Terry Steichen (JIRA) wrote:
No consistent means for maintaining a user's unique identity
------------------------------------------------------------
Key: JSPWIKI-267
URL: https://issues.apache.org/jira/browse/JSPWIKI-267
Project: JSPWiki
Issue Type: Bug
Components: Authentication&Authorization
Affects Versions: 2.6.2
Environment: All
Reporter: Terry Steichen
Now that we've modified JSPWiki to allow users to change not only
their Name but also their login name, I don't see any way for
a JSPWiki administrator to keep track of users over time. For many
reasons of administration, billing, user behavior management, I
think there should be some way to unambiguously identify a particular
user, no matter how often they may change their profile.
I'm pretty sure we don't want to permit people to modify their user
name once they've created it. I haven't looked into how this works
yet, but is there a flag that can be set to disable this "feature"?
If not, I think it would be a good addition -- my guess is that not
too many admins want to permit this since tracking users (especially
problematic ones) becomes immeasurably more difficult.
I'm also with Terry on this -- it's too much of a problem if people
can alter user names. I can easily imagine a bot going to town with
this one... (i.e., it sounds like a really big security hole)
Murray
...........................................................................
Murray Altheim <murray07 at altheim.com>
http://www.altheim.com/murray/
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk
Boundless wind and moon - the eye within eyes,
Inexhaustible heaven and earth - the light beyond light,
The willow dark, the flower bright - ten thousand houses,
Knock at any door - there's one who will respond.
-- The Blue Cliff Record