[ https://issues.apache.org/jira/browse/JSPWIKI-159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13527397#comment-13527397 ]

Florian Holeczek commented on JSPWIKI-159:
------------------------------------------

Hmm... When opening this issue, I chose this subject intentionally, because it
just describes a concrete problem which arises from the current design. There
has been some discussion so far, shedding light on several aspects. A simple
rename seems too simple to me; what about creating the following sub-tasks:

* Ensure a 1:1 relationship between loginName and email address
  This includes updating documentation, with special regard to the different
  *Names' meanings and behaviours.
  Probably this is also a point for the ReleaseNotes, because existing user
  databases have to be adapted when updating. It's also a candidate for linking
  to JSPWIKI-130.

* Define and implement improved signup, password reset and email address change
  workflows
  Important constraints are: double checks (double opt-in) for every action,
  prevent DoS attacks against both existing users and the JSPWiki instance,
  minimize exposure to bots.
  For example:
  - Signup: send a verification mail with a link that has to be followed in
    order to finish signup.
  - Password Reset: Which are the prerequisites to provide for initiation -
    loginName, email address, both? Afterwards, send a verification mail with a
    link that has to be followed in order to get a newly generated password by
    mail.
  - Email Address Change: send a verification mail with a link that has to be
    followed in order to finish the change.
  Again, this includes updating documentation.

> Getting a new password is only possible for one user per mail address
> ---------------------------------------------------------------------
>
>                 Key: JSPWIKI-159
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-159
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication&Authorization
>            Reporter: Florian Holeczek
>
> If there's more than one user with a given email address, it's only possible 
> for one of these users to get a new password via email.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
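The password-reset sub-task above (look up the account, send a verification link, hand out a freshly generated password only after the link is followed) and the 1:1 loginName/email check it depends on, as an added example that is not JSPWiki code and not part of the JIRA thread. It is a self-contained Python sketch of that workflow: an in-memory user list and an `outbox` list stand in for JSPWiki's user database and mailer, and the names `PasswordResetService`, `PendingReset`, `legacy_lookup_by_email` and `find_duplicate_emails` are this example's own. It assumes, as one answer to the comment's open question, that a reset must be initiated with both loginName and email address.

```python
"""Double opt-in password reset with a 1:1 loginName/email migration check.

Constructed example: users, clock and mail outbox are all in memory.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 30 * 60      # verification link stays valid for 30 minutes
MAX_REQUESTS_PER_WINDOW = 3      # per loginName, to blunt mail-bombing of a user
WINDOW_SECONDS = 60 * 60
NEUTRAL_REPLY = "If the account exists, a verification mail has been sent."


@dataclass
class User:
    login_name: str
    email: str
    password_hash: str = ""


@dataclass
class PendingReset:
    login_name: str
    expires_at: float


def _norm(email):
    return email.strip().lower()


def legacy_lookup_by_email(users, email):
    """The behaviour the issue describes: a lookup keyed on email alone returns
    the first match, so a second user sharing the address can never be found."""
    for u in users:
        if _norm(u.email) == _norm(email):
            return u
    return None


def find_duplicate_emails(users):
    """Migration check for the 1:1 rule (the ReleaseNotes point): returns
    {email: [loginNames]} for every address shared by more than one account."""
    by_email = defaultdict(list)
    for u in users:
        by_email[_norm(u.email)].append(u.login_name)
    return {e: names for e, names in by_email.items() if len(names) > 1}


def _digest(token):
    # Only a hash of the token is stored, so a leaked pending table is useless.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${dk.hex()}"


class PasswordResetService:
    def __init__(self, users, clock=time.time):
        self.users = {u.login_name: u for u in users}   # keyed on loginName
        self.clock = clock                              # injectable for tests
        self.pending = {}                               # token digest -> PendingReset
        self.requests = defaultdict(list)               # loginName -> timestamps
        self.outbox = []                                # (recipient, body)

    def _rate_limited(self, login_name):
        now = self.clock()
        recent = [t for t in self.requests[login_name] if now - t < WINDOW_SECONDS]
        self.requests[login_name] = recent
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            return True
        recent.append(now)
        return False

    def request_reset(self, login_name, email):
        """Step 1: both loginName and email are required (assumption). The reply
        is identical in every case, so the form does not reveal which accounts
        or addresses exist."""
        user = self.users.get(login_name)
        if user is None or not hmac.compare_digest(
                _norm(user.email).encode(), _norm(email).encode()):
            return NEUTRAL_REPLY
        if self._rate_limited(login_name):
            return NEUTRAL_REPLY
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = PendingReset(
            login_name, self.clock() + TOKEN_TTL_SECONDS)
        self.outbox.append((user.email, f"reset-link?token={token}"))
        return NEUTRAL_REPLY

    def confirm_reset(self, token):
        """Step 2: the mailed link is followed. The token is single-use (popped)
        and time-limited; only then is a new password generated and mailed."""
        entry = self.pending.pop(_digest(token), None)
        if entry is None or entry.expires_at < self.clock():
            return None
        user = self.users[entry.login_name]
        new_password = secrets.token_urlsafe(12)
        user.password_hash = _hash_password(new_password)
        self.outbox.append((user.email, f"your new password: {new_password}"))
        return new_password

    def verify_password(self, login_name, password):
        stored = self.users[login_name].password_hash
        salt_hex = stored.split("$", 1)[0]
        candidate = _hash_password(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate.encode(), stored.encode())
```

Because the service is keyed on loginName rather than email, two accounts that still share an address can each complete a reset; `find_duplicate_emails` is the check an administrator would run on an existing user database before enforcing the 1:1 rule.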