[32]Expansions to the User Management System (Draft)

User avatar
masterchief
Joomla! Hero
Joomla! Hero
Posts: 2316
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia
Contact:

[32]Expansions to the User Management System (Draft)

Post by masterchief » Sat Feb 16, 2008 1:00 am

1. INTRODUCTION

The user management system requires a number of features to supplement the growing need of community based sites, as well as allowing

2. SCOPE

A number of features are proposed:
  • Require acceptance of a user Agreement or Terms of Service
  • Set Reserved Usernames (e.g. webmaster, support, etc)
  • Disable numbers only for username (mix of number and letters OK), or have the ability to set a regular expression for username validation.
  • Required length for user username (e.g. min 5 characters long)
  • Required strength for user passwords (e.g. min 8 characters long)
  • Block an email via regular expression (eg @hotmail.com)
  • Block registration from certain ip's
  • Allow for an Extendible password encryption (eg MD5 or SHA1, etc)
  • Allow CSV/XML export/import of users
  • Ability to add simple additional fields at registration (possibly via an additional parameter field and custom xml definition)
  • Ability to require administrator approval of users following registration.
  • Ability to invite users to register (may include an interface to invite from your Gmail contacts, etc)
  • Force change password every X days, or on "next" login. (would just need a pwd_expiry date field)
  • Logging of events (failed attempts to log in, etc) (using JLog?)
3. TECHNICAL IMPLEMENTATION

Requires addition configuration settings. Would be best to move these out of global configuration and into the com_user preferences.

"Rules" and "Tests" simply need a configuration setting and appropriate code in the User Table check method. Others, such as forcing a password change, event logging, could be achieved with plugins.

Import/export features require additional view and methods.

4. IMPACTS

May introduce backward compatibility issues with existing users if they are trying to change their details.

5. REFERENCES

http://forum.joomla.org/index.php/topic ... #msg934669
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

User avatar
Hackwar
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3763
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany
Contact:

Re: Expansions to the User Management System (Draft)

Post by Hackwar » Sat Feb 16, 2008 11:54 am

Ok, so I'm adding my com_user stuff here.

1. Introduction
1.1 Scope
The scope of this document is to describe two changes to com_user in the frontend.
1.2 Objective of the document
The objective of this document is to give a basis for a discussion on two changes to com_user in the frontend.
1.3 General remarks
1.4 Definitions
1.5 License
GNU GPL
2. What is the current issue?
For community sites, com_user currently is not usable, especially not in Germany, since you can't delete your own account and since there is no possibility to agree to the terms and conditions of a site. In Germany there is the legal action of an „Abmahnung“, which in itself can become very expensive for a site owner. Adding a Terms of Serivce (in german its called an „Allgemeine Geschäftsbedingungen“) and the ability to delete its own account would get those sites on the safe side again.
3. What are the proposed improvements?
Com_user needs the possibility to delete its own account from the frontend and the possibility to agree to terms of service upon registration. For the registration it would be nice to have a normal uncategorized article act as legal "Terms of Service".
4. Intention
The intention should be obvious.
5. Effects on...
5.1 Users
There should be no negative effect on the users.
5.2 3P extensions
There should be no effects on third party extensions.
5.3 Performance
There should be no effects on the performance.
com_user_0_1_hannes.zip
You do not have the required permissions to view the files attached to this post.
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

kesepian
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Mon Feb 18, 2008 7:21 am
Contact:

Delete account feature

Post by kesepian » Mon Feb 18, 2008 7:28 am

I always get email from users asking for delete their account from my Joomla sites. I myself find in the situation when I wanted to erase my account from a Joomla site, and I couldnt do that, because the User Menu doesnt have the ~Terminate/Delete my account~.

It is not a big change, nor even a creative one, but sure is an important one for users who want to keep their privacy or who have changed their mind and want to delete their account from a website.

User avatar
LocaLizeR
Joomla! Explorer
Joomla! Explorer
Posts: 331
Joined: Thu Sep 15, 2005 4:44 am
Location: Hungary
Contact:

Re: Delete account feature

Post by LocaLizeR » Mon Feb 18, 2008 9:17 am

Mike Noel released an extension called Unregister for Joomla! 1.0.x under GNU/GPL license. I found no information on his site about an update for Joomla! 1.5 or newer. Hopefully it will be updated.
Jozsef Tamas Herczeg // Member of the Hungarian Joomla Translation Team :: Follow me on Twitter: @jtherczeg
:: "Do not give fish to the hungry man teach him how to fish instead" ::

jwpmzijl
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Tue Nov 15, 2005 4:48 pm

Re: Expansions to the User Management System (Draft)

Post by jwpmzijl » Mon Feb 18, 2008 10:25 am

Allow me to make a few remarks based upon my experience.
[list]All recommendations by Hannes are valid. The possibility to present "legal stuf" before entering a site nowadays is a neccessity for Euro-based countries (due to the marvelous mother of all burocracies "European Union"). [/list]
But keep in mind that this legal stuf can also be presented off-line. I run 2 websites for clubs i'm involved in. Both present to each new member a registration form at the moment they join the club. In this "contract" they accept that they get a website account and agree to keep the E-mail adres current. So this is in accordance with law. It just happens off-line.

