Thanks! got notification from JIRA :)

On Thu, 2 Sept 2021 at 14:02, Lee But <[email protected]> wrote:

> Done: https://issues.apache.org/jira/browse/OPENMEETINGS-2658
>
> On Thu, Sep 2, 2021 at 6:11 AM Maxim Solodovnik <[email protected]>
> wrote:
>
>>
>> On Thu, 2 Sept 2021 at 11:27, Lee But <[email protected]>
>> wrote:
>>
>>> 1) Perhaps there is no need for a new template, just make it possible
>>> for an admin-registered user to follow a link to log in.
>>> Yes, a password with registration is a bad idea.
>>> Which methods are available for a user to log in without knowing their
>>> password if not sent by the admin?
>>>
>>
>> "Forget password" link should work :))
>>
>>> My bank sends verification codes via email, so I suppose there must be
>>> some way to use email securely.
>>>
>>
>> Better way to send password in separate email
>> OR even better send it to alternative email or via SMS/Push (different
>> channel)
>>
>> "Forget password" will do it :) (with hash in URL as temporary password
>> :))
>>
>>
>>> 2) I think the base url is enough, the same as the application.base.url
>>> key in configuration.
>>>
>>
>> OK
>> Could you please create JIRA:
>> https://issues.apache.org/jira/browse/OPENMEETINGS (you need to be
>> registered :)
>>
>>
>>>
>>> On Thu, Sep 2, 2021 at 3:33 AM Maxim Solodovnik <[email protected]>
>>> wrote:
>>>
>>>> There is no such thing as temporary password
>>>>
>>>> From security perspective it is not good idea to send login and
>>>> password via same channel
>>>> And extremely bad idea to send them in same message
>>>>
>>>> I'm ready to add some changes to the registration template :)
>>>> Since email is being sent while registering
>>>>
>>>> 1) Do we need a separate template?
>>>> 2) Shall we add server URL to the current template?
>>>>
>>>>
>>>> On Sat, 28 Aug 2021 at 10:50, Lee But <[email protected]>
>>>> wrote:
>>>>
>>>>> I was just thinking; does the template need a line with the temporary
>>>>> password in it?
>>>>>
>>>>> *Your temporary password is <password>. You should change it when you
>>>>> complete your registration.*
>>>>>
>>>>> On Thu, Aug 26, 2021 at 8:39 AM Ali Alhaidary <
>>>>> [email protected]> wrote:
>>>>>
>>>>>>
>>>>>> On 8/26/21 8:46 AM, Maxim Solodovnik wrote:
>>>>>>
>>>>>> I would call it: security issue :)
>>>>>> IMO such destructive action like purging user should be very much
>>>>>> secured ....
>>>>>>
>>>>>> Admins periodically review user list and remove old, not fully
>>>>>> registered or not verified users. Also, a user needs to remove his contact
>>>>>> information if the application keeps interacting with him by email for
>>>>>> example, however, OM does not do that.
>>>>>>
>>>>>>
>>>>>> On Thu, 26 Aug 2021 at 12:44, Lee But <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Isn't there a way to send an ID key in the invitation email that can
>>>>>>> automatically remove the record that matches the key. Or, match the
>>>>>>> email address?
>>>>>>>
>>>>>>> On Thu, Aug 26, 2021 at 5:36 AM Maxim Solodovnik <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, 26 Aug 2021 at 12:18, Lee But <[email protected]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hello Maxim,
>>>>>>>>>
>>>>>>>>> The <application.base.url> is just to point to the website that
>>>>>>>>> openmeetings is on so that the user can recognise it. Example, Maxim
>>>>>>>>> Solodovnik at www.openmeetings.apache.org has invited you to join
>>>>>>>>> their online meeting room(s).
>>>>>>>>> Perhaps, it would be better if the admin could create an
>>>>>>>>> 'organisation name' and have that in the invitation instead.
>>>>>>>>>
>>>>>>>>> The <URL>, would point directly to a page to change the password
>>>>>>>>> and complete registration.
>>>>>>>>>
>>>>>>>>
>>>>>>>> Well
>>>>>>>> Actually both URLs will be
>>>>>>>> https://om.alteametasoft.com/openmeetings/signin
>>>>>>>> This is why I'm asking :)
>>>>>>>>
>>>>>>>>
>>>>>>>>> What I mean by 'deregister' is to remove the information that the
>>>>>>>>> admin created: names, password and email address. That may not be
>>>>>>>>> clear.
>>>>>>>>>
>>>>>>>>> I suppose it could read, 'If you have received this invitation in
>>>>>>>>> error or do not wish to join the meeting room(s), please *click
>>>>>>>>> here* to deregister your information shown in this email.'
>>>>>>>>>
>>>>>>>>
>>>>>>>> As I wrote before
>>>>>>>> this is impossible without successful login
>>>>>>>> which is impossible without "change the password and complete
>>>>>>>> registration"
>>>>>>>> So the footer looks useless to me :(
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Aug 26, 2021 at 4:59 AM Maxim Solodovnik <
>>>>>>>>> [email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Thanks for the templates :)
>>>>>>>>>>
>>>>>>>>>> I'll do the following:
>>>>>>>>>>
>>>>>>>>>> 1) will create the key `send.invite.to.user.created.by.admin`
>>>>>>>>>> 2) will use "Formal version" to create the template
>>>>>>>>>> (you can modify it any time as described here
>>>>>>>>>> https://openmeetings.apache.org/EditTemplates.html)
>>>>>>>>>>
>>>>>>>>>> Couple of questions:
>>>>>>>>>> 1) why do we need both "<application.base.url>" and "<URL>"?
>>>>>>>>>> 2) why do we need this "If you have received this invitation in
>>>>>>>>>> error, please *click here* to deregister." footer? the only way
>>>>>>>>>> to de-register is to complete registration then to delete themselves
>>>>>>>>>> ....
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Wed, 25 Aug 2021 at 20:39, Ali Alhaidary <
