On 28 October 2010 19:17, Vega <[email protected]> wrote:

> There's still no way for admin to verify user identity to avoid scam.
> Moreover, if user can't access her WIAB account, how will she ask
> admin for password reset?
>
Maybe we're thinking of different use cases. I'm not suggesting something that could be used to run a globally accessible public Wave system, just something for a small organisation to collaborate. A user can walk over to their administrator's desk and ask for a password reset. Or perhaps send an email herself or log a work order or whatever her organisation does for administrative requests.

We don't need to solve the problem of user verification right away - we can solve the problem of basic password resets first. For it to be safe to have such a system available on the internet we should probably add a flag to disable user self-registration, so the admin has all the power.

> Regarding automatic password reset via email - in fact it is a lot
> easier than implementing admin privileges logics + UI for admin page.
>
> What I suggest will work like this:
> -User click on password recovery link
> -Password recovery form is served where user enters username and
> email. If they match WIAB sends POST request to MailHandlerServlet
> that is running on other server (with access to mail server). The
> request contains the recipient address and message text (with new
> password).
> -The both sides need to setup OAuth to trust each other.
> -MailHandlerServlet (in simplest case - App Engine domain) sends the
> requested email to recipient.
>
> The design is easy and sending email using App Engine mail server is
> very easy. The architecture also allows to use other (non App Engine)
> mail server as the communication is done via HTTP. It also escapes the
> need to user verification.
> Regarding user details update - I still think that the best way to do
> it is based on WIAB services - like Settings Wave with profile gadget.
>
> On Oct 28, 8:42 am, Alex North <[email protected]> wrote:
> > Good points, thanks for thinking about this. We don't have a design, no.
> >
> > I think your ideas about email addresses for verification are good, but
> > adding email sending to WIAB will be a significant piece of work. Let's
> > implement something really simple first, just enough to make WIAB usable.
> >
> > How about:
> > - Some users are admins (add this to the user store). Possibly the first
> > user to register is automatically an admin, others are not by default
> > - An admin can grant admin access to other users, change passwords, and
> > generally create and edit user records
> > - Users can't reset their own passwords - they need to ask an admin
> >
> > I know that's no way to run a production service, but it's enough to get us
> > over the hump of being able to admin the user store.
> >
> > On 28 October 2010 17:34, Vega <[email protected]> wrote:
> >
> > > By the way, when you talk about account management for admin - do you
> > > have some design?
> > > Firstly, in order to think about account management - WIAB should
> > > support some notion of privileged accounts. I am not aware of such
> > > functionality in WIAB.
> > > Secondly, given that there will be functionality to authorize some
> > > user as admin and given that admins would have access to a page that
> > > would allow to reset passwords - they still would need some
> > > verification mechanism for password reset to avoid scam. Usually it
> > > is done by sending email with password to verified email address - but
> > > WIAB doesn't have mail server, and doesn't store email addresses or
> > > has the functionality to verify email addresses.
> > >
> > > I think the easiest solution for password recovering would be like
> > > this:
> > > -User will provide email address on registration
> > > -WIAB will store the email along with user credentials
> > > -Whenever user enters incorrect password - login page will be present
> > > a link to password recovery page where the user should enter the
> > > registered email.
> > > -If username matches the email address, WIAB will automatically reset
> > > the password and send it to registered email using Google AppEngine
> > > mail server.
> > >
> > > On Oct 28, 1:34 am, Alex North <[email protected]> wrote:
> > > > Building features on top of Wave itself is definitely something we like to
> > > > do. User profiles, settings, avatars etc fit well here (it's what Google
> > > > Wave does too).
> > > >
> > > > However I agree with James we probably need some basic infrastructure
> > > > outside of waves to bootstrap such a system. Basic password resetting is a
> > > > good example, as is some admin functionality like account management.
> > > >
> > > > Implementing profile waves is a big task, but password reset and user
> > > > management pages sound feasible. Go for it!
> > > >
> > > > Alex
> > > >
> > > > On 28 October 2010 08:28, Vega <[email protected]> wrote:
> > > >
> > > > > I am not sure how much effort would take to support gadgets in WIAB -
> > > > > probably not too much. Implementation of admin gadget should not be
> > > > > too hard, if needed I can do it.
> > > > >
> > > > > On Oct 27, 3:31 pm, x00 <[email protected]> wrote:
> > > > > > Content management could work through extensions, and ultimately a
> > > > > > fully blown wave application framework. But I don't see that as the
> > > > > > remit of WIAB at the moment.
> > > > > >
> > > > > > Potentially in the future all content could be float atop of wave like
> > > > > > services, bar the infrastructure itself.
> > > > >
> > > > > --
> > > > > You received this message because you are subscribed to the Google Groups
> > > > > "Wave Protocol" group.
> > > > > To post to this group, send email to [email protected].
> > > > > To unsubscribe from this group, send email to
> > > > > [email protected]<wave-protocol%[email protected]>
> > > > > .
> > > > > For more options, visit this group at
> > > > > http://groups.google.com/group/wave-protocol?hl=en.
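
A minimal sketch of the admin-only reset model proposed in this message: the first registrant becomes admin, admins can grant admin rights and reset passwords, and a flag disables self-registration. This is an added example, not WIAB code and not part of the original thread; `UserStore`, its method names and the salted PBKDF2 storage are assumptions.

```python
import hashlib
import hmac
import os


class UserStore:
    """Hypothetical in-memory user store; names are illustrative, not WIAB's."""

    def __init__(self, self_registration=True):
        self.self_registration = self_registration  # False: only admins add users
        self._users = {}  # username -> {"salt", "hash", "admin"}

    @staticmethod
    def _hash(password, salt):
        # Assumption: salted PBKDF2 storage; the thread does not specify one.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _store(self, user, password, admin, new=True):
        if new and user in self._users:
            raise ValueError(f"user exists: {user}")
        salt = os.urandom(16)
        self._users[user] = {"salt": salt, "hash": self._hash(password, salt), "admin": admin}

    def _require_admin(self, actor):
        if not self._users.get(actor, {}).get("admin"):
            raise PermissionError(f"{actor} is not an admin")

    def register(self, user, password):
        """Self-registration; the first account bootstraps as admin."""
        first = not self._users
        if not first and not self.self_registration:
            raise PermissionError("self-registration is disabled")
        self._store(user, password, admin=first)

    def admin_create(self, actor, user, password):
        self._require_admin(actor)
        self._store(user, password, admin=False)

    def grant_admin(self, actor, user):
        self._require_admin(actor)
        self._users[user]["admin"] = True

    def reset_password(self, actor, user, new_password):
        """The only reset path: the caller must be an admin."""
        self._require_admin(actor)
        self._store(user, new_password, self._users[user]["admin"], new=False)

    def authenticate(self, user, password):
        rec = self._users.get(user)
        return rec is not None and hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"]))
```

Because the first account to register becomes the admin, the bootstrap registration has to happen before the server is reachable by anyone else.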
