Re: [Dolibarr-dev] Password of members
From: Xebax
Subject: Re: [Dolibarr-dev] Password of members
Date: Sat, 25 Jun 2016 11:15:59 +0200
User-agent: Mutt/1.6.0 (2016-04-01)
On Friday, 24 June 2016, Laurent Destailleur (aka Eldy) wrote:
> If you need the login id and not the password, just keep the password
> empty. The password for members is not used. It is just information
> stored when there is a need to use dolibarr as a password referential for
> members.
Hi Laurent,
The login/id and the password are both mandatory.
When creating a member, the password is automatically filled and if
it is cleared, the member cannot be created.
If the password is cleared when modifying a member, it is not modified
at all (that's a bit strange, by the way, I had to check the DB to
confirm this behavior).
The only way I have found to clear the password is to set it to NULL
with a query in DB.
Moreover I am very concerned about the password being stored in clear
text for members. I see no point storing a hashed value for the users
if the same password is stored in clear text in another table.
I propose two improvements:
1) Add an option to the Members module: "Manage a password for
members: Yes/No". This option would be visible only if "Manage a
login/id for members" is enabled.
2) Always store the encrypted/hashed password and add a method to
check the password (this method should also be available in the web
services).
What do you think about that?
--
Xebax
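
A sketch of proposal 2 above, as an added example that is not part of the original message and is not Dolibarr code: store only a hash, expose a check method, and upgrade legacy clear-text values the first time they verify. The function names and the migration path are assumptions; the caller is assumed to read and write the member's password column.

```php
<?php
// Hypothetical helpers, not Dolibarr's API. $stored is the value read from the
// member's password column: NULL, a legacy clear-text value, or a hash.

/** Value to store for a new password; empty input means "no password managed". */
function memberPasswordForStorage(?string $plain): ?string
{
    if ($plain === null || $plain === '') {
        return null;
    }
    return password_hash($plain, PASSWORD_DEFAULT);
}

/**
 * Check a candidate password against the stored value.
 * Returns [bool $ok, ?string $newStored]; when $newStored is not null the
 * caller should write it back so the clear-text or outdated value is replaced.
 */
function checkMemberPassword(string $candidate, ?string $stored): array
{
    if ($stored === null || $stored === '') {
        return [false, null];               // no password set: never authenticate
    }
    // password_get_info() reports algoName "unknown" for anything that is not
    // a password_hash() result; such a value is treated as legacy clear text.
    if (password_get_info($stored)['algoName'] === 'unknown') {
        $ok = hash_equals($stored, $candidate);   // constant-time comparison
        return [$ok, $ok ? memberPasswordForStorage($candidate) : null];
    }
    if (!password_verify($candidate, $stored)) {
        return [false, null];
    }
    // Re-hash when PHP's default algorithm or cost has changed since storage.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? memberPasswordForStorage($candidate)
        : null;
    return [true, $new];
}

// Constructed sample values, for illustration only.
[$ok, $upgraded] = checkMemberPassword('S3cret-sample', 'S3cret-sample'); // legacy row
var_dump($ok, password_get_info($upgraded)['algoName'] !== 'unknown');
var_dump(checkMemberPassword('S3cret-sample', $upgraded)[0]);  // migrated row
var_dump(checkMemberPassword('wrong-guess', $upgraded)[0]);    // bad password
var_dump(checkMemberPassword('anything', null)[0]);            // NULL password
```

Legacy rows are only upgraded when their owner next authenticates, so a one-off batch pass over the remaining clear-text values is still needed to remove them all.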