[pmwiki-devel] How to deal with "I forgot my password"

[John Rankin]

On 21/03/11 1:12 PM, John Rankin wrote:
> We are using a modified version of Cookbook.NewGroupBox [1] to let 
> users create a NewGroup.HomePage and set a group password for 
> edit/upload in NewGroup.GroupAttributes. The user only needs read 
> access to the "Start a New Group" page, but gets re-prompted for the 
> new edit password before the recipe saves NewGroup.HomePage. We want a 
> way for users to recover from a forgotten password and are having 
> difficulty working out how to implement a suitable scheme.
>
> <snip>
>
> I need advice on how to:
>
> a. retrieve the email address from NewGroup.GroupAttributes
Figured that one out: $page = RetrieveAuthPage(...); $page['email'] 
contains the email address.
>
> b. check that the attr password is valid and that only the generated 
> value allows the resetpasswd action
I think the trick is to set $DefaultPasswords['attr'] = '*'; in 
local/config.php, then by default only the admin password will work.

We generate a random password, store it (encrypted) in passwdattr and 
email it to the user's designated address.

Then we can use the standard password prompt mechanism, and only the 
admin password or the generated value will work.
>
> c. unset the attr password in a way that does not open 
> NewGroup.GroupAttributes to editing by all and sundry
If we 'clear' the attr password, the default password reverts to '*' and 
the attributes screen remains locked to non-admin users.
>
> d. deal with the case where a user with an edit password has accessed 
> NewGroup.GroupAttributes?action=attr
Setting $DefaultPasswords['attr'] = '*'; prevents this.
>
> Comments?
>
> [1] http://www.pmwiki.org/wiki/Cookbook/NewGroupBox
>
JR

-- 
John Rankin
Affinity Limited
T 64 4 495 3737
F 64 4 473 7991
M 021 RANKIN
john.rankin at affinity.co.nz
www.affinity.co.nz