0 to 100
Applied by commit authentic2|2ba49444042e560ef1cba943c1fb6f7af00946c0.
#9 Updated by Mikaël Ates over 3 years ago
- Status changed from Resolved (to be deployed) to In progress
Rather than hiding the links when the user has no password, the forms must be modified so that they do not ask for the password.
When #10802 is implemented, remove the user.has_usable_password conditions on the change email and delete account links.