These scripts are, I am pretty sure, redundant, as their function was subsumed by
register
.
--
TWiki:Main/CrawfordCurrie - 14 May 2007
Now you cannot reset your password anymore because you need a password to reset a password.
Peter raised this question on the
TWiki:Codev.RemovePasswdAndResetpasswdScripts and yet the code was checked in?????
--
TWiki:Main.KennethLavrsen - 15 May 2007
Actually he raised it after it was already checked in, but that's my fault for being too proactive, not his.
Text of my response to Lavr's critique:
...it is possible to exclude resetpasswd
from require valid-user
and use the ?LoginName=XyZ
parameter to indicate the username to reset. There is no interactive screen for the resetpasswd
script, and I have searched the doc and there is no mention of this use model anywhere. It's another one of those undocumented magical spells.
I re-added the resetpasswd
script. To correct the documentation of the apache use model is rather more important, however. I have re-used the bug number - elevating it to urgent, as this is an obvious gotcha/low hanging fruit.
Clearly users need to be
told about this use model. I propose two remedial steps:
- Provision of a standard 401
ErrorDocument
, which can be used in place of a redirect to TWikiRegsitration. The ErrorDocument should include a form that prompts for a username to reset the password.
- Documentation of this in TWikiInstallation
I changed the headline from "Get rid of
passwd
and
resetpasswd
scripts" raised the priority of this report from Normal to Urgent - I consider we should not release without adequate documentation of this - and changed the component to
Documentation Example 401 error document:
TWiki Authorization failed
If you need to reset your TWiki password, enter your Apache login name below and click "Reset My Password".
Your new password will be emailed to your registered email address.
(don't try it! it will reset your password and then you'll have to wait for the next synch with t.o for your login to work again!)
CC
We have to be careful with the
ErrorDocument. It has already been subject to concern about load when search engines like Google look up no longer existing topics. it is important that the redirects are not fed to something that causes additional Twiki execution. Ie. a static page instead of a real TWiki topic. Otherwise the search engine load increases again.
--
TWiki:Main.KennethLavrsen - 15 May 2007
I think it is better not to have the reset password form in the auth error page for these reasons:
- N/A for sites that use external auth (LDAP, AD, ...).
- Increases the likelihood that Joe Bloe resets the password for JohnSmith, resulting in an increased admin support load.
--
TWiki:Main.PeterThoeny - 15 May 2007 Think it through. Putting aside public sites - not our target demographic - IME there are four typical setups for internal sites:
- Uncertificated https: public site,
view
is authenticated, authenticated using apache + .htpasswd, users typically pre-registered - typical small company setup, 5-50 employees
- http: behind a firewall, publicly viewable, write authenticated using apache or template login + .htpasswd, users pre-registered - typical SME setup, 50-500 employees
- http: behind a firewall, authenticated via apache or template login + .htpasswd, voluntary registration
- http: behind a firewall, authenticated via LDAP or equivalent, compulsory or automatic registration - corporate intranet setup - 500- employees
Some observations about authentication failures:
- Users in all setups can be trusted not to reset other user's passwords. Even if they do, it gains them nothing, as the new password is mailed to the registered address.
- Redirect to a "get lost" error document is inappropriate in all setups
- Redirect to TWikiRegistration is only appropriate in setup 3
- Password reset in setup 4 requires a bespoke error document
So, I agree that for public sites - such as t.o and d.t.o - redirect to a password reset page is inappropriate, but redirect to TWikiRegstration
is. But I contend that for any site where a redirect to TWikiRegistration is
not appropriate, then redirect to a password reset page
is appropriate. Redirect to a "get lost" page is IME only for public sites with pre-registered users.
CC Kenneth takes this
- Enhance twiki config file and .htaccess default to contain commented out error document redirects to reset password and a static html doc in the root.
- Create the static html file
- Update ApacheConfigGenerator so you can choose between 3 settings
- Update installation guide accordingly
--
TWiki:Main.KennethLavrsen - 18 Jun 2007 It makes no sense to try and create a static html file. I have added the two options TWikiRegistration and ResetPassword. Also to the ApacheConfigGenerator. If people want a static html they will want something different in each case.
The discussion on the load this creates from search engines is more relevant for the 404 message (not found) and this is not the one we talk about here.
--
TWiki:Main.KennethLavrsen - 27 Aug 2007
(PS pasting signature in here also makes the TinyMCE jump to near the top of the topic. Grrr!)
Cleaned "WaitingFor" field.
--
TWiki:Main.GilmarSantosJr - 10 Aug 2008