From: "Igor Bondarenko"
To: "[allura:tickets] " <6783@tickets.allura.p.re.sf.net>
Reply-To: "[allura:tickets] " <6783@tickets.allura.p.re.sf.net>
Subject: [allura:tickets] #6783 Create a process to reset forgotten passwords
Date: Tue, 05 Nov 2013 10:00:51 +0000


Closed #463. `je/42cc_6783`


[tickets:#6783] Create a process to reset forgotten passwords

Status: code-review
Labels: 42cc auth
Created: Tue Oct 22, 2013 02:50 PM UTC by Dave Brondsema
Last Updated: Wed Oct 23, 2013 06:15 AM UTC
Owner: nobody

Allura should have a link on the login page for people who have forgotten their username or password.

It should go to a form that asks them for their email address, and then if that email address is verified in the system and the user record isn't disabled, send an email to them. The email should include their username and a link to a reset page.

The reset page can use a secret hash url parameter to validate the user and let them reset their password. The hash should be stored in the database when the email was first sent. Also store the time that the email was sent, so that the hash is only valid for a certain time period (configurable in ini). For the password change form, let's re-use as much of the password change logic that already exists for logged-in users. Refactor if needed.

Use `config['site_name']` on the html and email templates, so that the experience is recognizable and comfortable for users.

Since auth is pluggable in Allura, this whole process needs to be optional. Perhaps the simplest thing would be a new property on `AuthenticationProvider` classes. Have it default to false, and the `LocalAuthenticationProvider` can set the "forgot password reset" property to true.


Sent from sourceforge.net because allura-dev@incubator.apache.org is subscribed to https://sourceforge.net/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/allura/admin/tickets/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.
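
The reset flow the ticket describes, as an added Python example (not Allura's code and not written by the ticket's author): a provider-level opt-in, a token issued only for verified, enabled accounts, and a send time that bounds validity. The attribute name `forgotten_password_process`, the `RESET_TTL` constant standing in for the ini setting, the in-memory user records, and the choice to store only a SHA-256 digest of the URL value are assumptions made here.

```python
import hashlib
import hmac
import secrets

RESET_TTL = 3600  # assumed stand-in for the ini-configurable validity period (seconds)

class AuthenticationProvider:
    forgotten_password_process = False  # hypothetical property name; off by default

class LocalAuthenticationProvider(AuthenticationProvider):
    forgotten_password_process = True

def sample_users():
    # Constructed records standing in for the user collection.
    rows = [("alice", "alice@example.com", True, False),
            ("bob", "bob@example.com", False, False),    # address not verified
            ("carol", "carol@example.com", True, True)]  # account disabled
    return [dict(username=n, email=e, verified=v, disabled=d,
                 reset_hash=None, reset_sent=None) for n, e, v, d in rows]

def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset(provider, users, email, now):
    """Return the token to put in the emailed link, or None if no mail is sent."""
    if not provider.forgotten_password_process:
        return None
    user = next((u for u in users if u["email"] == email), None)
    if user is None or not user["verified"] or user["disabled"]:
        return None
    token = secrets.token_urlsafe(32)     # unguessable URL parameter
    user["reset_hash"] = digest(token)    # assumption: only the digest is stored
    user["reset_sent"] = now              # send time bounds the validity window
    return token

def redeem_reset(users, token, now, ttl=RESET_TTL):
    """Return the username allowed to set a new password, or None."""
    candidate = digest(token)
    for user in users:
        stored = user["reset_hash"]
        if stored and hmac.compare_digest(stored, candidate):
            sent = user["reset_sent"]
            user["reset_hash"] = user["reset_sent"] = None  # single use
            if user["disabled"] or now - sent > ttl:
                return None
            return user["username"]
    return None
```

The request form should show the same response whether or not `request_reset` returned a token, so the form does not reveal which addresses have accounts.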
