In-Portal Issue Tracker - In-Portal CMS
948 [In-Portal CMS] Front End feature request always 2010-12-13 10:32 2012-07-25 05:33
Dmitry  
alex  
normal  
closed 5.1.1  
fixed  
 
none 5.2.0-B1  
https://groups.google.com/d/topic/in-portal-dev/lfqeAuXWWko/discussion
Improved "Forgot Password" logic
2
0000948: Change in "Forgot Password" logic
There are several issues with current Forgot Password functionality:

1. User needs to perform 6 steps to restore his password (he also needs to go to his profile to change it to whatever he wants later). Not too user friendly.
2. It's not secure to send passwords by email.
3. Auto-generated passwords are very hard to remember (not user friendly) vs. the ones that user enters on his own.


The proposed solution is to send a "forgot password"-like link to his email, and then he can change his password to whatever he wants.

Simplify this scheme this way:

1. user clicks "Forgot Password" link on login page
2. user enters his email or login
3. user presses "Send Password" button
4. user receives email with confirmation link
5. when user clicks on that link, he is brought to a password change form where he enters his new password (2 times) and is immediately logged in

This way user gets his password changed quickly and new password isn't sent by email.


NOTE: There is a need to add a hint to "Assign password automatically" configuration option under Configuration->Users:General section, saying:

"Not encrypted passwords will be send to user by email"

Currently it works this way:

1. user clicks "Forgot Password" link on login page
2. user enters his email or login
3. user presses "Send Password" button
4. user receives email with confirmation link
5. when user clicks on that link, then he is brought to confirmation page
6. when user clicks "Yes" on that confirmation page, then a new password is generated and sent to him by email (not too secure)
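
A server-side sketch of the proposed five-step flow, added here as an example; it is not In-Portal's code and not the attached patch. The names `ResetStore`, `RESET_TTL` and `hash_password`, the one-hour link lifetime, storing only a SHA-256 digest of the token, and PBKDF2 for the password hash are all assumptions.

```python
import hashlib
import secrets
import time

RESET_TTL = 3600  # assumed link lifetime in seconds; the issue does not specify one

def hash_password(password, salt=None):
    """Salted PBKDF2 hash (assumed scheme, not In-Portal's)."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt.hex() + "$" + dk.hex()

class ResetStore:
    """In-memory stand-in for the user table (hypothetical, not In-Portal's schema)."""
    def __init__(self):
        self.users = {}    # login -> {"email": ..., "pw_hash": ...}
        self.pending = {}  # sha256(token) -> (login, expires_at)

    def request_reset(self, login_or_email, now=None):
        """Steps 2-4: return the token to embed in the emailed link, or None."""
        now = time.time() if now is None else now
        for login, user in self.users.items():
            if login_or_email in (login, user["email"]):
                token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
                digest = hashlib.sha256(token.encode()).hexdigest()
                # Drop older pending links for this user so only the newest works.
                self.pending = {d: v for d, v in self.pending.items() if v[0] != login}
                self.pending[digest] = (login, now + RESET_TTL)
                return token  # only the digest is stored; no password is emailed
        return None  # caller should render the same response either way

    def confirm_reset(self, token, new_pw, repeat_pw, now=None):
        """Step 5: validate the link, set the user's chosen password, log in."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.get(digest)
        if entry is None or now > entry[1]:
            self.pending.pop(digest, None)
            return None  # unknown, already used, superseded, or expired link
        if not new_pw or new_pw != repeat_pw:
            return None  # form error: the link stays valid so the user can retry
        del self.pending[digest]  # single use
        self.users[entry[0]]["pw_hash"] = hash_password(new_pw)
        return entry[0]  # caller starts an authenticated session for this login

if __name__ == "__main__":
    store = ResetStore()  # constructed sample user below
    store.users["dmitry"] = {"email": "d@example.com", "pw_hash": hash_password("old")}
    link_token = store.request_reset("d@example.com")
    print(store.confirm_reset(link_token, "chosen by user", "chosen by user"))
```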
parent of 0001044closed  (5.1.3)alex Expiration of registration with "Email Activation" can't be changed 
related to 0001095closed  (5.1.3)alex Error messages are displayed on unrelated forms 
related to 0001201closed  (5.2.0)alex Fatal error during Installation on States import with MySQL in Strict Mode 
patch forgot_password_imporvements_core.patch (29,267) 2011-07-13 06:40
http://tracker.in-portal.org/file_download.php?file_id=1072&type=bug
patch forgot_password_imporvements_themes.patch (2,818) 2011-07-13 06:40
http://tracker.in-portal.org/file_download.php?file_id=1073&type=bug
Issue History
2012-07-25 05:33 alex Note Added: 0005076
2012-07-25 05:33 alex Status resolved => closed
2012-02-06 04:02 alex Relationship added related to 0001201
2011-10-22 05:41 alex Estimate Points => 2
2011-08-10 05:03 alex Relationship added related to 0001095
2011-07-13 06:42 alex Note Added: 0003631
2011-07-13 06:42 alex Status reviewed and tested => resolved
2011-07-13 06:42 alex Fixed in Version => 5.2.0-B1
2011-07-13 06:42 alex Resolution open => fixed
2011-07-13 06:42 alex Assigned To !COMMUNITY => alex
2011-07-13 06:42 alex Changeset attached 5.2.x r14472
2011-07-13 06:41 alex Changeset attached 1.2.x r14471
2011-07-13 06:41 alex Note Added: 0003630
2011-07-13 06:41 alex Status needs testing => reviewed and tested
2011-07-13 06:40 alex Assigned To => !COMMUNITY
2011-07-13 06:40 alex Developer => alex
2011-07-13 06:40 alex Status active => needs testing
2011-07-13 06:40 alex File Added: forgot_password_imporvements_themes.patch
2011-07-13 06:40 alex File Added: forgot_password_imporvements_core.patch
2011-07-13 06:39 alex Note Added: 0003629
2011-07-12 08:06 alex Relationship added parent of 0001044
2011-07-08 10:57 alex Target Version Icebox => 5.2.0
2010-12-13 12:45 alex Description Updated bug_revision_view_page.php?rev_id=638#r638
2010-12-13 12:42 alex Description Updated bug_revision_view_page.php?rev_id=637#r637
2010-12-13 10:32 Dmitry New Issue
2010-12-13 10:32 Dmitry Reference => https://groups.google.com/d/topic/in-portal-dev/lfqeAuXWWko/discussion
2010-12-13 10:32 Dmitry Change Log Message => Improved "Forgot Password" logic

Notes
(0003629)
alex   
2011-07-13 06:39   
Not obvious things in the patch:
1. password field now keeps password, when there is an error on a form (before you needed to re-enter password after each error) - now works, like in admin console
2. u:OnResetPasswordConfirmed and u:OnResetPassword events were removed
3. fields PassResetTime and MinPwResetDelay were removed from PortalUser table, since they weren't used anywhere
4. email events USER.PSWD (user and admin) were removed, since there is no longer a need to send a newly generated password to a user
5. field PwResetConfirm in PortalUser table made NOT NULL to comply with rules
6. changed translation of LU_TEXT_FORGOTPASSHASBEENRESET phrase to match new forgot password logic
7. u_TestCodeIsValid tag logic moved to UserHelper, so now it can be used where needed
8. session is no longer used in forgot password reset process (email event content isn't changed)
9. tags u_ActivationLink and u_ActivationUser changed, since they used fields from forgot password reset system
(0003630)
alex   
2011-07-13 06:41   
Will test later, but commit right now to ease merge process from 5.1.x branch.
(0003631)
alex   
2011-07-13 06:42   
Fix committed to 5.2.x branch. Commit Message:

Fixes 0000948: Change in "Forgot Password" logic
(0005076)
alex   
2012-07-25 05:33   
Since 5.2.0 version was released.