I'm not saying that the above proposals should be skipped. Just make them configurable so we have the option to disable it.

Another point. The requested functionality is covered by Community builder. You need to consider which parts should be core Joomla and which parts can be left to 3p extensions.

kesepian
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Mon Feb 18, 2008 7:21 am
Contact:

Re: Delete account feature

Post by kesepian » Mon Feb 18, 2008 10:39 am

LocALiceR wrote:Mike Noel released an extension called Unregister for Joomla! 1.0.x under GNU/GPL license. I found no information on his site about an update for Joomla! 1.5 or newer. Hopefully it will be updated.
Yeah, you're right.
Still, it would be great if this feature will be a standard one. It is an improvement that will save admins for manually delete every delete account request.
http://kesepian.ro - Blog, not something else.

User avatar
masterchief
Joomla! Hero
Joomla! Hero
Posts: 2316
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia
Contact:

Re: Expansions to the User Management System (Draft)

Post by masterchief » Mon Feb 18, 2008 11:56 am

In terms of users being able to opt out of a site, there are issues that arise if we delete a user complete. Other components might have set up data records based on that user. I'm just wondering if there are some ideas on how to handle that case. Maybe the table row is kept, the the email, username and name are reset to anonymous values?

A simple example would be if a person wanted to opt out of a site which supported FireBoard and they had made posts. Do you need to make provision to delete all their posts as well?

Regarding the extent of features, well, that's up to the community. Given the rise of the social networking scene it would seem appropriate for a lot of this basic user management level stuff to happen at the core level. But I'm open to other suggestions.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

User avatar
masterchief
Joomla! Hero
Joomla! Hero
Posts: 2316
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia
Contact:

Re: Delete account feature

Post by masterchief » Mon Feb 18, 2008 12:12 pm

kesepian, do you mind if I merge this topic in with this one:

http://forum.joomla.org/viewtopic.php?f=500&t=265672

We are covering similar ground there. You don't have to if you want to take a different direction with the topic.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

User avatar
Hackwar
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3763
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany
Contact:

Re: Expansions to the User Management System (Draft)

Post by Hackwar » Mon Feb 18, 2008 12:41 pm

In germany, deleting the own account is a legal necessity, so I think it is really necessary to implement this into the core.

On the issue of not completely deleting users: I think we will have to really delete users. Third party components have to make preparations for this case and either delete the corresponding data completely or save the data in another manner. Thats what we've got the onDeleteUser for, right?
Furthermore, I'd like to decouple the user system from the rest of Joomla and wrap the whole thing. This would reduce some queries and make it really possible to use other user management systems as a substitute for the built in system. I discussed this with Anthony and he wanted to write a whitepaper about it. :)
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

kesepian
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Mon Feb 18, 2008 7:21 am
Contact:

Re: Delete account feature

Post by kesepian » Mon Feb 18, 2008 4:12 pm

masterchief wrote:kesepian, do you mind if I merge this topic in with this one:

http://forum.joomla.org/viewtopic.php?f=500&t=265672

We are covering similar ground there. You don't have to if you want to take a different direction with the topic.
Yes, you may! Thank you, I didnt noticed that someone posted this feature before :P
http://kesepian.ro - Blog, not something else.

User avatar
masterchief
Joomla! Hero
Joomla! Hero
Posts: 2316
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia
Contact:

Re: Expansions to the User Management System (Draft)

Post by masterchief » Tue Feb 19, 2008 1:06 am

Well, I think making pluggable user systems is out of scope for 1.x. Let's leave that till the 2.0 series because we need something that's an achievable result for 1.6.

So on the delete side of things, can someone point me to the text of the legal requirement. If it allows the user to be "neutralised" then I think this would be an easier first step. By that I mean we change the user record to a generic record and the only think that would distinguish one from the other is the user ID. The join on the username might come up with "Deregistered user", and username and email can be nulled ??

For extensions to have to account for deletion of users is a big ask. Asking to account for the concept of a nulled user if more reasonable I should think. Then again, if you delete a user for a good reason, then maybe the 3PD should have to take this into account.

But the bottom line is what is the actual law that you need to comply with. That is what we need to understand first because it will also affect what the 3PD has to do with their data.

Thanks in advance for more input on this.

