On 05/03/2010 04:34 PM, Denis Gervalle wrote:
> Hi devs,
>
> I would like to fix the current inconsistencies in the way the change
> password feature is implemented.
>
> Actually, to be able to change a password, you need to be able to save the
> document storing the XWikiUsers XObject. So edit right on the user profile
> is just what you require, but, if you want to use the "change password"
> feature implemented in passwd.vm, you need:
> - either being on your own profile or having global (!) admin right, just
> to see the "Change password" button
> - either being on your own profile or having (local) admin right on this
> profile, just to be able to use passwd.vm
>
> This seems to me really inconsistent, since these protections implemented in
> the UI part are either annoying or a false impression of security.
> So, I propose to simplify this by only checking the real requirements, which
> means only checking edit right on the user document?
>
> WDYT?
I don't like it so much. Even if the change is possible for random users, I wouldn't like them to see a big "change this user's password" button when looking at my profile. Most users of a wiki don't know how to change a password through the object editor, but they do know how to click on a link. It's not about security, it's about ease of access to this dangerous feature. Anyway, in most wikis only the owner and the admins have edit right on a profile, so it's the same thing in the end.

+1 for fixing the inconsistency in local/global admin rights.

-- 
Sergiu Dumitriu
http://purl.org/net/sergiu/

_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
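The shape of the fix Denis proposes, as an added Velocity example that is not code from this thread nor XWiki's actual passwd.vm: one predicate, the edit right on the profile document, evaluated the same way where the "Change password" link is rendered and where the change is performed, so the UI guard can never be looser or stricter than what saving the XWikiUsers object really requires. Assumed (not stated in the thread): `$doc` is the profile document being viewed, `$context.user` is the current user (`XWiki.XWikiGuest` when not logged in), `$request.password` and `$request.password2` are the submitted form fields, and `$xwiki.hasAccessLevel(right, user, docFullName)` plus the `#error`/`#info` macros from the XWiki scripting API are available.

```velocity
## Added example, not the thread's or XWiki's own passwd.vm.
## Compute the real requirement once: edit right on the profile document.
## Assumed: $doc, $context.user, $request.* and $xwiki.hasAccessLevel as
## described in the lead-in.
#set($profileDoc = $doc.fullName)
#set($currentUser = $context.user)
#set($canChangePassword = $xwiki.hasAccessLevel('edit', $currentUser, $profileDoc))

## --- profile view: show the link only when the real check passes ---
## (no "own profile or global admin" special case; an editor of the profile
##  could change the password through the object editor anyway)
#if($canChangePassword)
  <a href="$doc.getURL('view', 'xpage=passwd')">Change password</a>
#end

## --- passwd.vm: re-evaluate the same check before touching the object ---
## The UI link above is convenience only; this is the enforcement point,
## and the final $doc.save() requires edit right regardless.
#if(!$canChangePassword)
  #error("You are not allowed to change the password of $profileDoc")
#elseif("$!request.password" == '' || "$!request.password" != "$!request.password2")
  #error("The password is empty or the two entries do not match")
#else
  #set($userObj = $doc.getObject('XWiki.XWikiUsers'))
  #if(!$userObj)
    #error("$profileDoc does not hold an XWiki.XWikiUsers object")
  #else
    ## Storage of the password field (hashing) is left to the XWikiUsers
    ## class definition; this example only sets the property and saves.
    $userObj.set('password', $request.password)
    $doc.save('Password changed')
    #info("Password changed")
  #end
#end
```

Because both branches read the same `$canChangePassword` value, the "false impression of security" Denis describes cannot arise: a user who sees the link can complete the change, and a user who cannot complete it never sees the link. Sergiu's objection is about showing the link at all to anyone but the owner and admins; under this scheme that is governed purely by who holds edit right on the profile, which in most wikis is exactly those people.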

