On Thu, 2 Sept 2021 at 11:27, Lee But <[email protected]> wrote:
> 1) Perhaps there is no need for a new template, just make it possible for
> an admin-registered user to follow a link to log in.
> Yes, a password with registration is a bad idea.
> Which methods are available for a user to log in without knowing their
> password if not sent by the admin?
>

"Forget password" link should work :))

> My bank sends verification codes via email, so I suppose there must be some
> way to use email securely.
>

Better way to send password in separate email
OR even better send it to alternative email or via SMS/Push (different channel)

"Forget password" will do it :) (with hash in URL as temporary password :))

> 2) I think the base url is enough, the same as the application.base.url
> key in configuration.
>

OK
Could you please create JIRA: https://issues.apache.org/jira/browse/OPENMEETINGS
(you need to be registered :)

>
> On Thu, Sep 2, 2021 at 3:33 AM Maxim Solodovnik <[email protected]>
> wrote:
>
>> There is no such thing as temporary password
>>
>> From a security perspective it is not a good idea to send login and password
>> via the same channel
>> And an extremely bad idea to send them in the same message
>>
>> I'm ready to add some changes to the registration template :)
>> Since email is being sent while registering
>>
>> 1) Do we need a separate template?
>> 2) Shall we add server URL to the current template?
>>
>>
>> On Sat, 28 Aug 2021 at 10:50, Lee But <[email protected]>
>> wrote:
>>
>>> I was just thinking; does the template need a line with the temporary
>>> password in it?
>>>
>>> *Your temporary password is <password>. You should change it when you
>>> complete your registration.*
>>>
>>> On Thu, Aug 26, 2021 at 8:39 AM Ali Alhaidary <
>>> [email protected]> wrote:
>>>
>>>>
>>>> On 8/26/21 8:46 AM, Maxim Solodovnik wrote:
>>>>
>>>> I would call it: security issue :)
>>>> IMO such destructive action like purging user should be very much
>>>> secured ....
>>>>
>>>> Admins periodically review user list and remove old, not fully
>>>> registered or not verified users. Also, a user needs to remove his contact
>>>> information if the application keeps interacting with him by email for
>>>> example, however, OM does not do that.
>>>>
>>>>
>>>> On Thu, 26 Aug 2021 at 12:44, Lee But <[email protected]>
>>>> wrote:
>>>>
>>>>> Isn't there a way to send an ID key in the invitation email that can
>>>>> automatically remove the record that matches the key. Or, match the email
>>>>> address?
>>>>>
>>>>> On Thu, Aug 26, 2021 at 5:36 AM Maxim Solodovnik <[email protected]>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, 26 Aug 2021 at 12:18, Lee But <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello Maxim,
>>>>>>>
>>>>>>> The <application.base.url> is just to point to the website that
>>>>>>> openmeetings is on so that the user can recognise it. Example, Maxim
>>>>>>> Solodovnik at www.openmeetings.apache.org has invited you to join
>>>>>>> their online meeting room(s).
>>>>>>> Perhaps, it would be better if the admin could create an
>>>>>>> 'organisation name' and have that in the invitation instead.
>>>>>>>
>>>>>>> The <URL>, would point directly to a page to change the password and
>>>>>>> complete registration.
>>>>>>>
>>>>>>
>>>>>> Well
>>>>>> Actually both URLs will be
>>>>>> https://om.alteametasoft.com/openmeetings/signin
>>>>>> This is why I'm asking :)
>>>>>>
>>>>>>
>>>>>>> What I mean by 'deregister' is to remove the information that the
>>>>>>> admin created: names, password and email address. That may not be clear.
>>>>>>>
>>>>>>> I suppose it could read, 'If you have received this invitation in
>>>>>>> error or do not wish to join the meeting room(s), please *click
>>>>>>> here* to deregister your information shown in this email.'
>>>>>>>
>>>>>>
>>>>>> As I wrote before
>>>>>> this is impossible without successful login
>>>>>> which is impossible without "change the password and complete
>>>>>> registration"
>>>>>> So the footer looks useless to me :(
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> On Thu, Aug 26, 2021 at 4:59 AM Maxim Solodovnik <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Thanks for the templates :)
>>>>>>>>
>>>>>>>> I'll do the following:
>>>>>>>>
>>>>>>>> 1) will create the key `send.invite.to.user.created.by.admin`
>>>>>>>> 2) will use "Formal version" to create the template
>>>>>>>> (you can modify it any time as described here
>>>>>>>> https://openmeetings.apache.org/EditTemplates.html)
>>>>>>>>
>>>>>>>> Couple of questions:
>>>>>>>> 1) why do we need both "<application.base.url>" and "<URL>"?
>>>>>>>> 2) why do we need this "If you have received this invitation in
>>>>>>>> error, please *click here* to deregister." footer? the only way to
>>>>>>>> de-register is to complete registration then to delete themselves ....
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, 25 Aug 2021 at 20:39, Ali Alhaidary <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> Nice :-)
>>>>>>>>>
>>>>>>>>> Ali
>>>>>>>>> On 8/25/21 3:07 PM, Lee But wrote:
>>>>>>>>>
>>>>>>>>> Hello Maxim,
>>>>>>>>>
>>>>>>>>> Here are two templates. One is formal, the other informal. I think
>>>>>>>>> it would be useful for admins to view default templates and create
>>>>>>>>> their own invitations as well.
>>>>>>>>> possible keys could be:
>>>>>>>>>
>>>>>>>>> send.formal.invite.to.user.created.by.admin
>>>>>>>>> send.casual.invite.to.user.created.by.admin
>>>>>>>>> send.custom.invite.to.user.created.by.admin
>>>>>>>>>
>>>>>>>>> In the examples below, the name order could be swapped according
>>>>>>>>> to the language being used.
>>>>>>>>>
>>>>>>>>> *****************
>>>>>>>>> Formal version
>>>>>>>>>
>>>>>>>>> *****************
>>>>>>>>>
>>>>>>>>> Dear <firstName> <lastName>,
>>>>>>>>>
>>>>>>>>> <adminFirstName> <adminLastName> at <application.base.url> has
>>>>>>>>> invited you to join their online meeting room(s).
>>>>>>>>>
>>>>>>>>> To complete your registration and use the room(s), please visit
>>>>>>>>> the link below and create a strong password.
>>>>>>>>>
>>>>>>>>> <URL>
>>>>>>>>>
>>>>>>>>> Your username for logging in is <username>.
>>>>>>>>>
>>>>>>>>> Thank you for joining our meeting rooms.
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>>
>>>>>>>>> <adminFirstName> <adminLastName>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> If you have received this invitation in error, please *click here*
>>>>>>>>> to deregister.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> *****************
>>>>>>>>> Casual version
>>>>>>>>>
>>>>>>>>> *****************
>>>>>>>>>
>>>>>>>>> Hi <firstName> <lastName>,
>>>>>>>>>
>>>>>>>>> <adminFirstName> <adminLastName> here from <application.base.url>.
>>>>>>>>> I’ve added you as a user to our online meeting room(s).
>>>>>>>>>
>>>>>>>>> To use the room(s), you need to complete your registration. Click
>>>>>>>>> the link below and create a strong password.
>>>>>>>>>
>>>>>>>>> <URL>
>>>>>>>>>
>>>>>>>>> Your username for logging in is <username>.
>>>>>>>>>
>>>>>>>>> Thanks for joining our meeting room(s).
>>>>>>>>>
>>>>>>>>> See you soon!
>>>>>>>>>
>>>>>>>>> <adminFirstName>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> If I’ve sent you this invitation by mistake, please *click here*
>>>>>>>>> to deregister.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wed, Aug 25, 2021 at 6:13 AM Maxim Solodovnik <
>>>>>>>>> [email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Maybe you can help to create a template for such email (as text)
>>>>>>>>>> here? :)
>>>>>>>>>> and maybe propose a configuration key name?
>>>>>>>>>>
>>>>>>>>>> `send.email.when.created.by.admin`? Maybe better ideas? :))
>>>>>>>>>>
>>>>>>>>>> On Wed, 25 Aug 2021 at 12:18, Lee But <
>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello Maxim,
>>>>>>>>>>>
>>>>>>>>>>> I'm testing with my own email addresses until I am sure that I
>>>>>>>>>>> have everything right.
>>>>>>>>>>> I think that would be great. Also, a link to the login page
>>>>>>>>>>> would be useful, as without it, users don't know the URL of the
>>>>>>>>>>> website.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Lee
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Aug 25, 2021 at 2:53 AM Maxim Solodovnik <
>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hello Lee,
>>>>>>>>>>>>
>>>>>>>>>>>> this is by design
>>>>>>>>>>>> these email settings are for self-registration only
>>>>>>>>>>>> Password is not being sent for security reasons
>>>>>>>>>>>>
>>>>>>>>>>>> As workaround your users can click "Forget password"
>>>>>>>>>>>> enter login/email and change the password
>>>>>>>>>>>>
>>>>>>>>>>>> We can add some additional setting to send email to newly
>>>>>>>>>>>> created users with instructions above :)
>>>>>>>>>>>> WDYT?
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, 24 Aug 2021 at 23:07, Lee But <
>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I turned off self-registering, and when I set up a user as
>>>>>>>>>>>>> admin, no verification email is sent despite the key being set to
>>>>>>>>>>>>> true.
>>>>>>>>>>>>> [image: image.png]
>>>>>>>>>>>>>
>>>>>>>>>>>>> Also, the email that contains the user's account details does
>>>>>>>>>>>>> not contain the password, nor a link to the openmeetings page, so
>>>>>>>>>>>>> they cannot log in.
>>>>>>>>>>>>> Here's the message:
>>>>>>>>>>>>>
>>>>>>>>>>>>> [image: image.png]
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thank you,
>>>>>>>>>>>>> Lee
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Best regards,
>>>>>>>>>>>> Maxim

--
Best regards,
Maxim
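
Added example, not part of the thread and not OpenMeetings code: the thread settles on mailing a link that carries a random value ("hash in URL") instead of a password, and asks whether a key in the invitation could remove the record. The Python below shows one way to issue such values as single-use, expiring tokens bound to one purpose, with only a SHA-256 digest stored server-side; the function names, the in-memory store, the purpose strings and the 24-hour lifetime are all assumptions.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL = 24 * 3600   # assumed lifetime of a mailed link, in seconds
PENDING = {}            # hypothetical store: token digest -> (user_id, purpose, expiry)


def token_digest(token: str) -> str:
    # Only the digest is kept server-side, so a leaked table holds no usable links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id: int, purpose: str, now: Optional[float] = None) -> str:
    """Create a random token bound to one user and one purpose
    ("complete-registration" or "deregister") and return it for the URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
    PENDING[token_digest(token)] = (user_id, purpose, now + TOKEN_TTL)
    return token


def redeem_token(token: str, purpose: str, now: Optional[float] = None) -> Optional[int]:
    """Return the user id if the token is known, unexpired and was issued for
    this purpose; consume it so the mailed link works only once."""
    now = time.time() if now is None else now
    key = token_digest(token)
    entry = PENDING.get(key)
    if entry is None:
        return None
    user_id, issued_for, expires = entry
    if now > expires:
        del PENDING[key]                        # drop expired links on first use
        return None
    if issued_for != purpose:
        return None                             # a deregister link cannot set a password
    del PENDING[key]                            # single use
    return user_id


def build_link(base_url: str, path: str, token: str) -> str:
    # base_url stands in for the application.base.url setting named in the thread;
    # path is a hypothetical endpoint name.
    return f"{base_url.rstrip('/')}/{path}?token={token}"
```

Because the token is bound to a purpose, the "click here to deregister" link and the "complete registration" link can be mailed together without one granting the other's action.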
