RickR2H
12 Aug 2015

With this PR it is possible to switch the reset username and password option off in com_users and mod_login.

How to test:
Go to Users -> Manage and click the Options button on the top right of the screen

Turn the 'Allow User Registration' and 'Enable reset options' on and off. Check if the user registration, reset username and reset password checkboxes are turned on and off.

Because hiding the links doesn't disable the links themselves, the requests for both links could be sent anyway. To check that the URLs don't work anymore, first enable the "Enable reset options" switch and click the reset username and password links. Copy both links to a text document. Disable "Enable reset options" and paste both links into the browser. There should be a 404 error indicating that a reset is not possible.

RickR2H - open - 12 Aug 2015
RickR2H - change - 12 Aug 2015
Status: New → Pending
RickR2H - comment - 13 Aug 2015

Thanks @Bakual for the feedback! Changes added in the new commit!

Bakual - comment - 13 Aug 2015

Thanks.
I think you may want to have a check as well where the actual reset is performed. You're doing the checks currently only for showing the views. But someone could easily fake the form and send the request anyway. If you really want to prevent users from resetting their passwords, you need to prevent the execution of the code in the controller.
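
The distinction raised in the comment above, as an added example that is not code from this PR or from Joomla: a view-only check hides the link, while a controller check refuses the request itself. The `allowReset` name comes from this thread; the classes, functions, URL and default value are hypothetical.

```php
<?php
// Simplified stand-alone model, not Joomla code. 'allowReset' is the option
// name from this thread; all class and function names are hypothetical.

final class ResetDisabled extends RuntimeException {}

final class Config
{
    private array $values;

    public function __construct(array $values)
    {
        $this->values = $values;
    }

    // The default matters: a site that never saved the option must still behave
    // predictably (default of 1 = reset allowed is an assumption here).
    public function get(string $key, $default = null)
    {
        return array_key_exists($key, $this->values) ? $this->values[$key] : $default;
    }
}

// View layer: decides only whether the link is rendered.
function renderResetLink(Config $cfg): string
{
    return $cfg->get('allowReset', 1) ? '<a href="?task=reset.request">Forgot your password?</a>' : '';
}

// Controller layer: the check that stops a request sent without the form.
function handleResetRequest(Config $cfg, array $post): string
{
    if (!$cfg->get('allowReset', 1)) {
        throw new ResetDisabled('Password reset is disabled', 404);
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('Invalid e-mail address', 400);
    }
    return 'reset mail queued for ' . $email;
}

// Constructed input: reset switched off, POST submitted directly.
$cfg = new Config(['allowReset' => 0]);
echo 'link rendered: ', var_export(renderResetLink($cfg) !== '', true), PHP_EOL;
try {
    echo handleResetRequest($cfg, ['email' => 'user@example.org']), PHP_EOL;
} catch (ResetDisabled $e) {
    echo 'controller refused: ', $e->getCode(), ' ', $e->getMessage(), PHP_EOL;
}
```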

RickR2H - comment - 14 Aug 2015

@Bakual I'll look into that!

RickR2H - comment - 14 Aug 2015

@Bakual I added the check for both links in the controller. Hopefully it's the right way of implementing. I also updated the test instructions.

Bakual - comment - 14 Aug 2015

@RickR2H Looks fine, except that you forgot the default values for allowReset :)

RickR2H - comment - 14 Aug 2015

@Bakual Done ;D

Bakual - comment - 14 Aug 2015

:+1:

zero-24 - change - 16 Aug 2015
Category: Front End
RichardR2H - test_item - 17 Aug 2015 - Not tested
RichardR2H - comment - 17 Aug 2015

Works for me!


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7686.

RichardR2H - test_item - 17 Aug 2015 - Tested successfully
MSnoeren1995 - comment - 17 Aug 2015

@test Works fine for me!

MSnoeren1995 - test_item - 17 Aug 2015 - Tested successfully
zero-24 - change - 18 Aug 2015
Status: Pending → Ready to Commit
zero-24 - comment - 18 Aug 2015

Thanks for coding and testing. --> RTC

timhaeuser - test_item - 20 Aug 2015 - Tested successfully
wilsonge - comment - 20 Sep 2015

I strongly disagree with forbidding people to change their password. This is a security implication. I can understand why you would want to forbid users not to change their username. But stopping them from changing passwords is a horrific idea and even by giving site owners this option we are implicitly endorsing it. I am strongly against us merging this PR.

RickR2H - comment - 20 Sep 2015

@wilsonge I fully agree with you! For normal users who register on a site it's a vital functionality to change their password. The reason I wanted to implement this feature is due to the fact I've encountered multiple websites which use one password and username for multiple users, which I always strongly discourage by the way. As this happened 3 times to me now I thought it was time to implement this kind of feature. The last time for example, the company had multiple divisions with every division having its own special needs for the intranet website. So if you work in that division, you log in to the intranet site with the global division username and password only seeing the content and functionality for that particular division. To use this kind of functionality it is wise to switch the username and password reset off.

sovainfo - comment - 20 Sep 2015

This PR doesn't forbid users to change their passwords. It stops them from using Joomla core to do it.
Guess that those that use different authentication provide means for users to change their password.
Never heard about GMAIL or FACEBOOK stopping you from changing passwords because you configured Joomla site to disallow it.
Assume the Joomla account to be under control of software other than Joomla core.

RickR2H - comment - 20 Sep 2015

@sovainfo I never looked at it that way but you are right.

bertmert - comment - 20 Sep 2015

To forbid changes of user data of specific users via Joomla core a custom (really small) system/user plugin (onUserBeforeSave) is the better way I think.
And links can be hidden by CSS or overrides.

sovainfo - comment - 24 Sep 2015

Would consider that bad UX, even when done only for specific users. Consider it bad design to let the user do things and then tell them it is not allowed. Same applies to hiding using CSS. You shouldn't hide options, you should remove them. Make them unavailable to use, not only make them invisible.

RickR2H - comment - 24 Sep 2015

Just to put things into perspective. It's an option that is switched off by default and it is there to help users in particular situations, as with a lot of settings in Joomla...

roland-d - comment - 17 Oct 2015

I don't see the need for this option. Having the actual links work isn't that much of a problem, regular users are not going to type in the URL in their browser if you don't show them. If you really want to forbid it, this can be done via a plugin.

roland-d - comment - 25 Oct 2015

@RickR2H I am going to close this PR for the following reasons, first of all you agree this only happens on very rare occasions. Second it is not checked with other authentication mechanisms and finally, the same can be achieved via a plugin so there is an alternative available.

Thank you for your work on this PR and others for giving their feedback.

roland-d - change - 25 Oct 2015
Status: Ready to Commit → Closed
Closed_Date: 0000-00-00 00:00:00 → 2015-10-25 16:23:36
Closed_By: roland-d
roland-d - close - 25 Oct 2015
RickR2H - comment - 25 Oct 2015

@roland-d No problem! I get your point!
