From: Mitch \(WebCob\) <mi...@we...> - 2004-07-23 01:21:26
> > He doesn't always get to read all of the threads...
> [Victor] I actually do, but I don't always have the time to reply right
> away. With these discussions, I also like to get more feedback before
> posting my conclusions.

Excuse me ;-) Didn't mean it to sound critical - hadn't heard from you in a bit - remembered our emails before where you said to cc you if it required your direct input (or am I mixing up my projects again? ;-)

> 2. Email will be sent with a link which look like the following:
> http://.../password_reset.php?user=vboctor&auth=XXXXXXXXXXXXXX

user should be base64'd. Usernames can have characters that are not URL friendly if the user-configurable regex is changed.

> auth_code = md5( config_get( 'path' ) . $t_username .
> $t_current_password );

This addresses A5 only if the same password is never used - right? $t_current_password itself is not a cleartext password anyways, right? Just confirming - a few people's contents indicated they were assuming passwords were stored in a readable format...

> A3: can be done by adding code in password reset to re-use the same
> code.

One more extension possibility... can this work?

Would it be a big change to allow a project manager (configurable of course) to INVITE a new user? Just thinking of another re-use for this code...

Right now, users can sign themselves up, but we for example maintain MANY private projects for our users, and allow them to manage their own access (removes us as the bottleneck). Rather than having people sign themselves up, it would be nice to delegate that function to a project manager, who could then trigger the new account creation, with an automatic membership in the current project (selectable at creation time or editable now as it is currently...)

Is this obtainable another way? Or am I right in thinking this is related to the new functionality?

m/
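The reset link and auth code discussed in this message, as an added PHP sketch that is not part of the original email and is not Mantis code. The helper names, the tracker.example URL, the sample username and the unsalted-MD5 stored password value are assumptions. It encodes the username URL-safely and checks the same mailed link three times: as sent, after the stored password changes, and after the same password is set again.

```php
<?php
// Added illustration: hypothetical helper names and constructed sample values.

// Auth code as proposed in the thread: md5( path . username . stored password value ).
function reset_auth_code(string $path, string $username, string $stored): string {
    return md5($path . $username . $stored);
}

// URL-safe base64, so a username with '+', '&', '/' or spaces survives the query string.
function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function b64url_decode(string $s) {
    $padded = str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '=');
    return base64_decode(strtr($padded, '-_', '+/'), true); // false on invalid input
}

function build_reset_link(string $base, string $username, string $stored): string {
    return $base . 'password_reset.php?user=' . b64url_encode($username)
         . '&auth=' . reset_auth_code($base, $username, $stored);
}

// $users maps username => stored password value (assumed here: unsalted MD5 of the password).
function verify_reset(string $base, array $users, string $userParam, string $auth): bool {
    $username = b64url_decode($userParam);
    if ($username === false || !isset($users[$username])) {
        return false;
    }
    // Constant-time comparison of expected and supplied codes.
    return hash_equals(reset_auth_code($base, $username, $users[$username]), $auth);
}

$base  = 'https://tracker.example/mantis/';        // constructed
$name  = 'v boctor+qa&x';                          // constructed, not URL friendly
$users = [$name => md5('old-password')];

$link = build_reset_link($base, $name, $users[$name]);
parse_str(parse_url($link, PHP_URL_QUERY), $q);    // what the reset page would receive

var_dump(verify_reset($base, $users, $q['user'], $q['auth'])); // link as mailed
$users[$name] = md5('new-password');
var_dump(verify_reset($base, $users, $q['user'], $q['auth'])); // after a password change
$users[$name] = md5('old-password');
var_dump(verify_reset($base, $users, $q['user'], $q['auth'])); // same password set again
```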