incubator-jspwiki-dev mailing list archives

From "Florian Holeczek (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JSPWIKI-159) Getting an new password is only possible for one user per mail address
Date Sun, 09 Dec 2012 10:31:20 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13527397#comment-13527397 ]

Florian Holeczek commented on JSPWIKI-159:
------------------------------------------

Hmm... When opening this issue, I chose this subject intentionally, because it just describes a concrete problem which arises from the current design. There has been some discussion so far, shedding light on several aspects. A simple rename seems too simple to me; what about creating the following sub-tasks:

* Ensure 1:1 relationship between loginName and email address
  This includes updating documentation, with special regard to the different *Names' meanings and behaviours.
  Probably this is also a point for the ReleaseNotes, because existing user databases have to be adapted when updating. It's also a candidate for linking to JSPWIKI-130.

* Define and implement improved signup, password reset and email address change workflows
  Important constraints are: double checks (double opt-in) for every action, prevent DoS attacks against both existing users and the JSPWiki instance, minimize exposure to bots.
  For example:
  Signup: send a verification mail with a link that has to be followed in order to finish signup
  Password Reset: Which are the prerequisites to provide for initiation - loginName, email address, both? Afterwards, send a verification mail with a link that has to be followed in order to get a newly generated password by mail.
  Email Address Change: send a verification mail with a link that has to be followed in order to finish the change
  Again, this includes updating documentation.

                
> Getting an new password is only possible for one user per mail address
> ----------------------------------------------------------------------
>
>                 Key: JSPWIKI-159
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-159
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication&Authorization
>            Reporter: Florian Holeczek
>
> If there's more than one user with a given email address, it's only possible for one of these users to get a new password via email.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
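
Added example, not part of the original message and not JSPWiki code: a sketch of the double opt-in password reset proposed in the comment above. The pending reset is bound to the loginName rather than the email address, the stored password stays unchanged until the mailed link is followed, and requests are throttled per account. The class ResetFlow, its methods and the TTL and COOLDOWN values are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
/** Hypothetical sketch of a double opt-in password reset; not JSPWiki code. */
public class ResetFlow {
    private record Pending(String loginName, Instant expires) {}
    private static final Duration TTL = Duration.ofMinutes(30);     // assumed link lifetime
    private static final Duration COOLDOWN = Duration.ofMinutes(5); // assumed per-account limit
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, Pending> pendingByHash = new ConcurrentHashMap<>();
    private final Map<String, Instant> lastRequest = new ConcurrentHashMap<>();

    /** Step 1: returns the token to mail as a link, or null when throttled. The password is not touched here. */
    public String request(String loginName, Instant now) {
        Instant last = lastRequest.get(loginName);
        if (last != null && now.isBefore(last.plus(COOLDOWN))) return null;
        lastRequest.put(loginName, now);
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // Only a hash is stored, so a leaked table does not yield usable links.
        pendingByHash.put(sha256(token), new Pending(loginName, now.plus(TTL)));
        return token;
    }

    /** Step 2: the link was followed. Single use; returns the loginName to reset, or null. */
    public String confirm(String token, Instant now) {
        Pending p = pendingByHash.remove(sha256(token));
        return (p != null && now.isBefore(p.expires())) ? p.loginName() : null;
    }

    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        ResetFlow flow = new ResetFlow();
        Instant t0 = Instant.parse("2012-12-09T10:00:00Z");            // constructed sample time
        String token = flow.request("alice", t0);                      // constructed loginName
        System.out.println(flow.request("alice", t0.plusSeconds(60))); // second request inside the cooldown
        System.out.println(flow.confirm(token, t0.plusSeconds(120)));  // link followed within TTL
        System.out.println(flow.confirm(token, t0.plusSeconds(130)));  // same link followed again
    }
}
```

The caller generates and mails the new password only after confirm returns a loginName.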
