[Yanel-dev] Forgot password feature

Michael Wechner michael.wechner at wyona.com
Fri Jul 24 18:24:14 CEST 2009


Prabodh Upreti schrieb:
> Hi Michael
>  
> I was assuming here that the create user feature only allows one user 
> per email address.

no, it currently doesn't check this, whereas I am reluctant to block this
> If this is not true then, yes we should block it at the forgot pw 
> level.  Also need to modify create user to only create with unique 
> passwords.

well, that's the question, where exactly do we want to handle/catch 
this. It's not clear to me yet, and maybe we should
start a pros/cons list.

Cheers

Michael
> Thanks.
>  
> Prabodh
>
> ------------------------------------------------------------------------
> *From:* Michael Wechner <michael.wechner at wyona.com>
> *To:* yanel-development at wyona.com
> *Sent:* Thursday, July 23, 2009 4:21:05 PM
> *Subject:* Re: [Yanel-dev] Forgot password feature
>
> Dear Prabodh
>
> One more thing which came to my mind: What is happening if more than 
> one user account has the same email address?
>
> At the moment we allow this, whereas we might want to consider 
> blocking this.
>
> WDOT?
>
> Thanks
>
> Michael
>
> Michael Wechner schrieb:
> > Dear Prabodh
> >
> > I am currently testing the forgot password feature and have a couple 
> of questions:
> >
> > IIUC if a successful request (email exists) was done, then for this 
> user a file will be created
> >
> > data-repo/data/change-password-requests/USER_ID.xml (whereas the 
> path change-password-requests is configurable)
> >
> > with the following content
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <user xmlns="http://www.wyona.org/yanel/1.0">
> >  <email>michael.wechner at wyona.com</email>
> >  <starttime>1248374094694</starttime>
> >  <guid>f4c9fa73-b10a-4033-a31c-7d0339bd3937</guid>
> > </user>
> >
> > How is <starttime> related to the expire date of this request?
> >
> > What does <guid> stand for? I guess the content is the "reset 
> password request id", but if so, then why call it like that?
> >
> > Why save the email instead the user id?
> >
> > Re scalability, if we have one million users and many people forget 
> their passwords, do we have to parse all these files to find the 
> correct "reset password request id"?
> >
> > Why not deleting this file after the password has been reset 
> successfully?
> >
> > All the best
> >
> > Michael
>
> -- Yanel-development mailing list Yanel-development at wyona.com
> http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development
>
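As an added illustration of the design questions raised in the quoted message (not Yanel's code), the store below answers them one way: it keeps the user id rather than the email, derives expiry from the millisecond starttime with an assumed one-hour lifetime, names each file by a hash of the request id so a lookup never scans the directory, and deletes the file the moment the id is redeemed. The JSON record, the `.json` directory layout and the one-hour TTL are assumptions of this example.

```python
import hashlib
import json
import os
import secrets
import tempfile
import time

TTL_MS = 60 * 60 * 1000  # assumption: a request expires one hour after <starttime>


class ResetRequestStore:
    """One pending change-password request per file, keyed by a hash of the
    secret request id instead of by user id or email."""

    def __init__(self, directory):
        self.directory = directory
        os.makedirs(directory, exist_ok=True)

    def _path(self, request_id):
        # Hashing the id means a directory listing leaks nothing redeemable and
        # finding a request is one path computation, not a scan of every file.
        digest = hashlib.sha256(request_id.encode()).hexdigest()
        return os.path.join(self.directory, digest + ".json")

    def create(self, user_id, now_ms=None):
        # The page's <guid> role, but 256 bits from a CSPRNG; the user id (not the
        # email) is stored so two accounts sharing an email cannot collide.
        request_id = secrets.token_urlsafe(32)
        start = now_ms if now_ms is not None else int(time.time() * 1000)
        with open(self._path(request_id), "w") as f:
            json.dump({"user_id": user_id, "starttime": start}, f)
        return request_id

    def consume(self, request_id, now_ms=None):
        """Return the user id if the request exists and is unexpired, else None.
        The file is removed in every case, so an id is redeemable once only."""
        path = self._path(request_id)
        try:
            with open(path) as f:
                record = json.load(f)
            os.remove(path)  # fails if a concurrent request already redeemed it
        except FileNotFoundError:
            return None
        now = now_ms if now_ms is not None else int(time.time() * 1000)
        if now - record["starttime"] > TTL_MS:
            return None
        return record["user_id"]


def new_store():
    # Fresh temporary directory standing in for data-repo/data/change-password-requests
    return ResetRequestStore(tempfile.mkdtemp())
```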
