[32]Expansions to the User Management System (Draft)

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia


Post by masterchief » Sat Feb 16, 2008 1:00 am

1. INTRODUCTION

The user management system requires a number of features to supplement the growing need of community based sites, as well as allowing

2. SCOPE

A number of features are proposed:
  • Require acceptance of a user Agreement or Terms of Service
  • Set Reserved Usernames (e.g. webmaster, support, etc)
  • Disable numbers only for username (mix of number and letters OK), or have the ability to set a regular expression for username validation.
  • Required length for user username (e.g. min 5 characters long)
  • Required strength for user passwords (e.g. min 8 characters long)
  • Block an email via regular expression (eg @hotmail.com)
  • Block registration from certain ip's
  • Allow for an Extendible password encryption (eg MD5 or SHA1, etc)
  • Allow CSV/XML export/import of users
  • Ability to add simple additional fields at registration (possibly via an additional parameter field and custom xml definition)
  • Ability to require administrator approval of users following registration.
  • Ability to invite users to register (may include an interface to invite from your Gmail contacts, etc)
  • Force change password every X days, or on "next" login. (would just need a pwd_expiry date field)
  • Logging of events (failed attempts to log in, etc) (using JLog?)

3. TECHNICAL IMPLEMENTATION

Requires additional configuration settings. Would be best to move these out of global configuration and into the com_user preferences.

"Rules" and "Tests" simply need a configuration setting and appropriate code in the User Table check method. Others, such as forcing a password change, event logging, could be achieved with plugins.

Import/export features require additional view and methods.

4. IMPACTS

May introduce backward compatibility issues with existing users if they are trying to change their details.

5. REFERENCES

http://forum.joomla.org/index.php/topic ... #msg934669
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.
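
The "Rules" and "Tests" from the scope list in the post above, written as one standalone check. This is an added example, not Joomla code and not part of the original post; the configuration keys, the function name and the sample values are assumptions made for the sketch, and it needs the mbstring extension.

```php
<?php
// Hypothetical rule set; every key name here is an assumption, not a com_user setting.
$rules = [
    'reserved_usernames' => ['admin', 'webmaster', 'support'],
    'username_min'       => 5,
    'username_regex'     => '/^[a-z0-9_.-]+$/i',            // optional site-defined pattern
    'password_min'       => 8,
    'blocked_email'      => ['/@hotmail\.com$/i'],
    'blocked_ips'        => ['203.0.113.7', '2001:db8::1'], // documentation address ranges
];

/** Returns the names of all violated rules; an empty list means the input passes. */
function checkRegistration(array $rules, string $username, string $password,
                           string $email, string $ip): array
{
    $errors = [];
    $name = trim($username);

    // Compare reserved names case-insensitively so "WebMaster" is caught too.
    $reserved = array_map('mb_strtolower', $rules['reserved_usernames']);
    if (in_array(mb_strtolower($name), $reserved, true)) {
        $errors[] = 'username_reserved';
    }
    if (mb_strlen($name) < $rules['username_min']) {
        $errors[] = 'username_too_short';
    }
    // Digits only is rejected; a mix of digits and letters is fine.
    if (ctype_digit($name)) {
        $errors[] = 'username_numeric_only';
    }
    // preg_match() returns false for a broken pattern; anything but 1 fails (fail closed).
    if (!empty($rules['username_regex']) && preg_match($rules['username_regex'], $name) !== 1) {
        $errors[] = 'username_pattern';
    }
    if (mb_strlen($password) < $rules['password_min']) {
        $errors[] = 'password_too_short';
    }
    foreach ($rules['blocked_email'] as $pattern) {
        // A match (1) or a pattern error (false) both block the address.
        if (preg_match($pattern, trim($email)) !== 0) {
            $errors[] = 'email_blocked';
            break;
        }
    }
    // Compare addresses in packed binary form so different spellings of the
    // same IPv6 address are equal. An unparsable address is treated as blocked.
    $packed = @inet_pton($ip);
    foreach ($rules['blocked_ips'] as $blocked) {
        if ($packed === false || $packed === inet_pton($blocked)) {
            $errors[] = 'ip_blocked';
            break;
        }
    }
    return $errors;
}

// Constructed sample input: the first registration violates several rules, the second passes.
print_r(checkRegistration($rules, 'WebMaster', 'secret', 'a@hotmail.com', '2001:DB8:0:0::1'));
print_r(checkRegistration($rules, 'alice2008', 'correct horse', 'alice@example.org', '198.51.100.4'));
```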

Hackwar
Joomla! Virtuoso
Posts: 3788
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany

Re: Expansions to the User Management System (Draft)

Post by Hackwar » Sat Feb 16, 2008 11:54 am

Ok, so I'm adding my com_user stuff here.

1. Introduction
1.1 Scope
The scope of this document is to describe two changes to com_user in the frontend.
1.2 Objective of the document
The objective of this document is to give a basis for a discussion on two changes to com_user in the frontend.
1.3 General remarks
1.4 Definitions
1.5 License
GNU GPL
2. What is the current issue?
For community sites, com_user currently is not usable, especially not in Germany, since you can't delete your own account and since there is no possibility to agree to the terms and conditions of a site. In Germany there is the legal action of an „Abmahnung“, which in itself can become very expensive for a site owner. Adding a Terms of Service (in German it's called „Allgemeine Geschäftsbedingungen“) and the ability to delete one's own account would get those sites on the safe side again.
3. What are the proposed improvements?
Com_user needs the possibility to delete its own account from the frontend and the possibility to agree to terms of service upon registration. For the registration it would be nice to have a normal uncategorized article act as legal "Terms of Service".
4. Intention
The intention should be obvious.
5. Effects on...
5.1 Users
There should be no negative effect on the users.
5.2 3P extensions
There should be no effects on third party extensions.
5.3 Performance
There should be no effects on the performance.
com_user_0_1_hannes.zip
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

kesepian
Joomla! Apprentice
Posts: 21
Joined: Mon Feb 18, 2008 7:21 am

Delete account feature

Post by kesepian » Mon Feb 18, 2008 7:28 am

I always get email from users asking to delete their account from my Joomla sites. I myself found myself in the situation where I wanted to erase my account from a Joomla site, and I couldn't do that, because the User Menu doesn't have the ~Terminate/Delete my account~.

It is not a big change, nor even a creative one, but sure is an important one for users who want to keep their privacy or who have changed their mind and want to delete their account from a website.

LocaLizeR
Joomla! Explorer
Posts: 331
Joined: Thu Sep 15, 2005 4:44 am
Location: Hungary

Re: Delete account feature

Post by LocaLizeR » Mon Feb 18, 2008 9:17 am

Mike Noel released an extension called Unregister for Joomla! 1.0.x under GNU/GPL license. I found no information on his site about an update for Joomla! 1.5 or newer. Hopefully it will be updated.
Jozsef Tamas Herczeg // Member of the Hungarian Joomla Translation Team :: Follow me on Twitter: @jtherczeg
:: "Do not give fish to the hungry man teach him how to fish instead" ::

jwpmzijl
Joomla! Apprentice
Posts: 11
Joined: Tue Nov 15, 2005 4:48 pm

Re: Expansions to the User Management System (Draft)

Post by jwpmzijl » Mon Feb 18, 2008 10:25 am

Allow me to make a few remarks based upon my experience.
All recommendations by Hannes are valid. The possibility to present "legal stuff" before entering a site nowadays is a necessity for Euro-based countries (due to the marvelous mother of all bureaucracies "European Union").
But keep in mind that this legal stuff can also be presented off-line. I run 2 websites for clubs I'm involved in. Both present to each new member a registration form at the moment they join the club. In this "contract" they accept that they get a website account and agree to keep the e-mail address current. So this is in accordance with law. It just happens off-line.

I'm not saying that the above proposals should be skipped. Just make them configurable so we have the option to disable it.

Another point. The requested functionality is covered by Community builder. You need to consider which parts should be core Joomla and which parts can be left to 3p extensions.

kesepian
Joomla! Apprentice
Posts: 21
Joined: Mon Feb 18, 2008 7:21 am

Re: Delete account feature

Post by kesepian » Mon Feb 18, 2008 10:39 am

LocaLizeR wrote: Mike Noel released an extension called Unregister for Joomla! 1.0.x under GNU/GPL license. I found no information on his site about an update for Joomla! 1.5 or newer. Hopefully it will be updated.
Yeah, you're right.
Still, it would be great if this feature were a standard one. It is an improvement that will save admins from manually deleting every delete-account request.
http://kesepian.ro - Blog, not something else.

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia

Re: Expansions to the User Management System (Draft)

Post by masterchief » Mon Feb 18, 2008 11:56 am

In terms of users being able to opt out of a site, there are issues that arise if we delete a user completely. Other components might have set up data records based on that user. I'm just wondering if there are some ideas on how to handle that case. Maybe the table row is kept, then the email, username and name are reset to anonymous values?

A simple example would be if a person wanted to opt out of a site which supported FireBoard and they had made posts. Do you need to make provision to delete all their posts as well?

Regarding the extent of features, well, that's up to the community. Given the rise of the social networking scene it would seem appropriate for a lot of this basic user management level stuff to happen at the core level. But I'm open to other suggestions.

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia

Re: Delete account feature

Post by masterchief » Mon Feb 18, 2008 12:12 pm

kesepian, do you mind if I merge this topic in with this one:

http://forum.joomla.org/viewtopic.php?f=500&t=265672

We are covering similar ground there. You don't have to if you want to take a different direction with the topic.

Hackwar
Joomla! Virtuoso
Posts: 3788
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany

Re: Expansions to the User Management System (Draft)

Post by Hackwar » Mon Feb 18, 2008 12:41 pm

In Germany, deleting one's own account is a legal necessity, so I think it is really necessary to implement this into the core.

On the issue of not completely deleting users: I think we will have to really delete users. Third party components have to make preparations for this case and either delete the corresponding data completely or save the data in another manner. That's what we've got the onDeleteUser for, right?
Furthermore, I'd like to decouple the user system from the rest of Joomla and wrap the whole thing. This would reduce some queries and make it really possible to use other user management systems as a substitute for the built in system. I discussed this with Anthony and he wanted to write a whitepaper about it. :)

kesepian
Joomla! Apprentice
Posts: 21
Joined: Mon Feb 18, 2008 7:21 am

Re: Delete account feature

Post by kesepian » Mon Feb 18, 2008 4:12 pm

masterchief wrote:kesepian, do you mind if I merge this topic in with this one:

http://forum.joomla.org/viewtopic.php?f=500&t=265672

We are covering similar ground there. You don't have to if you want to take a different direction with the topic.
Yes, you may! Thank you, I didn't notice that someone posted this feature before :P

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia

Re: Expansions to the User Management System (Draft)

Post by masterchief » Tue Feb 19, 2008 1:06 am

Well, I think making pluggable user systems is out of scope for 1.x. Let's leave that till the 2.0 series because we need something that's an achievable result for 1.6.

So on the delete side of things, can someone point me to the text of the legal requirement? If it allows the user to be "neutralised" then I think this would be an easier first step. By that I mean we change the user record to a generic record and the only thing that would distinguish one from the other is the user ID. The join on the username might come up with "Deregistered user", and username and email can be nulled ??

For extensions to have to account for deletion of users is a big ask. Asking to account for the concept of a nulled user is more reasonable I should think. Then again, if you delete a user for a good reason, then maybe the 3PD should have to take this into account.

But the bottom line is what is the actual law that you need to comply with. That is what we need to understand first because it will also affect what the 3PD has to do with their data.

Thanks in advance for more input on this.

I'd also like ideas on how the actual terms of service is going to work.
Should this be a special article?
Does it need to be version controlled (in other words if you change it, do you need to know which users signed up on version 1, and which on version 2)?
... etc

mcsmom
Joomla! Exemplar
Posts: 7897
Joined: Thu Aug 18, 2005 8:43 pm
Location: New York

Re: Expansions to the User Management System (Draft)

Post by mcsmom » Sun Mar 02, 2008 12:14 pm

On the password issue, require change of password on first use is really important when you have bulk upload.

On TOS, I think you would probably need versioning and related records. In some cases if the TOS were changed you might need all of your users to agree again at their next login.
So we must fix our vision not merely on the negative expulsion of war, but upon the positive affirmation of peace. MLK 1964.
http://officialjoomlabook.com Get it at http://www.joomla.org/joomla-press-official-books.html Buy a book, support Joomla!.

derred
Joomla! Intern
Posts: 62
Joined: Fri Feb 15, 2008 2:07 am

[30]security and password verification

Post by derred » Tue Mar 04, 2008 11:24 am

Hi all,

I did use the search bar and I went thru some threads and I couldn't find this feature request.

My request will be regarding the password authentication, such as:

Current Password: *******

New password: *********
Confirm password: *******

together with built-in Captcha of course (if there is such a feature but no captcha, it will force some users to use some other login/user component such as CB and stuff).

I think this is a greatly important feature especially for single system but multi-users (1 PC-for-all/family/friends/house/whatever).

One instance could be, say, you log in and forget to log out of your session; within a certain timeframe before the server/Joomla clears out all logged-in users (say 60 minutes), anybody could easily change my password, since to update the password I only need to enter the new password and re-confirm.

I am no expert in Joomla, so pardon my noobness if there is any in my feature request.

I am motivated to write all this (even though I am no expert or experienced Joomla user) because I see the white paper feature request for Joomla 1.6. Hopefully this feature will be available in the future.

Thank you for your time and concern.

ps: is there by any chance, this will be available on Joomla 1.5.x ? Thank you in advance.
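
The check requested in the post above (the current password must be supplied before a change is accepted), combined with the "extendible password encryption" item from the first post. This is an added example, not Joomla code and not part of the original posts; the function names and the legacy storage format `md5(password . salt) . ':' . salt` are assumptions made for the sketch, and it needs the mbstring extension.

```php
<?php
/** Verify a password against an assumed legacy salted-MD5 record or a password_hash() record. */
function verifyStored(string $password, string $stored): bool
{
    // Assumed legacy format: 32 hex characters, a colon, then the salt.
    if (preg_match('/^([0-9a-f]{32}):(.+)$/', $stored, $m) === 1) {
        // hash_equals() compares in constant time.
        return hash_equals($m[1], md5($password . $m[2]));
    }
    return password_verify($password, $stored);
}

/**
 * Change a password only when the current one is supplied and correct.
 * Returns [true, newStoredHash] on success or [false, reason] on refusal.
 */
function changePassword(string $stored, string $current, string $new,
                        string $confirm, int $minLength = 8): array
{
    // An unattended logged-in session is not enough: the caller must know the password.
    if (!verifyStored($current, $stored)) {
        return [false, 'current_password_wrong'];
    }
    if (!hash_equals($new, $confirm)) {
        return [false, 'confirmation_mismatch'];
    }
    if (mb_strlen($new) < $minLength) {
        return [false, 'password_too_short'];
    }
    if (hash_equals($new, $current)) {
        return [false, 'password_unchanged'];
    }
    // Whatever scheme the old record used, the new one is written with the
    // current default algorithm, so legacy hashes are replaced on change.
    return [true, password_hash($new, PASSWORD_DEFAULT)];
}

// Constructed sample record in the assumed legacy format.
$salt   = 'Q3v9xK';
$stored = md5('old-secret' . $salt) . ':' . $salt;

// Wrong current password: the change is refused and the reason is printed.
var_dump(changePassword($stored, 'guess', 'N3w#passphrase', 'N3w#passphrase')[1]);

// Correct current password: a new hash is returned and verifies against the new password.
[$ok, $hash] = changePassword($stored, 'old-secret', 'N3w#passphrase', 'N3w#passphrase');
var_dump($ok, verifyStored('N3w#passphrase', $hash));
```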

kdevine
Joomla! Enthusiast
Posts: 200
Joined: Thu Mar 02, 2006 8:38 pm
Location: Baltimore, MD

Re: Expansions to the User Management System (Draft)

Post by kdevine » Wed Mar 05, 2008 6:05 pm

Jinx put in some pretty great hooks to JUser that allow developers to have custom parameters as well as custom properties. I wrote a plugin called UserMeta to take advantage of those hooks and facilitate extension of the user object.

http://joomlacode.org/gf/project/usermeta/

The plugin is really targeted for developers since it doesn't do much 'out of the box', only supplies the necessary files and means for customizing the user object. But it is possible using this method to add things like TOS acceptance and other additional fields on the registration form. It would be nice to have a more user friendly interface for non-developers but the plugin itself is pretty light and has very low impact on the code base.

3dentech
Joomla! Enthusiast
Posts: 120
Joined: Fri Feb 01, 2008 11:39 pm
Location: Brazil

Re: Expansions to the User Management System (Draft)

Post by 3dentech » Wed Mar 05, 2008 8:15 pm

Joomla uses phpGACL, which is a very powerful group management tool. I just don't know why we don't use its features to make group control work right; it would be great to have better access control. In my opinion Joomla user control must be made from scratch, and instead of a multi-level group control it should have a Linux-like multi-group system where every user could belong to N groups and each group has its read/write permissions for each component, session and category. It's not necessary to implement this for users, just for their groups; it would extend a lot of Joomla's power in building community sites.

It's important to:
  • Allow creation of custom groups
  • Remove and modify group permissions
thank you

JasynL1977
Joomla! Apprentice
Posts: 37
Joined: Thu Sep 06, 2007 5:14 pm

[12]Control Panel Security: (2) Password Strength

Post by JasynL1977 » Mon Mar 10, 2008 8:38 pm

The control panel seems to be an easy target for attack. I would incorporate the following...

2) Password strength (in which you can set the password rules)

JasynL1977
Joomla! Apprentice
Posts: 37
Joined: Thu Sep 06, 2007 5:14 pm

Re: security and password verification

Post by JasynL1977 » Mon Mar 10, 2008 9:37 pm

I do not think that the captcha idea is a good one, for handicap accessibility purposes. There's a lot of issues with captchas; they represent major usability issues.

derred
Joomla! Intern
Posts: 62
Joined: Fri Feb 15, 2008 2:07 am

Re: security and password verification

Post by derred » Mon Mar 10, 2008 10:48 pm

I see. Then forget the captcha. How about the verification though? Without verification anyone could change your password then?

JasynL1977
Joomla! Apprentice
Posts: 37
Joined: Thu Sep 06, 2007 5:14 pm

Re: security and password verification

Post by JasynL1977 » Tue Mar 11, 2008 6:18 pm

I think your other ideas are good; I just wanted to point out the problem with captchas, that was all.

derred
Joomla! Intern
Posts: 62
Joined: Fri Feb 15, 2008 2:07 am

Re: security and password verification

Post by derred » Wed Mar 12, 2008 12:17 am

I see, thank you! I just think security (not Joomla, but for users) should be one of the priorities. Hopefully this goes into their plan; it will be more delightful if this feature is applied to Joomla! 1.5

CirTap
Joomla! Explorer
Posts: 418
Joined: Mon Dec 12, 2005 5:34 pm

Re: security and password verification

Post by CirTap » Wed Mar 12, 2008 8:21 pm

derred wrote: anybody could easily change my password since to update password I only need to enter new password and re-confirm.
I might be wrong, but AFAIK if the user changes his/her password in the front-end it needs to be confirmed by mail. Unless this has happened, the old password remains active... or was it "reset password" only? The latter would allow you to "recover" and assign your own password again.
If you leave your mail app open, too, well, then .. ;)

CirTap
You can have programs written fast, well, and cheap, but you only get to pick 2 ...

"I love deadlines. I like the whooshing sound they make as they fly by." Douglas Adams

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia

Re: Expansions to the User Management System (Draft)

Post by masterchief » Wed Mar 19, 2008 11:55 am

Thanks 3dentech. ACL, while related, is being handled in separate topics.

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia

Re: [32]Expansions to the User Management System (Draft)

Post by masterchief » Sat Apr 19, 2008 9:40 am


torkil
Joomla! Guru
Posts: 726
Joined: Wed Aug 24, 2005 9:34 am
Location: Rørvik, Norway

Re: [32]Expansions to the User Management System (Draft)

Post by torkil » Fri May 23, 2008 9:09 am

Concerning passwords:

The fact that passwords in Joomla only can contain letters and numbers seems a bit weird to me. Why is this? Allowing characters like for instance "#%$ will only help increase password strength.

Beat
Joomla! Guru
Posts: 844
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: [32]Expansions to the User Management System (Draft)

Post by Beat » Fri May 23, 2008 9:15 am

torkil wrote:Concerning passwords:

The fact that passwords in Joomla only can contain letters and numbers seems a bit weird to me. Why is this? Allowing characters like for instance "#%$ will only help increase password strength.
Indeed a good point :)

I tested that any raw input passwords work fine in Joomla 1.5.3, so it's just removing the validation, and changing the input handling mode to RAW unfiltered.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

derred
Joomla! Intern
Posts: 62
Joined: Fri Feb 15, 2008 2:07 am

Re: [32]Expansions to the User Management System (Draft)

Post by derred » Fri Jul 11, 2008 7:40 am

Hi all,

Sorry for going off topic, but today I logged into Joomla's forum to view my posts and somehow my posts or threads are here. Does this mean my suggestion is taken into account or anything? Reading from the whole thread, it sounds like every post is technical and posted by developers except for mine.

So I am confused, could it be a merged topic or somehow bugged or anything? Pardon my newbieness, I am here to learn and experience :)

Please advise, thank you.

icandy
Joomla! Apprentice
Posts: 9
Joined: Sun Mar 16, 2008 11:06 pm

Re: [32]Expansions to the User Management System (Draft)

Post by icandy » Sun Aug 17, 2008 1:47 am

Does anyone know the status on this? All these features are exactly what I want. But I don't want to wait ;) Tell me this has already been done and I can download it somewhere! *ever hopeful*

deilert
Joomla! Apprentice
Posts: 12
Joined: Mon Oct 09, 2006 8:26 pm

Re: [32]Expansions to the User Management System (Draft)

Post by deilert » Mon Nov 10, 2008 11:00 pm

I'd also be interested in the status...
masterchief wrote:Ability to require administrator approval of users following registration.
This is what I'm seeking as well - see my post

leowyc
Joomla! Apprentice
Posts: 6
Joined: Tue Aug 12, 2008 9:19 am

Re: [32]Expansions to the User Management System (Draft)

Post by leowyc » Tue Nov 18, 2008 10:04 am

Any progress for these features? I've just upgraded to 1.5.8 but it seems like it's just a security patch.

Tonie
Joomla! Master
Posts: 16553
Joined: Thu Aug 18, 2005 7:13 am

Re: [32]Expansions to the User Management System (Draft)

Post by Tonie » Tue Nov 18, 2008 10:05 am

This is no feature that is going to be added to the 1.5.x series.

