[pmwiki-devel] How to deal with "I forgot my password"
John Rankin
john.rankin at affinity.co.nz
Sun Mar 20 19:12:23 CDT 2011

We are using a modified version of Cookbook.NewGroupBox [1] to let users 
create a NewGroup.HomePage and set a group password for edit/upload in 
NewGroup.GroupAttributes. The user only needs read access to the "Start 
a New Group" page, but gets re-prompted for the new edit password before 
the recipe saves NewGroup.HomePage. We want a way for users to recover 
from a forgotten password and are having difficulty working out how to 
implement a suitable scheme.

We envisage this will work as follows (open to suggestions for a better 
way and correction of any misunderstandings).

1. As part of creating a new group, prompt the user for an email 
address, which gets stored (unencrypted) in NewGroup.GroupAttributes. I 
think pmwiki only encrypts attribute values if the name starts with 
"passwd", otherwise they are stored in the clear. Send a welcome message 
to the address with the url of the new group plus the password.

2. Add a "Forgot your password?" link to the standard pmwiki form that 
prompts the user to enter a password. When clicked, this will:
- generate a string of letters and numbers and set this as an attr 
password in NewGroup.GroupAttributes
- retrieve the stored email address and send it an email containing the 
generated attr password string and a link to an action=resetpasswd that 
requires the new attr password

3. When the user clicks the link, it takes her to a form that prompts 
for the attr password sent in the email and for a new password. The code 
will then:
- check that the attr password authorises the action
- set the edit and upload passwords to the entered new password value
- unset the attr password, so that if the email gets compromised, the 
password no longer works
- retrieve the email address and send it a confirming email with the new 
edit/upload password

I need advice on how to:

a. retrieve the email address from NewGroup.GroupAttributes (is this 
just a call to PageVar?)
b. check that the attr password is valid and that only the generated 
value allows the resetpasswd action
c. unset the attr password in a way that does not open 
NewGroup.GroupAttributes to editing by all and sundry
d. deal with the case where a user with an edit password has accessed 
NewGroup.GroupAttributes?action=attr

Comments? Have others solved a similar problem?

[1] http://www.pmwiki.org/wiki/Cookbook/NewGroupBox

-- 
John Rankin
Affinity Limited
T 64 4 495 3737
F 64 4 473 7991
M 021 RANKIN
john.rankin at affinity.co.nz
www.affinity.co.nz
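
Steps 2 and 3 of the scheme above, as an added PHP example that is not part of the original post and is not PmWiki code. It assumes an array `$attrs` standing in for NewGroup.GroupAttributes, and it keeps the generated string as a separate hashed, expiring value (hypothetical `resethash` and `resetexpires` keys) rather than as the attr password; the function names, the one-hour lifetime and the use of `password_hash()` are likewise assumptions.

```php
<?php
// Added example. $attrs stands in for the attributes kept in
// NewGroup.GroupAttributes; function names, the reset* keys and the
// one-hour lifetime are assumptions, not PmWiki APIs.
const RESET_TTL = 3600;

// Step 2: generate the string that goes into the email. Only its SHA-256
// hash is stored, so reading the attributes does not reveal a usable code.
function issue_reset_code(array &$attrs, int $now): string
{
    $code = bin2hex(random_bytes(16)); // 32 hex chars from the system CSPRNG
    $attrs['resethash'] = hash('sha256', $code);
    $attrs['resetexpires'] = $now + RESET_TTL;
    return $code;
}

// Step 3: check the emailed code, set the edit and upload passwords, then
// unset the code so the same email cannot be used a second time.
function redeem_reset_code(array &$attrs, string $code, string $newPassword, int $now): bool
{
    $stored = $attrs['resethash'] ?? '';
    $expires = $attrs['resetexpires'] ?? 0;
    if ($stored === '' || $now > $expires) {
        unset($attrs['resethash'], $attrs['resetexpires']); // drop stale state
        return false;
    }
    if (!hash_equals($stored, hash('sha256', $code))) { // constant-time compare
        return false;
    }
    // password_hash() stands in for however the wiki hashes "passwd" attributes.
    $hashed = password_hash($newPassword, PASSWORD_DEFAULT);
    $attrs['passwdedit'] = $hashed;
    $attrs['passwdupload'] = $hashed;
    unset($attrs['resethash'], $attrs['resetexpires']);
    return true;
}

// Constructed sample data: a wrong code, the emailed code, then a replay.
$attrs = ['email' => 'owner@example.org'];
$issued = 1300000000;
$code = issue_reset_code($attrs, $issued);
var_dump(redeem_reset_code($attrs, 'not-the-code', 'new-secret', $issued + 60));
var_dump(redeem_reset_code($attrs, $code, 'new-secret', $issued + 60));
var_dump(redeem_reset_code($attrs, $code, 'another', $issued + 120));
```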