We are using a modified version of Cookbook.NewGroupBox [1] to let users create a NewGroup.HomePage and set a group password for edit/upload in NewGroup.GroupAttributes. The user only needs read access to the "Start a New Group" page, but gets re-prompted for the new edit password before the recipe saves NewGroup.HomePage. We want a way for users to recover from a forgotten password and are having difficulty working out how to implement a suitable scheme.

We envisage this will work as follows (open to suggestions for a better way and correction of any misunderstandings).

1. As part of creating a new group, prompt the user for an email address, which gets stored (unencrypted) in NewGroup.GroupAttributes. I think pmwiki only encrypts attribute values if the name starts with "passwd", otherwise they are stored in the clear. Send a welcome message to the address with the URL of the new group plus the password.

2. Add a "Forgot your password?" link to the standard pmwiki form that prompts the user to enter a password. When clicked, this will:

- generate a string of letters and numbers and set this as an attr password in NewGroup.GroupAttributes

- retrieve the stored email address and send it an email containing the generated attr password string and a link to an action=resetpasswd that requires the new attr password

3. When the user clicks the link, it takes her to a form that prompts for the attr password sent in the email and for a new password. The code will then:

- check that the attr password authorises the action

- set the edit and upload passwords to the entered new password value

- unset the attr password, so that if the email gets compromised, the password no longer works

- retrieve the email address and send it a confirming email with the new edit/upload password

I need advice on how to:

a. retrieve the email address from NewGroup.GroupAttributes (is this just a call to PageVar?)

b. check that the attr password is valid and that only the generated value allows the resetpasswd action

c. unset the attr password in a way that does not open NewGroup.GroupAttributes to editing by all and sundry

d. deal with the case where a user with an edit password has accessed NewGroup.GroupAttributes?action=attr

Comments? Have others solved a similar problem?

[1] http://www.pmwiki.org/wiki/Cookbook/NewGroupBox

--
John Rankin
Affinity Limited
T 64 4 495 3737
F 64 4 473 7991
M 021 RANKIN
john.ran...@affinity.co.nz
www.affinity.co.nz


_______________________________________________
pmwiki-devel mailing list
pmwiki-devel@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-devel
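
The token lifecycle in steps 2 and 3 of the message above (generate, check, unset), as an added example that is not part of the original post and not PmWiki or Cookbook code. It assumes plain PHP with no PmWiki calls: `$attrs` is a hypothetical in-memory stand-in for the values in NewGroup.GroupAttributes, `reset_hash`, `reset_expires` and the one-hour lifetime are invented for illustration, and it keeps a hash of the token in its own field rather than reusing the attr password slot the post proposes.

```php
<?php
// Added example. $attrs stands in for the stored group attributes (hypothetical).

const RESET_TTL = 3600; // assumed lifetime of a reset token, in seconds

// Step 2: create a one-time token; keep only its hash and an expiry time.
function issue_reset_token(array &$attrs, int $now): string {
    $token = bin2hex(random_bytes(16));             // 32 hex chars from the CSPRNG
    $attrs['reset_hash'] = hash('sha256', $token);  // the token itself is never stored
    $attrs['reset_expires'] = $now + RESET_TTL;
    return $token;                                  // goes into the email link only
}

// Step 3: verify the token, set the new passwords, then invalidate the token.
function redeem_reset_token(array &$attrs, string $token, string $newpw, int $now): bool {
    $stored  = $attrs['reset_hash'] ?? null;
    $expires = $attrs['reset_expires'] ?? 0;
    // No token outstanding, or it has expired: clear any remnant and refuse.
    if ($stored === null || $now > $expires) {
        unset($attrs['reset_hash'], $attrs['reset_expires']);
        return false;
    }
    // hash_equals compares in constant time, so timing does not leak the hash.
    if (!hash_equals($stored, hash('sha256', $token))) {
        return false;
    }
    // password_hash stands in for whatever hashing the wiki applies on save.
    $hash = password_hash($newpw, PASSWORD_DEFAULT);
    $attrs['passwdedit'] = $hash;
    $attrs['passwdupload'] = $hash;
    unset($attrs['reset_hash'], $attrs['reset_expires']); // single use
    return true;
}

// Constructed sample data and run: wrong token, valid token, then a replay.
$attrs = ['email' => 'owner@example.org', 'passwdedit' => 'old', 'passwdupload' => 'old'];
$now   = time();
$token = issue_reset_token($attrs, $now);
var_dump(redeem_reset_token($attrs, 'wrong-token', 'new secret', $now));
var_dump(redeem_reset_token($attrs, $token, 'new secret', $now + 60));
var_dump(redeem_reset_token($attrs, $token, 'new secret', $now + 120));
var_dump(password_verify('new secret', $attrs['passwdedit']));
```

Because the token is cleared on first successful use, a copy of the reset email read later cannot be replayed, which is the property step 3 asks for when it unsets the attr password.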
