
Re: [Dolibarr-dev] Password of members


From: Xebax
Subject: Re: [Dolibarr-dev] Password of members
Date: Sat, 25 Jun 2016 12:32:29 +0200
User-agent: Mutt/1.6.0 (2016-04-01)

On Saturday, 25 June 2016, Xebax wrote:
> On Friday, 24 June 2016, Laurent Destailleur (aka Eldy) wrote:
> > If you need the login id and not the password, just keep the password
> > empty. The password for members is not used. It is just an information
> > stored when there is need to use dolibarr as a password referential for
> > members.
> 
> Hi Laurent,
> 
> The login/id and the password are both mandatory.
> When creating a member, the password is automatically filled and if
> it is cleared, the member cannot be created.
> If the password is cleared when modifying a member, it is not modified
> at all (that's a bit strange, by the way, I had to check the DB to
> confirm this behavior).
> The only way I have found to clear the password is to set it to NULL
> with a query in DB.
> 
> Moreover I am very concerned about the password being stored in clear
> text for members. I see no point storing a hashed value for the users
> if the same password is stored in clear text in another table.
> 
> I propose two improvements:
> 
> 1) Add an option to the Members module: "Manage a password for
> members: Yes/No". This option would be visible only if "Manage a
> login/id for members" is enabled.
> 
> 2) Always store the encrypted/hashed password and add a method to
> check the password (this method should also be available in the web
> services).
> 
> What do you think about that?


This subject has already been discussed one year ago in the French
forum:
http://www.dolibarr.fr/forum/510-adherentsassociation/52193-mots-de-passe-dans-la-table-des-adherents

and also in Doliforge:
https://lists.nongnu.org/archive/html/dolibarr-bugtrack/2015-03/msg00053.html
https://lists.nongnu.org/archive/html/dolibarr-tasktrack/2015-03/msg00004.html

The option "Encrypt passwords in DB" is available in the configuration
but it is ignored. I think it's a bug. Do you agree with that? If you
are OK, I will enter an issue and try to fix it.

Have a nice day.
-- 
Xebax
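The two proposals in the thread (honour the "Encrypt passwords in DB" option and add a check method) sketched as an added PHP example; this is not Dolibarr's own code, and the class name, the in-memory row store standing in for the member table and the option flag are assumptions made for illustration.

```php
<?php
// Added example, not Dolibarr code: store a member password hashed when the
// "encrypt passwords in DB" option is on, and verify it without ever comparing
// against a clear-text column. The store, class and option are assumptions.
declare(strict_types=1);

final class MemberPasswordStore
{
    /** @var array<int, ?string> constructed stand-in for the member password column */
    private array $rows = [];

    public function __construct(private bool $encryptInDb) {}

    /** Store a password; refuse the empty string, hash when the option is on. */
    public function setPassword(int $memberId, string $plain): void
    {
        if ($plain === '') {
            throw new InvalidArgumentException('empty password');
        }
        $this->rows[$memberId] = $this->encryptInDb
            ? password_hash($plain, PASSWORD_DEFAULT)
            : $plain;
    }

    /** Explicitly clear the password, which the thread notes needed a manual SQL update. */
    public function clearPassword(int $memberId): void
    {
        $this->rows[$memberId] = null;
    }

    /** Check a candidate; a legacy clear-text row is upgraded to a hash on first success. */
    public function checkPassword(int $memberId, string $candidate): bool
    {
        $stored = $this->rows[$memberId] ?? null;
        if ($stored === null) {
            return false;
        }
        // Recognised hash (bcrypt/argon2): verify it; 'unknown' means a legacy clear-text value.
        if (password_get_info($stored)['algoName'] !== 'unknown') {
            return password_verify($candidate, $stored);
        }
        if (!hash_equals($stored, $candidate)) {
            return false;
        }
        if ($this->encryptInDb) {
            $this->rows[$memberId] = password_hash($candidate, PASSWORD_DEFAULT);
        }
        return true;
    }
}
```

A web-service login would call `checkPassword()` and never read the column back, so the clear-text value the thread objects to is only ever compared, never returned.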


