[ https://issues.apache.org/jira/browse/JSPWIKI-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12595850#action_12595850 ]

Terry Steichen commented on JSPWIKI-266:
----------------------------------------

I think what Aaron's suggesting is that only selected individuals (such as 
members of the Admin group) can create profiles.  In contrast, Janne's 
suggestion (below) leaves the individual users with the task of tentatively 
creating their own profile, subject to approval (of a member of the Admin 
group).

Personally, I've modified my system so that ALL profile creations are handled 
by a member of the Admin group - no individual users can create their own.  
However, as I discussed in some recent postings ("re:Changed UserManager 
Behavior?" 06 May 2008), in order to do that I had to bypass some of JSPWiki's 
architectural assumptions (that only a profile's owner can create/modify their 
profile).

So, bottom line, no, I don't think the workflow strategy would be sufficient 
(if I understand Aaron's point properly).


> Add ability to restrict account creation
> ----------------------------------------
>
>                 Key: JSPWIKI-266
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-266
>             Project: JSPWiki
>          Issue Type: New Feature
>          Components: Authentication&Authorization
>            Reporter: Aaron Hamid
>
> This is a formal feature request (because I could not find an existing issue) 
> for the "Admin Creates User Profiles" Idea here:
> http://www.jspwiki.org/wiki/IdeaAdminCreatesUserProfiles
> One way to implement it would be that a different permission, 
> "createProfile", be added, still configurable in the jspwiki.policy file. 
> This way the desired policy could be configured such that the admin group has 
> the "createProfile" permission, while the Authenticated have their 
> "editProfile" permission.
> Workarounds are presented here 
> http://www.jspwiki.org/wiki/AllowOnlyAdministratorCreateUserAccounts but have 
> drawbacks, including allowing arbitrary junk accounts or forcing security to 
> be configured external to the application.
> The proposal above, a new "createProfile" permission, seems like a 
> straightforward way to address this concern directly in the product, expanding 
> its usefulness without weird workarounds.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