>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Nice :-)
>>>>>>>>>>>
>>>>>>>>>>> Ali
>>>>>>>>>>> On 8/25/21 3:07 PM, Lee But wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hello Maxim,
>>>>>>>>>>>
>>>>>>>>>>> Here are two templates. One is formal, the other informal. I
>>>>>>>>>>> think it would be useful for admins to view default templates and
>>>>>>>>>>> create their own invitations as well.
>>>>>>>>>>> possible keys could be:
>>>>>>>>>>>
>>>>>>>>>>> send.formal.invite.to.user.created.by.admin
>>>>>>>>>>> send.casual.invite.to.user.created.by.admin
>>>>>>>>>>> send.custom.invite.to.user.created.by.admin
>>>>>>>>>>>
>>>>>>>>>>> In the examples below, the name order could be swapped according
>>>>>>>>>>> to the language being used.
>>>>>>>>>>>
>>>>>>>>>>> *****************
>>>>>>>>>>> Formal version
>>>>>>>>>>> *****************
>>>>>>>>>>>
>>>>>>>>>>> Dear <firstName> <lastName>,
>>>>>>>>>>>
>>>>>>>>>>> <adminFirstName> <adminLastName> at <application.base.url> has
>>>>>>>>>>> invited you to join their online meeting room(s).
>>>>>>>>>>>
>>>>>>>>>>> To complete your registration and use the room(s), please visit
>>>>>>>>>>> the link below and create a strong password.
>>>>>>>>>>>
>>>>>>>>>>> <URL>
>>>>>>>>>>>
>>>>>>>>>>> Your username for logging in is <username>.
>>>>>>>>>>>
>>>>>>>>>>> Thank you for joining our meeting rooms.
>>>>>>>>>>>
>>>>>>>>>>> Best regards,
>>>>>>>>>>>
>>>>>>>>>>> <adminFirstName> <adminLastName>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> If you have received this invitation in error, please *click
>>>>>>>>>>> here* to deregister.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> *****************
>>>>>>>>>>> Casual version
>>>>>>>>>>> *****************
>>>>>>>>>>>
>>>>>>>>>>> Hi <firstName> <lastName>,
>>>>>>>>>>>
>>>>>>>>>>> <adminFirstName> <adminLastName> here from
>>>>>>>>>>> <application.base.url>. I’ve added you as a user to our online
>>>>>>>>>>> meeting room(s).
>>>>>>>>>>>
>>>>>>>>>>> To use the room(s), you need to complete your registration.
>>>>>>>>>>> Click the link below and create a strong password.
>>>>>>>>>>>
>>>>>>>>>>> <URL>
>>>>>>>>>>>
>>>>>>>>>>> Your username for logging in is <username>.
>>>>>>>>>>>
>>>>>>>>>>> Thanks for joining our meeting room(s).
>>>>>>>>>>>
>>>>>>>>>>> See you soon!
>>>>>>>>>>>
>>>>>>>>>>> <adminFirstName>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> If I’ve sent you this invitation by mistake, please *click here*
>>>>>>>>>>> to deregister.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Aug 25, 2021 at 6:13 AM Maxim Solodovnik <
>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Maybe you can help to create a template for such email (as
>>>>>>>>>>>> text) here? :)
>>>>>>>>>>>> and maybe propose a configuration key name?
>>>>>>>>>>>>
>>>>>>>>>>>> `send.email.when.created.by.admin`? Maybe better ideas? :))
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, 25 Aug 2021 at 12:18, Lee But <
>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hello Maxim,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm testing with my own email addresses until I am sure that I
>>>>>>>>>>>>> have everything right.
>>>>>>>>>>>>> I think that would be great. Also, a link to the login page
>>>>>>>>>>>>> would be useful, as without it, users don't know the URL of the
>>>>>>>>>>>>> website.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>> Lee
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Aug 25, 2021 at 2:53 AM Maxim Solodovnik <
>>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello Lee,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> this is by design
>>>>>>>>>>>>>> these email settings are for self-registration only
>>>>>>>>>>>>>> Password is not being sent for security reasons
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As workaround your users can click "Forget password"
>>>>>>>>>>>>>> enter login/email and change the password
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> We can add some additional setting to send email to newly
>>>>>>>>>>>>>> created users with instructions above :)
>>>>>>>>>>>>>> WDYT?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, 24 Aug 2021 at 23:07, Lee But <
>>>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I turned off self-registering, and when I set up a user as
>>>>>>>>>>>>>>> admin, no verification email is sent despite the key being set
>>>>>>>>>>>>>>> to true.
>>>>>>>>>>>>>>> [image: image.png]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Also, the email that contains the user's account details
>>>>>>>>>>>>>>> does not contain the password, nor a link to the openmeetings
>>>>>>>>>>>>>>> page, so they cannot log in.
>>>>>>>>>>>>>>> Here's the message:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [image: image.png]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thank you,
>>>>>>>>>>>>>>> Lee
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Best regards,
>>>>>>>>>>>>>> Maxim
>>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Best regards,
>>>>>>>>>>>> Maxim
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Best regards,
>>>>>>>>>> Maxim
>>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Best regards,
>>>>>>>> Maxim
>>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Best regards,
>>>>>> Maxim
>>>>>>
>>>>
>>>> --
>>>> Best regards,
>>>> Maxim
>>>>
>>
>> --
>> Best regards,
>> Maxim
>>
>

--
Best regards,
Maxim
