Bob Lannoy wrote
>
>> Exactly: if you don't want "conversion" from UserRequest to User, then just
>> give anyone the possibility to create / update / delete users: ...a bit weak
>> security-wise, isn’t it?
>
> Well, that's why I would use the workflow to handle special cases where
> this would be acceptable. (e.g. auto registration + confirmation token
> email)
> Access to non-sensitive applications where the only requirement would
> be to have simple authentication & a default role.
> But I'll implement it in my own interface.
>
Aaaaah, now I finally understand!
Sorry, the last days have been plenty of release bits :-P

Well, I think that:

* if you just want to allow anyone to perform self-registration and then
  start user workflow with some double opt-in (the confirmation token email
  stuff), why don't you just customize the self-registration form from the
  admin console to actually create a user instead of creating a UserRequest
  object? You will also need to override the default console behavior where
  each REST call is made with the credentials of the authenticated user (this
  won't work for anonymous, of course) and do this particular call, instead,
  with an admin user.

* It could be a simple yet powerful addition to the roadmap to make
  configurable whether UserRequest objects (create / update / delete) need to
  be approved or not.

WDYT?

Regards.

--
View this message in context: http://syncope-user.1051894.n5.nabble.com/Userrequest-flow-tp5667761p5672185.html
Sent from the syncope-user mailing list archive at Nabble.com.
