Hello Bruno, This is getting quite specific. In that case, I think a third-party, pluggable application is a better way to do this.
Best regards, -- Aymeric. > On 17 Nov 2016, at 13:38, Bruno Ribeiro da Silva <[email protected]> > wrote: > > Guys, > > Thanks for the feedback. My initial thought was to have a more complete > approach to this problem, there is always the case that the admin who is > creating the user doesn't know the person's full name and/or what to use for > username. > > This is the flow that I had in mind: > > - Admin goes to user list page > - Next to the "ADD USER +" button we would have an "INVITE NEW USER" button > - At the invite page the admin would only have to insert the person's email > address. Optionally he could check if this new user would be a super user > and/or staff. > - At the invitation (link sent by email) page the user would be able to fill > the rest of the information, like: username, first name, last name and > password. > > I know this approach requires more work but I think it would be nice to free > the admin from the burden of having to fill all necessary information. > > > 2016-11-17 6:44 GMT-02:00 Curtis Maloney <[email protected] > <mailto:[email protected]>>: > My solution to the "initial password problem" is to send a password reset > token first... > > And Django has this built in, handily :) > > http://musings.tinbrain.net/blog/2014/sep/21/registration-django-easy-way/ > <http://musings.tinbrain.net/blog/2014/sep/21/registration-django-easy-way/> > > It would be very easy to use the same approach for an "invite" registration > pattern. > > -- > C > > > On 17/11/16 19:38, Aymeric Augustin wrote: > Hello, > > On 16 Nov 2016, at 21:22, Anthony King <[email protected] > <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> wrote: > > Sending a link to set a password isn't much better. > > The cardinal rule of passwords is “you must be the only person who knows > your password”. This means never writing it down anywhere, except in a > proper password manager, and never telling it to anyone, *even* your IT > staff — to fight social engineering attacks. > > Sending a password in clear over email means the IT staff is okay with > knowing the user's password. Disregarding their own guidelines sets a > poor example and reduces their credibility about password management in > general. > > Of course, on most Django websites, someone who can create a staff user > can also change the user’s password — it’s rare to give the “create > user” but not the “change user” permission. I’m not making a technical > argument here, I’m thinking of IT literacy and educating users. > > Perhaps a way to force a password change on login would be better, > which has more use elsewhere, such as being able to periodically force > password changes > > Forcing a password change on login is another interesting idea to solve > this problem. That’s what ActiveDirectory has to do, because OSes don’t > have the same password reset possibilities that web applications have. > > However I think that would mean solving the general problem of password > rotation. Django solved password validation recently; it could solve > password rotation next. (Note that password rotation is controversial > because it forces users to choose weak passwords with a basic rotation > scheme like putting month number at the end, instead of storing strong > random password in a password manager. Trade-offs.) > > I still think a simple solution hooking into the current password reset > mechanism, just with a different email template, could be a quick > security win for a lot of Django sites. I’d encourage people to use it > if it existed. > > Best regards, > > -- > Aymeric. > > -- > You received this message because you are subscribed to the Google > Groups "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to [email protected] > <mailto:django-developers%[email protected]> > <mailto:[email protected] > <mailto:django-developers%[email protected]>>. > To post to this group, send email to [email protected] > <mailto:[email protected]> > <mailto:[email protected] > <mailto:[email protected]>>. > Visit this group at https://groups.google.com/group/django-developers > <https://groups.google.com/group/django-developers>. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-developers/76AE3F1E-6C00-4E4E-86A7-4E1374FF20AF%40polytechnique.org > > <https://groups.google.com/d/msgid/django-developers/76AE3F1E-6C00-4E4E-86A7-4E1374FF20AF%40polytechnique.org> > <https://groups.google.com/d/msgid/django-developers/76AE3F1E-6C00-4E4E-86A7-4E1374FF20AF%40polytechnique.org?utm_medium=email&utm_source=footer > > <https://groups.google.com/d/msgid/django-developers/76AE3F1E-6C00-4E4E-86A7-4E1374FF20AF%40polytechnique.org?utm_medium=email&utm_source=footer>>. > For more options, visit https://groups.google.com/d/optout > <https://groups.google.com/d/optout>. > > -- > You received this message because you are subscribed to the Google Groups > "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected] > <mailto:django-developers%[email protected]>. > To post to this group, send email to [email protected] > <mailto:[email protected]>. > Visit this group at https://groups.google.com/group/django-developers > <https://groups.google.com/group/django-developers>. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-developers/694f60cb-bcd8-cc32-fd8b-c060c7a54415%40tinbrain.net > > <https://groups.google.com/d/msgid/django-developers/694f60cb-bcd8-cc32-fd8b-c060c7a54415%40tinbrain.net>. > > For more options, visit https://groups.google.com/d/optout > <https://groups.google.com/d/optout>. > > > > -- > Bruno Ribeiro da Silva > Python Dev and Homebrewer! > > -- > You received this message because you are subscribed to the Google Groups > "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected] > <mailto:[email protected]>. > To post to this group, send email to [email protected] > <mailto:[email protected]>. > Visit this group at https://groups.google.com/group/django-developers > <https://groups.google.com/group/django-developers>. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-developers/CAE-2%3DJwKiSSjs216DNQh3BCU_S4B0f%2B1Yk6Ey-bdAXaGLckm%2Bg%40mail.gmail.com > > <https://groups.google.com/d/msgid/django-developers/CAE-2%3DJwKiSSjs216DNQh3BCU_S4B0f%2B1Yk6Ey-bdAXaGLckm%2Bg%40mail.gmail.com?utm_medium=email&utm_source=footer>. > For more options, visit https://groups.google.com/d/optout > <https://groups.google.com/d/optout>. -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/BEF97909-9891-4F1C-A1CD-CAB25720DA2E%40polytechnique.org. For more options, visit https://groups.google.com/d/optout.
