User tests: Successful: Unsuccessful:
With this PR it is possible to switch the reset username and password option off in com_users and mod_login.
How to test:
Go to Users -> Manage and click the Options button on the top right op the screen
Turn the 'Allow User Registration' and 'Enable reset options' on and off. Check if the user registration, reset username an reset password checkboxes are turned on and off.
Because hiding the links doesn't disable the working of links, they request for both links could be sent anyway. To check if the URL's don't work anymore, first enable the "Enable reset options" switch and click the reset username and password link. Copy both links to a text document. Disable the "Enable reset options" and paste both links in the browser. There should be an 404 error indication that a reset is not possible.
Status | New | ⇒ | Pending |
Labels |
Added:
?
?
|
Labels |
Added:
?
?
|
Labels |
Added:
?
|
Thanks.
I think you may want to have a check as well where the actual reset is performed. You're doing the checks currently only for showing the views. But someone could easily fake the form and send the request anyway. If you really want to prevent users from resetting their passwords, you need to prevent the execution of the code in the controller.
Category | ⇒ | Front End |
Works for me!
Status | Pending | ⇒ | Ready to Commit |
Thanks for coding and testing. --> RTC
Labels |
Added:
?
|
Milestone |
Added: |
I strongly disagree with forbidding people to change their password. This is a security implication. I can understand why you would want to forbid users not to change their username. But stopping them from changing passwords is a horrific idea and even by giving site owners this option we are implicitly endorsing it. I am strongly against us merging this PR.
@wilsonge I fully agree with you! For a normal users who register on a site it's a vital functionality to change there password. The reason I wanted to implement this feature is due to the fact I've encountered multiple websites which uses one password and username for multiple users which I always strongly discourage by the way . As this happened 3 times to me now I thought is was time to implement this kind of feature. The last time for example, the company had multiple divisions with every division having the own specials needs for the intranet website. So if you work on that division, you log in to the intranet site with the global division username and password only seeing the content and functionality for that particular division. To use this kind of functionality it is wise to switch the username and password reset off.
This PR doesn't forbid users to change their passwords. It stops them from using Joomla core to do it.
Guess that those that use different authentication provide means for users to change their password.
Never heard about GMAIL or FACEBOOK stopping you from changing passwords because you configured Joomla site to disallow it.
Assume the Joomla account to be under control of software other than Joomla core.
To forbid changes of user data of specific users via Joomla core a custom (really small) system/user plugin (onUserBeforeSave) is the better way I think.
And links can be hidden by CSS or overrides.
Would consider that bad UX, even when done only for specific users. Consider it bad design to let the user do things and then tell them it is not allowed. Same applies to hiding using CSS. You shouldn't hide options, you should remove them. Make them unavailable to use, not only make them invisible.
Just to put things into perspective. It's an option that is switched off by default and it is there to help users in particular situations, as with a lot of settings in Joomla...
I don't see the need for this option. Having the actual links work isn't that much of a problem, regular users are not going to type in the URL in their browser if you don't show them. If you really want to forbid it, this can be done via a plugin.
@RickR2H I am going to close this PR for the following reasons, first of all you agree this only happens on very rare occasions. Second it is not checked with other authentication mechanisms and finally, the same can be achieved via a plugin so there is an alternative available.
Thank you for your work on this PR and others for giving their feedback.
Status | Ready to Commit | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-10-25 16:23:36 |
Closed_By | ⇒ | roland-d |
Labels |
Removed:
?
|
Milestone |
Removed: |
Thanks @Bakual for the feedback! Changes added in the new commit!