I'd also like ideas on how the actual terms of service is going to work.
Should this be a special article?
Does it need to be version controlled (in other words if you change it, do you need to know which users signed up on version 1, and which on version 2)?
... etc
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

User avatar
mcsmom
Joomla! Exemplar
Joomla! Exemplar
Posts: 7985
Joined: Thu Aug 18, 2005 8:43 pm
Location: New York
Contact:

Re: Expansions to the User Management System (Draft)

Post by mcsmom » Sun Mar 02, 2008 12:14 pm

On the password issue, require change of password on first use is really important when you have bulk upload.

On TOS, I think you would probably need versioning and related records. In some cases if the TOS were changed you might need all of your users to agree again at their next login.
So we must fix our vision not merely on the negative expulsion of war, but upon the positive affirmation of peace. MLK 1964.
http://officialjoomlabook.com Get it at http://www.joomla.org/joomla-press-official-books.html Buy a book, support Joomla!.

derred
Joomla! Intern
Joomla! Intern
Posts: 62
Joined: Fri Feb 15, 2008 2:07 am

[30]security and password verification

Post by derred » Tue Mar 04, 2008 11:24 am

Hi all,

I did use the search bar and I went thru some threads and I couldn't find this feature request.

My request will be regarding the password authentication, such as:

Current Password: *******
***** Manual signatures are NOT allowed ********** Manual signatures are NOT allowed *****

New password: *********
Confirm password: *******

together with built-in Captcha of course (if there is such feature but no captcha, it will force some users to use some other login/user component such CB and stuff).

I think this is a greatly important feature especially for single system but multi-users (1 PC-for-all/family/friends/house/whatever).

One of instance can be say you log-in and forget to log-out your session, within certain timeframe before the server/joomla clears out all log-in users (say 60 minutes), anybody could easily change my password since to update password I only need to enter new password and re-confirm.

I am no expert in Joomla, so pardon my noobness if there is any in my feature request.

I am motivated to write all this (even though I am no expert or experienced Joomla user) because I see the white paper feature request for Joomla 1.6. Hopefully this feature will be available in the future.

Thank you for your time and concern.

ps: is there by any chance, this will be available on Joomla 1.5.x ? Thank you in advance.

kdevine
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 200
Joined: Thu Mar 02, 2006 8:38 pm
Location: Baltimore, MD

Re: Expansions to the User Management System (Draft)

Post by kdevine » Wed Mar 05, 2008 6:05 pm

Jinx put in some pretty great hooks to JUser that allow developers to have custom parameters as well as custom properties. I wrote a plugin called UserMeta to take advantage of those hooks and facilitate extension of the user object.

http://joomlacode.org/gf/project/usermeta/

The plugin is really targeted for developers since it doesn't do much 'out of the box', only supplies the necessary files and means for customizing the user object. But it is possible using this method to add things like TOS acceptance and other additional fields on the registration form. It would be nice to have a more user friendly interface for non-developers but the plugin itself it pretty light and has very low impact on the code base.

User avatar
3dentech
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 120
Joined: Fri Feb 01, 2008 11:39 pm
Location: Brazil
Contact:

Re: Expansions to the User Management System (Draft)

Post by 3dentech » Wed Mar 05, 2008 8:15 pm

Joomla uses phpGACL which is a very powerful group management tool, i just dont know why we dont use its features to make group control works right, should be great to have a better access control. In my opinion joomla user control must be make from the scratch and intead of a multi-level group control it should have a linux like multi-group system where every user could belong to N groups and each group has its read/write permitions for each component, session and category. Its not not necessary to implement this to user just to its groups it would extend alot of joomla power on building community sites

Its important to:
  • Allow creation of custom groups
  • Remove and Modify group permitions
tank u

JasynL1977
Joomla! Apprentice
Joomla! Apprentice
Posts: 37
Joined: Thu Sep 06, 2007 5:14 pm

[12]Control Panel Security: (2) Password Strength

Post by JasynL1977 » Mon Mar 10, 2008 8:38 pm

The control panel seems to be an easy target for attack. I would incorporate the following...

2) Password strength (in which you can set the password rules)

JasynL1977
Joomla! Apprentice
Joomla! Apprentice
Posts: 37
Joined: Thu Sep 06, 2007 5:14 pm

Re: security and password verification

Post by JasynL1977 » Mon Mar 10, 2008 9:37 pm

I do not think that the captcha idea is a good one, for handicap accessibility purposes. There's a lot of issues with captchas; they represent major usability issues.

derred
Joomla! Intern
Joomla! Intern
Posts: 62
Joined: Fri Feb 15, 2008 2:07 am

Re: security and password verification

Post by derred » Mon Mar 10, 2008 10:48 pm

i see. Then forget the captcha. How about the verification though? Without verification anyone could change your password then?

