IMPORTANT - Please read this entire file before
attempting to use the self activation and lost password
feature! DO NOT APPLY THE PATCH BEFORE READING THIS
FILE IN FULL!
This feature is intended to permit individuals to
create their own user account, based on an
administratively configured
template. The person_per record must already be
configured, however, as the name and e-mail address are
required fields to activate the user_usr account.
Additionally, once the user account has been created,
the same challenge/response mechanism can be used to
reset the account password without administrative effort.
PREREQUISITES:
1) The Self Activation/Lost Password feature requires
the use of the PHPMailer class (not required by the
default InfoCentral); the reason for this is that
certain ISPs refuse mail with an envelope sender of
the form <anonymous@host>, which the default mailer uses.
2) The Self Activation feature requires the use of a
template user account, called "New User", which has a
per_ID of 2; if you have an existing installation of
InfoCentral with an ordinary user account with
per_ID=2, you will need to manually fix that; the
easiest way is to copy the user_usr and person_per
records for per_ID=2, then rename the existing per_ID=2
records to "New User" and set a null password (so the
account cannot be logged into).
INSTALLATION:
1) Test the patch with the base InfoCentral source code
( 1.2.6a ) using the following command:
$ patch -p0 -F3 -i LostPassword.diff --dry-run
If that doesn't report any conflicts, then apply the
patch with:
$ patch -p0 -F3 -i LostPassword.diff
If you are not running the 1.2.6a release, you may have
to apply portions of the patch manually (specifically
to Default.php).
2) Make sure to update the following fields in
Include/Config.php with sensible values:
// The email address that shows up in the "From:" field
$sFromEmailAddress = "admin@openserve.org";
// The name that shows up on email address
$sFromName = "Mailing List";
as the challenge messages are constructed using those
values. You may also need to change the following (if
you have never set up the e-mail feature):
// SMTP Address
$sSMTPHost = "10.0.0.10";
// Does your SMTP server require authentication (username/password)?
$sSMTPAuth = false;
// SMTP Username
$sSMTPUser = "user";
// SMTP Password
$sSMTPPass = "blah";
3) Edit the 'New User' account and set the default
rights you want all new users to have (they don't need
to have any, but you can decide which rights are
appropriate for your installation).
4) Create a test person_per record and then attempt to
activate the account; you need to have First and Last
Name plus a valid e-mail address defined in order to
activate the account. You should receive a challenge
e-mail with a link in it which will activate the
account and allow the user to set their own password.
IMPORTANT NOTE:
This challenge/response system is not highly secure; it
is possible for anyone to force a password change
knowing only the name and e-mail address of any person
record. However, for most purposes, this is normally
secure enough, since the challenge e-mail is sent
directly to the address on record, so a third party
will be unable to log in as any given user (since the
temporary password is randomly generated).
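A variant of the challenge/response flow that closes the gap described in this note, as an added example (not code from the patch or from InfoCentral): the request step only records a challenge, and the password changes only when the e-mailed token is redeemed. The function names, the in-memory $store array standing in for a database table, and the one-hour lifetime are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example, not InfoCentral code. $store stands in for a database
// table keyed by per_ID; every name below is hypothetical.
const CHALLENGE_TTL = 3600; // seconds a challenge link stays valid

// Step 1: called when someone submits a name and e-mail address.
// Nothing about the account changes here; only a challenge is recorded.
function issueChallenge(array &$store, int $perId, int $now): string
{
    $token = bin2hex(random_bytes(32));        // 256-bit random challenge
    $store[$perId] = [
        'hash'    => hash('sha256', $token),   // keep only a hash at rest
        'expires' => $now + CHALLENGE_TTL,
    ];
    return $token;                             // goes into the e-mailed link
}

// Step 2: called when the link from the e-mail is followed.
// Returns the password hash to save, or null if the challenge is invalid.
function redeemChallenge(array &$store, int $perId, string $token,
    string $newPassword, int $now): ?string
{
    $entry = $store[$perId] ?? null;
    if ($entry === null || $now > $entry['expires']) {
        unset($store[$perId]);                 // drop missing/expired entry
        return null;
    }
    if (!hash_equals($entry['hash'], hash('sha256', $token))) {
        return null;                           // wrong token, password untouched
    }
    unset($store[$perId]);                     // single use
    return password_hash($newPassword, PASSWORD_DEFAULT);
}

// Constructed walk-through for a person record with per_ID 42.
$store = [];
$token = issueChallenge($store, 42, 1000);
var_dump(redeemChallenge($store, 42, 'guess', 'pw', 1010));  // guessed token
var_dump(redeemChallenge($store, 42, $token, 'pw', 1010));   // token from e-mail
var_dump(redeemChallenge($store, 42, $token, 'pw', 1020));   // same link reused
$late = issueChallenge($store, 42, 1000);
var_dump(redeemChallenge($store, 42, $late, 'pw', 1000 + CHALLENGE_TTL + 1)); // expired
```

With this flow, someone who knows only the name and e-mail address can cause a challenge e-mail to be sent but cannot alter the existing password.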
Lost Password and Self Activation Feature