[OPEN-ILS-DEV] Self-serve password reset thoughts
Dan Scott
dan at coffeecode.net
Sun Mar 28 18:36:25 EDT 2010
I had a few minutes to pull together some thoughts on what we might want
from a self-serve password reset service and how it would be implemented
relatively securely at
http://evergreen-ils.org/dokuwiki/doku.php?id=dev:proposal:self_serve_password_reset

This feature is something that is highly desired in our consortium, and I
think it is something that should be supported out of the box. Our circ
staff are tired of resetting passwords!
One thing I noted is that actor.usr.email does not have a unique
constraint on it - presumably because a given set of users might share a
single email account (spouses or a family are the likely cases that
spring to mind).
This complicates things considerably on the self-serve end, as my
current thoughts didn't account for this. I'm tempted to initially
disable self-serve password resets for accounts that don't have a unique
email address, because of the possible hilarity that could ensue if
account #1 issued a reset request for account #2, knowing that they
would be able to intercept the email with the password reset link.
I'm certainly interested in feedback on these initial thoughts about a
self-serve password reset service. I'm hoping to have the time to
implement this over the next few weeks, if I can carve out the time from
other duties :)
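To make the shared-email problem concrete, here is a sketch of a reset flow that refuses to act unless the address maps to exactly one account, and that otherwise follows the usual hygiene (random token, stored only as a hash, time-limited, single use). This is an added example in Python, not code from Evergreen or from the proposal above; the `USERS` rows standing in for actor.usr, the `opac.example.org` link, `TOKEN_TTL`, and the function names are all assumptions made for the illustration.

```python
"""Illustrative self-serve password reset with an email-uniqueness check.

Added example, not Evergreen code. Assumptions: users are dicts standing in
for actor.usr rows; the token store is a dict keyed by SHA-256(token); mail
sending is a stub that appends to an outbox list.
"""
import hashlib
import secrets
from datetime import datetime, timedelta

TOKEN_TTL = timedelta(hours=1)  # assumed lifetime of a reset link

# Constructed sample: ids 1 and 2 share one mailbox, id 3 has a unique address.
USERS = [
    {"id": 1, "usrname": "alice", "email": "family@example.org", "passwd": "old1"},
    {"id": 2, "usrname": "bob",   "email": "family@example.org", "passwd": "old2"},
    {"id": 3, "usrname": "carol", "email": "carol@example.org",  "passwd": "old3"},
]


def _hash_token(token):
    # Only the hash is stored, so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, users, token_store, outbox, now):
    """Handle a reset request.

    Returns an internal outcome for logging and testing.  The message shown
    to the requester should be identical in every case so the endpoint does
    not confirm which addresses exist.
    """
    wanted = email.strip().lower()
    matches = [u for u in users if u["email"].lower() == wanted]
    if not matches:
        return "unknown"
    if len(matches) > 1:
        # The concern from the post: with a shared mailbox, user #1 could
        # request a reset for user #2 and read the link.  Refuse until the
        # address is unique rather than guess which account was meant.
        return "ambiguous"
    user = matches[0]
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, no padding
    token_store[_hash_token(token)] = {
        "usr": user["id"], "expires": now + TOKEN_TTL, "used": False,
    }
    outbox.append({"to": user["email"],
                   "link": "https://opac.example.org/reset?token=" + token})
    return "sent"


def complete_reset(token, new_password, users, token_store, now):
    """Consume a token and set the new password.  Returns True on success."""
    record = token_store.get(_hash_token(token))
    if record is None or record["used"] or now > record["expires"]:
        return False
    record["used"] = True  # single use, even if the password update failed
    for u in users:
        if u["id"] == record["usr"]:
            u["passwd"] = new_password  # real code would store a hash
            return True
    return False


def demo():
    """Run the shared, unknown, unique, replay and expiry cases; return outcomes."""
    users = [dict(u) for u in USERS]
    tokens, outbox = {}, []
    t0 = datetime(2010, 3, 28, 18, 36)
    shared = request_reset("family@example.org", users, tokens, outbox, t0)
    unknown = request_reset("nobody@example.org", users, tokens, outbox, t0)
    unique = request_reset("carol@example.org", users, tokens, outbox, t0)
    token = outbox[0]["link"].split("token=")[1]
    first = complete_reset(token, "new-pw", users, tokens, t0 + timedelta(minutes=5))
    replay = complete_reset(token, "evil", users, tokens, t0 + timedelta(minutes=6))
    request_reset("carol@example.org", users, tokens, outbox, t0)  # second link
    stale = outbox[1]["link"].split("token=")[1]
    expired = complete_reset(stale, "late", users, tokens,
                             t0 + TOKEN_TTL + timedelta(seconds=1))
    return {"shared": shared, "unknown": unknown, "unique": unique,
            "mails": len(outbox), "first": first, "replay": replay,
            "expired": expired, "carol_pw": users[2]["passwd"]}


if __name__ == "__main__":
    print(demo())
```

The "ambiguous" branch is the part that matters for the question raised above: a uniqueness constraint in the database would prevent the situation entirely, but while shared addresses are allowed, refusing the request (and telling those patrons to see circ staff) is safer than mailing a link that either account holder could use.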