Done: https://issues.apache.org/jira/browse/OPENMEETINGS-2658
On Thu, Sep 2, 2021 at 6:11 AM Maxim Solodovnik <[email protected]> wrote:

> On Thu, 2 Sept 2021 at 11:27, Lee But <[email protected]> wrote:
>
>> 1) Perhaps there is no need for a new template, just make it possible for an admin-registered user to follow a link to log in.
>> Yes, a password with registration is a bad idea.
>> Which methods are available for a user to log in without knowing their password if not sent by the admin?
>
> "Forget password" link should work :))
>
>> My bank sends verification codes via email, so I suppose there must be some way to use email securely.
>
> Better way to send password in separate email
> OR even better send it to alternative email or via SMS/Push (different channel)
>
> "Forget password" will do it :) (with hash in URL as temporary password :))
>
>> 2) I think the base url is enough, the same as the application.base.url key in configuration.
>
> OK
> Could you please create JIRA: https://issues.apache.org/jira/browse/OPENMEETINGS (you need to be registered :)
>
>> On Thu, Sep 2, 2021 at 3:33 AM Maxim Solodovnik <[email protected]> wrote:
>>
>>> There is no such thing as temporary password
>>>
>>> From security perspective it is not good idea to send login and password via same channel
>>> And extremely bad idea to send them in same message
>>>
>>> I'm ready to add some changes to the registration template :)
>>> Since email is being sent while registering
>>>
>>> 1) Do we need a separate template?
>>> 2) Shall we add server URL to the current template?
>>>
>>> On Sat, 28 Aug 2021 at 10:50, Lee But <[email protected]> wrote:
>>>
>>>> I was just thinking; does the template need a line with the temporary password in it?
>>>>
>>>> *Your temporary password is <password>. You should change it when you complete your registration.*
>>>>
>>>> On Thu, Aug 26, 2021 at 8:39 AM Ali Alhaidary <[email protected]> wrote:
>>>>
>>>>> On 8/26/21 8:46 AM, Maxim Solodovnik wrote:
>>>>>
>>>>> I would call it: security issue :)
>>>>> IMO such destructive action like purging user should be very much secured ....
>>>>>
>>>>> Admins periodically review user list and remove old, not fully registered or not verified users. Also, a user needs to remove his contact information if the application keeps interacting with him by email for example, however, OM does not do that.
>>>>>
>>>>> On Thu, 26 Aug 2021 at 12:44, Lee But <[email protected]> wrote:
>>>>>
>>>>>> Isn't there a way to send an ID key in the invitation email that can automatically remove the record that matches the key. Or, match the email address?
>>>>>>
>>>>>> On Thu, Aug 26, 2021 at 5:36 AM Maxim Solodovnik <[email protected]> wrote:
>>>>>>
>>>>>>> On Thu, 26 Aug 2021 at 12:18, Lee But <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hello Maxim,
>>>>>>>>
>>>>>>>> The <application.base.url> is just to point to the website that openmeetings is on so that the user can recognise it. Example, Maxim Solodovnik at www.openmeetings.apache.org has invited you to join their online meeting room(s).
>>>>>>>> Perhaps, it would be better if the admin could create an 'organisation name' and have that in the invitation instead.
>>>>>>>>
>>>>>>>> The <URL>, would point directly to a page to change the password and complete registration.
>>>>>>>
>>>>>>> Well
>>>>>>> Actually both URLs will be https://om.alteametasoft.com/openmeetings/signin
>>>>>>> This is why I'm asking :)
>>>>>>>
>>>>>>>> What I mean by 'deregister' is to remove the information that the admin created: names, password and email address. That may not be clear.
>>>>>>>>
>>>>>>>> I suppose it could read, 'If you have received this invitation in error or do not wish to join the meeting room(s), please *click here* to deregister your information shown in this email.'
>>>>>>>
>>>>>>> As I wrote before
>>>>>>> this is impossible without successful login
>>>>>>> which is impossible without "change the password and complete registration"
>>>>>>> So the footer looks useless to me :(
>>>>>>>
>>>>>>>> On Thu, Aug 26, 2021 at 4:59 AM Maxim Solodovnik <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Thanks for the templates :)
>>>>>>>>>
>>>>>>>>> I'll do the following:
>>>>>>>>>
>>>>>>>>> 1) will create the key `send.invite.to.user.created.by.admin`
>>>>>>>>> 2) will use "Formal version" to create the template
>>>>>>>>> (you can modify it any time as described here https://openmeetings.apache.org/EditTemplates.html)
>>>>>>>>>
>>>>>>>>> Couple of questions:
>>>>>>>>> 1) why do we need both "<application.base.url>" and "<URL>"?
>>>>>>>>> 2) why do we need this "If you have received this invitation in error, please *click here* to deregister." footer? the only way to de-register is to complete registration then to delete themselves ....
>>>>>>>>>
>>>>>>>>> On Wed, 25 Aug 2021 at 20:39, Ali Alhaidary <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Nice :-)
>>>>>>>>>>
>>>>>>>>>> Ali
>>>>>>>>>> On 8/25/21 3:07 PM, Lee But wrote:
>>>>>>>>>>
>>>>>>>>>> Hello Maxim,
>>>>>>>>>>
>>>>>>>>>> Here are two templates. One is formal, the other informal. I think it would be useful for admins to view default templates and create their own invitations as well.
>>>>>>>>>> Possible keys could be:
>>>>>>>>>>
>>>>>>>>>> send.formal.invite.to.user.created.by.admin
>>>>>>>>>> send.casual.invite.to.user.created.by.admin
>>>>>>>>>> send.custom.invite.to.user.created.by.admin
>>>>>>>>>>
>>>>>>>>>> In the examples below, the name order could be swapped according to the language being used.
>>>>>>>>>>
>>>>>>>>>> *****************
>>>>>>>>>> Formal version
>>>>>>>>>> *****************
>>>>>>>>>>
>>>>>>>>>> Dear <firstName> <lastName>,
>>>>>>>>>>
>>>>>>>>>> <adminFirstName> <adminLastName> at <application.base.url> has invited you to join their online meeting room(s).
>>>>>>>>>>
>>>>>>>>>> To complete your registration and use the room(s), please visit the link below and create a strong password.
>>>>>>>>>>
>>>>>>>>>> <URL>
>>>>>>>>>>
>>>>>>>>>> Your username for logging in is <username>.
>>>>>>>>>>
>>>>>>>>>> Thank you for joining our meeting rooms.
>>>>>>>>>>
>>>>>>>>>> Best regards,
>>>>>>>>>>
>>>>>>>>>> <adminFirstName> <adminLastName>
>>>>>>>>>>
>>>>>>>>>> If you have received this invitation in error, please *click here* to deregister.
>>>>>>>>>>
>>>>>>>>>> *****************
>>>>>>>>>> Casual version
>>>>>>>>>> *****************
>>>>>>>>>>
>>>>>>>>>> Hi <firstName> <lastName>,
>>>>>>>>>>
>>>>>>>>>> <adminFirstName> <adminLastName> here from <application.base.url>. I’ve added you as a user to our online meeting room(s).
>>>>>>>>>>
>>>>>>>>>> To use the room(s), you need to complete your registration. Click the link below and create a strong password.
>>>>>>>>>>
>>>>>>>>>> <URL>
>>>>>>>>>>
>>>>>>>>>> Your username for logging in is <username>.
>>>>>>>>>>
>>>>>>>>>> Thanks for joining our meeting room(s).
>>>>>>>>>>
>>>>>>>>>> See you soon!
>>>>>>>>>>
>>>>>>>>>> <adminFirstName>
>>>>>>>>>>
>>>>>>>>>> If I’ve sent you this invitation by mistake, please *click here* to deregister.
>>>>>>>>>>
>>>>>>>>>> On Wed, Aug 25, 2021 at 6:13 AM Maxim Solodovnik <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Maybe you can help to create a template for such email (as text) here? :)
>>>>>>>>>>> and maybe propose a configuration key name?
>>>>>>>>>>>
>>>>>>>>>>> `send.email.when.created.by.admin`? Maybe better ideas? :))
>>>>>>>>>>>
>>>>>>>>>>> On Wed, 25 Aug 2021 at 12:18, Lee But <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hello Maxim,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm testing with my own email addresses until I am sure that I have everything right.
>>>>>>>>>>>> I think that would be great. Also, a link to the login page would be useful, as without it, users don't know the URL of the website.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Lee
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Aug 25, 2021 at 2:53 AM Maxim Solodovnik <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hello Lee,
>>>>>>>>>>>>>
>>>>>>>>>>>>> this is by design
>>>>>>>>>>>>> these email settings are for self-registration only
>>>>>>>>>>>>> Password is not being sent for security reasons
>>>>>>>>>>>>>
>>>>>>>>>>>>> As workaround your users can click "Forget password"
>>>>>>>>>>>>> enter login/email and change the password
>>>>>>>>>>>>>
>>>>>>>>>>>>> We can add some additional setting to send email to newly created users with instructions above :)
>>>>>>>>>>>>> WDYT?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, 24 Aug 2021 at 23:07, Lee But <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I turned off self-registering, and when I set up a user as admin, no verification email is sent despite the key being set to true.
>>>>>>>>>>>>>> [image: image.png]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Also, the email that contains the user's account details does not contain the password, nor a link to the openmeetings page, so they cannot log in.
>>>>>>>>>>>>>> Here's the message:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [image: image.png]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thank you,
>>>>>>>>>>>>>> Lee
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Best regards,
>>>>>>>>>>>>> Maxim
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Best regards,
>>>>>>>>>>> Maxim
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Best regards,
>>>>>>>>> Maxim
>>>>>>>
>>>>>>> --
>>>>>>> Best regards,
>>>>>>> Maxim
>>>>>
>>>>> --
>>>>> Best regards,
>>>>> Maxim
>>>
>>> --
>>> Best regards,
>>> Maxim
>
> --
> Best regards,
> Maxim
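
The mechanism discussed in the thread (an invitation that carries the username and a "hash in URL" link instead of a mailed password), as an added example that is not part of the original messages and is not OpenMeetings code. The class and function names, the `/reset` path, the 24-hour lifetime and the in-memory store are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime; not an OpenMeetings setting


class InviteStore:
    """In-memory stand-in for the user table (hypothetical, for illustration)."""

    def __init__(self):
        self._pending = {}  # username -> (sha256 hex of token, expiry timestamp)

    def issue(self, username, base_url, now=None):
        """Create a one-time link for an admin-created user; no password is mailed."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the digest is stored, so a database leak does not expose live links.
        self._pending[username] = (digest, now + TOKEN_TTL_SECONDS)
        query = urlencode({"user": username, "token": token})
        return f"{base_url.rstrip('/')}/reset?{query}"  # "/reset" path is assumed

    def redeem(self, username, token, now=None):
        """Return True once for a valid, unexpired token; False otherwise."""
        now = time.time() if now is None else now
        record = self._pending.get(username)
        if record is None:
            return False
        digest, expires = record
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(candidate, digest):
            return False  # a wrong guess does not consume the real token
        del self._pending[username]  # single use; also discards expired tokens
        return now <= expires


def render_invite(first_name, username, link):
    """Fill an invitation body that carries the username and link, never a password."""
    return (
        f"Dear {first_name},\n\n"
        "To complete your registration, please visit the link below "
        "and create a strong password.\n\n"
        f"{link}\n\nYour username for logging in is {username}.\n"
    )
```

The link is the only secret in the message, so it expires and works once; the password itself is chosen by the user after following it and never travels by email.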
