From: Laurent Destailleur (aka Eldy)
Subject: Re: [Dolibarr-dev] Password of members
Date: Sat, 25 Jun 2016 21:31:13 +0200
On Friday, 24 June 2016, Laurent Destailleur (aka Eldy) wrote:
> If you need the login id and not the password, just keep the password
> empty. The password for members is not used. It is just an information
> stored when there is need to use dolibarr as a password referential for
> members.
Hi Laurent,
The login/id and the password are both mandatory.
When creating a member, the password is automatically filled and if
it is cleared, the member cannot be created.
If the password is cleared when modifying a member, it is not modified
at all (that's a bit strange, by the way, I had to check the DB to
confirm this behavior).
The only way I have found to clear the password is to set it to NULL
with a query in DB.
Moreover I am very concerned about the password being stored in clear
text for members. I see no point storing a hashed value for the users
if the same password is stored in clear text in another table.
I propose two improvements:
1) Add an option to the Members module: "Manage a password for
members: Yes/No". This option would be visible only if "Manage a
login/id for members" is enabled.
2) Always store the encrypted/hashed password and add a method to
check the password (this method should also be available in the web
services).
What do you think about that?
--
Xebax
_______________________________________________
Dolibarr-dev mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev
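
One way the second proposal in the message above (store only a hash, plus a check method) could look in PHP, as an added example that is not part of the original message or of Dolibarr's code. The function names, the `pass` key and the sample rows are assumptions made for illustration; the sketch also covers rows that still hold a clear-text value, which are upgraded on the first successful check.

```php
<?php
// Added example. member_hash_password() and member_check_password() are
// hypothetical helpers, not Dolibarr functions; $member is a constructed row.

// Hash a password for storage. An empty value means "no password managed".
function member_hash_password(?string $plain): ?string
{
    if ($plain === null || $plain === '') {
        return null;
    }
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Check a submitted password. Rows that still hold a clear-text value are
// accepted once and immediately replaced by a hash (caller persists the row).
function member_check_password(array &$member, string $submitted): bool
{
    $stored = $member['pass'] ?? null;
    if ($stored === null || $stored === '' || $submitted === '') {
        return false; // no password set: never authenticate
    }
    if (password_get_info($stored)['algoName'] === 'unknown') {
        // Legacy clear-text value: constant-time compare, then upgrade.
        if (!hash_equals($stored, $submitted)) {
            return false;
        }
        $member['pass'] = password_hash($submitted, PASSWORD_DEFAULT);
        return true;
    }
    if (!password_verify($submitted, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $member['pass'] = password_hash($submitted, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample rows: one legacy clear-text value, one with no password.
$legacy = ['login' => 'member1', 'pass' => 'example-pass'];
$nopass = ['login' => 'member2', 'pass' => member_hash_password('')];

var_dump(member_check_password($legacy, 'wrong'));
var_dump(member_check_password($legacy, 'example-pass'));
var_dump($legacy['pass'] !== 'example-pass'); // stored value is now a hash
var_dump(member_check_password($legacy, 'example-pass'));
var_dump(member_check_password($nopass, ''));
```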