JasynL1977
Joomla! Apprentice
Joomla! Apprentice
Posts: 37
Joined: Thu Sep 06, 2007 5:14 pm

Re: security and password verification

Post by JasynL1977 » Tue Mar 11, 2008 6:18 pm

I think your other ideas are good; I just wanted to point out the problem with captchas, that was all.

derred
Joomla! Intern
Joomla! Intern
Posts: 62
Joined: Fri Feb 15, 2008 2:07 am

Re: security and password verification

Post by derred » Wed Mar 12, 2008 12:17 am

I see thank you! I just think security (not Joomla, but for users) should be one of the priorities. Hopefully this goes into their plan, will be more delightful if this feature applied into Joomla! 1.5

User avatar
CirTap
Joomla! Explorer
Joomla! Explorer
Posts: 418
Joined: Mon Dec 12, 2005 5:34 pm

Re: security and password verification

Post by CirTap » Wed Mar 12, 2008 8:21 pm

derred wrote: anybody could easily change my password since to update password I only need to enter new password and re-confirm.
I might be wrong, but AFAIK if the user changes his/her password in the front-end it needs to be confirmed by mail. Unless this has happened, the old password remains active... or was it "reset password" only? The latter would allow you to "recover" and assign your own password again.
If you leave your mail app open, too, well, then .. ;)

CirTap
You can have programs written fast, well, and cheap, but you only get to pick 2 ...

"I love deadlines. I like the whooshing sound they make as they fly by." Douglas Adams

User avatar
masterchief
Joomla! Hero
Joomla! Hero
Posts: 2316
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia
Contact:

Re: Expansions to the User Management System (Draft)

Post by masterchief » Wed Mar 19, 2008 11:55 am

Thanks 3dentech. ACL, while related, is being handled in separate topics.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

User avatar
masterchief
Joomla! Hero
Joomla! Hero
Posts: 2316
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia
Contact:

Re: [32]Expansions to the User Management System (Draft)

Post by masterchief » Sat Apr 19, 2008 9:40 am

Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

User avatar
torkil
Joomla! Guru
Joomla! Guru
Posts: 726
Joined: Wed Aug 24, 2005 9:34 am
Location: Rørvik, Norway
Contact:

Re: [32]Expansions to the User Management System (Draft)

Post by torkil » Fri May 23, 2008 9:09 am

Concerning passwords:

The fact that passwords in Joomla only can contain letters and numbers seems a bit weird to me. Why is this? Allowing characters like for instance "#%$ will only help increase password strength.

User avatar
Beat
Joomla! Guru
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland
Contact:

Re: [32]Expansions to the User Management System (Draft)

Post by Beat » Fri May 23, 2008 9:15 am

torkil wrote:Concerning passwords:

The fact that passwords in Joomla only can contain letters and numbers seems a bit weird to me. Why is this? Allowing characters like for instance "#%$ will only help increase password strength.
Indeed a good point :)

I tested that any raw input passwords work fine in Joomla 1.5.3, so it's just removing the validation, and changing the input handling mode to RAW unfiltered.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

derred
Joomla! Intern
Joomla! Intern
Posts: 62
Joined: Fri Feb 15, 2008 2:07 am

Re: [32]Expansions to the User Management System (Draft)

Post by derred » Fri Jul 11, 2008 7:40 am

Hi all,

Sorry for going off topic, but today I login into joomla's forum to view my posts and somehow my posts or threads are here. Is this means my suggestion is taken into account or anything? Reading from the whole thread sounds like every post is technical and post by developers except for mine.

So I am confused, could it be merged topic or somehow, bugged or anything? Pardon my newbieness, I am here to learn and experience :)

Please advice thank you.

icandy
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Sun Mar 16, 2008 11:06 pm

Re: [32]Expansions to the User Management System (Draft)

Post by icandy » Sun Aug 17, 2008 1:47 am

Does anyone know the status on this? All these features are exactly what I want. But I dont want to wait ;) Tell me this has already been done and I can download it somewhere! *ever hopeful*

User avatar
deilert
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Mon Oct 09, 2006 8:26 pm

Re: [32]Expansions to the User Management System (Draft)

Post by deilert » Mon Nov 10, 2008 11:00 pm

I'd also be interested in the status...
masterchief wrote:Ability to require administrator approval of users following registration.
This is what I'm seeking as well - see my post

leowyc
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Tue Aug 12, 2008 9:19 am

Re: [32]Expansions to the User Management System (Draft)

Post by leowyc » Tue Nov 18, 2008 10:04 am

Any progress for these features? I've just upgraded to 1.5.8 but seem like it's just a security patch.

User avatar
Tonie
Joomla! Master
Joomla! Master
Posts: 16584
Joined: Thu Aug 18, 2005 7:13 am

Re: [32]Expansions to the User Management System (Draft)

Post by Tonie » Tue Nov 18, 2008 10:05 am

This is no feature that is going to be added to the 1.5.x series.


Locked

Return to “Accepted - Archived”