[32]Expansions to the User Management System (Draft)

Posted: Sat Feb 16, 2008 1:00 am
by masterchief
1. INTRODUCTION

The user management system requires a number of features to supplement the growing need of community based sites, as well as allowing

2. SCOPE

A number of features are proposed:
  • Require acceptance of a user Agreement or Terms of Service
  • Set Reserved Usernames (e.g. webmaster, support, etc)
  • Disable numbers only for username (mix of number and letters OK), or have the ability to set a regular expression for username validation.
  • Required length for user username (e.g. min 5 characters long)
  • Required strength for user passwords (e.g. min 8 characters long)
  • Block an email via regular expression (eg @hotmail.com)
  • Block registration from certain IPs
  • Allow for an Extendible password encryption (eg MD5 or SHA1, etc)
  • Allow CSV/XML export/import of users
  • Ability to add simple additional fields at registration (possibly via an additional parameter field and custom xml definition)
  • Ability to require administrator approval of users following registration.
  • Ability to invite users to register (may include an interface to invite from your Gmail contacts, etc)
  • Force change password every X days, or on "next" login. (would just need a pwd_expiry date field)
  • Logging of events (failed attempts to log in, etc) (using JLog?)
3. TECHNICAL IMPLEMENTATION

Requires additional configuration settings. Would be best to move these out of global configuration and into the com_user preferences.

"Rules" and "Tests" simply need a configuration setting and appropriate code in the User Table check method. Others, such as forcing a password change, event logging, could be achieved with plugins.

Import/export features require additional view and methods.

4. IMPACTS

May introduce backward compatibility issues with existing users if they are trying to change their details.

5. REFERENCES

http://forum.joomla.org/index.php/topic ... #msg934669
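
The "Rules" and "Tests" from the scope list in the post above, written out as a single check function. This is an added example, not part of the original post and not Joomla's code; the function name, the rule keys and the sample values are all hypothetical.

```php
<?php
// Added example, not Joomla code; rule names and sample values are hypothetical.

function checkRegistration(array $rules, array $input): array
{
    $errors = [];
    $username = trim($input['username']);
    // Reserved names are compared case-insensitively so "WebMaster" is caught too.
    if (in_array(strtolower($username), array_map('strtolower', $rules['reserved_usernames']), true)) {
        $errors[] = 'username is reserved';
    }
    if (strlen($username) < $rules['min_username_length']) {
        $errors[] = 'username too short';
    }
    // Digits-only names are rejected; a mix of digits and letters passes.
    if ($rules['disallow_numeric_username'] && ctype_digit($username)) {
        $errors[] = 'username must not be numbers only';
    }
    // Optional site-defined pattern; ^ and $ make it apply to the whole name.
    if ($rules['username_regex'] !== null && !preg_match($rules['username_regex'], $username)) {
        $errors[] = 'username has invalid format';
    }
    if (strlen($input['password']) < $rules['min_password_length']) {
        $errors[] = 'password too short';
    }
    // Patterns should be anchored at the end and case-insensitive, otherwise
    // "@HOTMAIL.com" slips past a rule written for "@hotmail.com".
    foreach ($rules['blocked_email_patterns'] as $pattern) {
        if (preg_match($pattern, $input['email'])) {
            $errors[] = 'email address is not accepted';
            break;
        }
    }
    if (in_array($input['ip'], $rules['blocked_ips'], true)) {
        $errors[] = 'registration is blocked for this address';
    }
    if ($rules['require_tos'] && empty($input['tos_accepted'])) {
        $errors[] = 'terms of service must be accepted';
    }
    return $errors;
}

// Constructed sample configuration and registration attempt.
$rules = [
    'reserved_usernames'        => ['webmaster', 'support'],
    'min_username_length'       => 5,
    'disallow_numeric_username' => true,
    'username_regex'            => '/^[A-Za-z0-9_.-]+$/',
    'min_password_length'       => 8,
    'blocked_email_patterns'    => ['/@hotmail\.com$/i'],
    'blocked_ips'               => ['203.0.113.7'],
    'require_tos'               => true,
];
$input = ['username' => 'Support', 'password' => 'short', 'email' => 'a@HOTMAIL.com',
          'ip' => '203.0.113.7', 'tos_accepted' => false];
print_r(checkRegistration($rules, $input));
```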

Re: Expansions to the User Management System (Draft)

Posted: Sat Feb 16, 2008 11:54 am
by Hackwar
Ok, so I'm adding my com_user stuff here.

1. Introduction
1.1 Scope
The scope of this document is to describe two changes to com_user in the frontend.
1.2 Objective of the document
The objective of this document is to give a basis for a discussion on two changes to com_user in the frontend.
1.3 General remarks
1.4 Definitions
1.5 License
GNU GPL
2. What is the current issue?
For community sites, com_user currently is not usable, especially not in Germany, since you can't delete your own account and since there is no possibility to agree to the terms and conditions of a site. In Germany there is the legal action of an „Abmahnung“, which in itself can become very expensive for a site owner. Adding a Terms of Service (in German it's called an „Allgemeine Geschäftsbedingungen“) and the ability to delete its own account would get those sites on the safe side again.
3. What are the proposed improvements?
Com_user needs the possibility to delete its own account from the frontend and the possibility to agree to terms of service upon registration. For the registration it would be nice to have a normal uncategorized article act as legal "Terms of Service".
4. Intention
The intention should be obvious.
5. Effects on...
5.1 Users
There should be no negative effect on the users.
5.2 3P extensions
There should be no effects on third party extensions.
5.3 Performance
There should be no effects on the performance.
com_user_0_1_hannes.zip

Delete account feature

Posted: Mon Feb 18, 2008 7:28 am
by kesepian
I always get email from users asking to delete their account from my Joomla sites. I myself found myself in the situation when I wanted to erase my account from a Joomla site, and I couldn't do that, because the User Menu doesn't have the ~Terminate/Delete my account~.

It is not a big change, nor even a creative one, but sure is an important one for users who want to keep their privacy or who have changed their mind and want to delete their account from a website.

Re: Delete account feature

Posted: Mon Feb 18, 2008 9:17 am
by LocaLizeR
Mike Noel released an extension called Unregister for Joomla! 1.0.x under GNU/GPL license. I found no information on his site about an update for Joomla! 1.5 or newer. Hopefully it will be updated.

Re: Expansions to the User Management System (Draft)

Posted: Mon Feb 18, 2008 10:25 am
by jwpmzijl
Allow me to make a few remarks based upon my experience.
  • All recommendations by Hannes are valid. The possibility to present "legal stuff" before entering a site nowadays is a necessity for Euro-based countries (due to the marvelous mother of all bureaucracies "European Union").
But keep in mind that this legal stuff can also be presented off-line. I run 2 websites for clubs I'm involved in. Both present to each new member a registration form at the moment they join the club. In this "contract" they accept that they get a website account and agree to keep the e-mail address current. So this is in accordance with law. It just happens off-line.

I'm not saying that the above proposals should be skipped. Just make them configurable so we have the option to disable it.

Another point. The requested functionality is covered by Community builder. You need to consider which parts should be core Joomla and which parts can be left to 3p extensions.

Re: Delete account feature

Posted: Mon Feb 18, 2008 10:39 am
by kesepian
LocALiceR wrote:Mike Noel released an extension called Unregister for Joomla! 1.0.x under GNU/GPL license. I found no information on his site about an update for Joomla! 1.5 or newer. Hopefully it will be updated.
Yeah, you're right.
Still, it would be great if this feature were a standard one. It is an improvement that will save admins from manually deleting every delete-account request.

Re: Expansions to the User Management System (Draft)

Posted: Mon Feb 18, 2008 11:56 am
by masterchief
In terms of users being able to opt out of a site, there are issues that arise if we delete a user completely. Other components might have set up data records based on that user. I'm just wondering if there are some ideas on how to handle that case. Maybe the table row is kept, then the email, username and name are reset to anonymous values?

A simple example would be if a person wanted to opt out of a site which supported FireBoard and they had made posts. Do you need to make provision to delete all their posts as well?

Regarding the extent of features, well, that's up to the community. Given the rise of the social networking scene it would seem appropriate for a lot of this basic user management level stuff to happen at the core level. But I'm open to other suggestions.

Re: Delete account feature

Posted: Mon Feb 18, 2008 12:12 pm
by masterchief
kesepian, do you mind if I merge this topic in with this one:

http://forum.joomla.org/viewtopic.php?f=500&t=265672

We are covering similar ground there. You don't have to if you want to take a different direction with the topic.

Re: Expansions to the User Management System (Draft)

Posted: Mon Feb 18, 2008 12:41 pm
by Hackwar
In Germany, deleting one's own account is a legal necessity, so I think it is really necessary to implement this into the core.

On the issue of not completely deleting users: I think we will have to really delete users. Third party components have to make preparations for this case and either delete the corresponding data completely or save the data in another manner. That's what we've got the onDeleteUser for, right?
Furthermore, I'd like to decouple the user system from the rest of Joomla and wrap the whole thing. This would reduce some queries and make it really possible to use other user management systems as a substitute for the built in system. I discussed this with Anthony and he wanted to write a whitepaper about it. :)

Re: Delete account feature

Posted: Mon Feb 18, 2008 4:12 pm
by kesepian
masterchief wrote:kesepian, do you mind if I merge this topic in with this one:

http://forum.joomla.org/viewtopic.php?f=500&t=265672

We are covering similar ground there. You don't have to if you want to take a different direction with the topic.
Yes, you may! Thank you, I didn't notice that someone posted this feature before :P

Re: Expansions to the User Management System (Draft)

Posted: Tue Feb 19, 2008 1:06 am
by masterchief
Well, I think making pluggable user systems is out of scope for 1.x. Let's leave that till the 2.0 series because we need something that's an achievable result for 1.6.

So on the delete side of things, can someone point me to the text of the legal requirement. If it allows the user to be "neutralised" then I think this would be an easier first step. By that I mean we change the user record to a generic record and the only thing that would distinguish one from the other is the user ID. The join on the username might come up with "Deregistered user", and username and email can be nulled ??

For extensions to have to account for deletion of users is a big ask. Asking to account for the concept of a nulled user is more reasonable I should think. Then again, if you delete a user for a good reason, then maybe the 3PD should have to take this into account.

But the bottom line is what is the actual law that you need to comply with. That is what we need to understand first because it will also affect what the 3PD has to do with their data.

Thanks in advance for more input on this.

I'd also like ideas on how the actual terms of service is going to work.
Should this be a special article?
Does it need to be version controlled (in other words if you change it, do you need to know which users signed up on version 1, and which on version 2)?
... etc

Re: Expansions to the User Management System (Draft)

Posted: Sun Mar 02, 2008 12:14 pm
by mcsmom
On the password issue, require change of password on first use is really important when you have bulk upload.

On TOS, I think you would probably need versioning and related records. In some cases if the TOS were changed you might need all of your users to agree again at their next login.

[30]security and password verification

Posted: Tue Mar 04, 2008 11:24 am
by derred
Hi all,

I did use the search bar and I went thru some threads and I couldn't find this feature request.

My request will be regarding the password authentication, such as:

Current Password: *******

New password: *********
Confirm password: *******

together with built-in Captcha of course (if there is such feature but no captcha, it will force some users to use some other login/user component such CB and stuff).

I think this is a greatly important feature especially for single system but multi-users (1 PC-for-all/family/friends/house/whatever).

One instance can be, say, you log in and forget to log out of your session; within a certain timeframe before the server/Joomla clears out all logged-in users (say 60 minutes), anybody could easily change my password, since to update the password I only need to enter the new password and re-confirm.

I am no expert in Joomla, so pardon my noobness if there is any in my feature request.

I am motivated to write all this (even though I am no expert or experienced Joomla user) because I see the white paper feature request for Joomla 1.6. Hopefully this feature will be available in the future.

Thank you for your time and concern.

ps: is there by any chance, this will be available on Joomla 1.5.x ? Thank you in advance.
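
The check requested in the post above (ask for the current password before accepting a new one), combined with the pwd_expiry idea from the draft at the top of the thread. This is an added example, not part of the original post and not Joomla's code: the field names, constants and in-memory user array are hypothetical, and it uses PHP's password_hash/password_verify rather than the MD5 or SHA1 hashing named in the draft.

```php
<?php
// Added example, not Joomla code. Field names (password_hash, pwd_expiry) and
// the in-memory $user array are hypothetical stand-ins for a user table row.

const MIN_PASSWORD_LENGTH = 8;     // assumed site setting
const PASSWORD_MAX_AGE_DAYS = 90;  // assumed "every X days" setting

// True when a new password must be chosen before anything else: the expiry
// date has passed, or an admin set it to 0 to force a change on next login.
function mustChangePassword(array $user, int $now): bool
{
    return $user['pwd_expiry'] <= $now;
}

// Returns null on success or an error string; $user is modified only on success.
function changePassword(array &$user, string $current, string $new, string $confirm, int $now): ?string
{
    // A live session alone is not enough: the current password must be
    // supplied, so an unattended logged-in browser cannot change it.
    if (!password_verify($current, $user['password_hash'])) {
        return 'current password is wrong';
    }
    if ($new !== $confirm) {
        return 'new password and confirmation differ';
    }
    if (strlen($new) < MIN_PASSWORD_LENGTH) {
        return 'new password too short';
    }
    // A forced change that re-uses the old password would defeat the expiry.
    if (password_verify($new, $user['password_hash'])) {
        return 'new password must differ from the current one';
    }
    $user['password_hash'] = password_hash($new, PASSWORD_DEFAULT);
    $user['pwd_expiry'] = $now + PASSWORD_MAX_AGE_DAYS * 86400;
    return null;
}

// Constructed sample: a bulk-imported user flagged to change on first login.
$now = time();
$user = ['password_hash' => password_hash('old-Secret-1', PASSWORD_DEFAULT), 'pwd_expiry' => 0];

var_dump(mustChangePassword($user, $now));                                            // change required
var_dump(changePassword($user, 'guess', 'new-Secret-2', 'new-Secret-2', $now));        // rejected
var_dump(changePassword($user, 'old-Secret-1', 'new-Secret-2', 'new-Secret-2', $now)); // accepted
var_dump(mustChangePassword($user, $now));                                            // no longer required
```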

Re: Expansions to the User Management System (Draft)

Posted: Wed Mar 05, 2008 6:05 pm
by kdevine
Jinx put in some pretty great hooks to JUser that allow developers to have custom parameters as well as custom properties. I wrote a plugin called UserMeta to take advantage of those hooks and facilitate extension of the user object.

http://joomlacode.org/gf/project/usermeta/

The plugin is really targeted for developers since it doesn't do much 'out of the box', only supplies the necessary files and means for customizing the user object. But it is possible using this method to add things like TOS acceptance and other additional fields on the registration form. It would be nice to have a more user friendly interface for non-developers but the plugin itself is pretty light and has very low impact on the code base.

Re: Expansions to the User Management System (Draft)

Posted: Wed Mar 05, 2008 8:15 pm
by 3dentech
Joomla uses phpGACL, which is a very powerful group management tool. I just don't know why we don't use its features to make group control work right; it would be great to have better access control. In my opinion Joomla user control must be made from scratch, and instead of a multi-level group control it should have a Linux-like multi-group system where every user could belong to N groups and each group has its read/write permissions for each component, session and category. It's not necessary to implement this for users, just for groups. It would extend a lot of Joomla's power for building community sites.

It's important to:
  • Allow creation of custom groups
  • Remove and modify group permissions
Thank you

[12]Control Panel Security: (2) Password Strength

Posted: Mon Mar 10, 2008 8:38 pm
by JasynL1977
The control panel seems to be an easy target for attack. I would incorporate the following...

2) Password strength (in which you can set the password rules)

Re: security and password verification

Posted: Mon Mar 10, 2008 9:37 pm
by JasynL1977
I do not think that the captcha idea is a good one, for handicap accessibility purposes. There's a lot of issues with captchas; they represent major usability issues.

Re: security and password verification

Posted: Mon Mar 10, 2008 10:48 pm
by derred
I see. Then forget the captcha. How about the verification though? Without verification anyone could change your password then?

Re: security and password verification

Posted: Tue Mar 11, 2008 6:18 pm
by JasynL1977
I think your other ideas are good; I just wanted to point out the problem with captchas, that was all.

Re: security and password verification

Posted: Wed Mar 12, 2008 12:17 am
by derred
I see, thank you! I just think security (not Joomla, but for users) should be one of the priorities. Hopefully this goes into their plan; it will be more delightful if this feature is applied to Joomla! 1.5

Re: security and password verification

Posted: Wed Mar 12, 2008 8:21 pm
by CirTap
derred wrote: anybody could easily change my password since to update password I only need to enter new password and re-confirm.
I might be wrong, but AFAIK if the user changes his/her password in the front-end it needs to be confirmed by mail. Unless this has happened, the old password remains active... or was it "reset password" only? The latter would allow you to "recover" and assign your own password again.
If you leave your mail app open, too, well, then .. ;)

CirTap

Re: Expansions to the User Management System (Draft)

Posted: Wed Mar 19, 2008 11:55 am
by masterchief
Thanks 3dentech. ACL, while related, is being handled in separate topics.

Re: [32]Expansions to the User Management System (Draft)

Posted: Sat Apr 19, 2008 9:40 am
by masterchief

Re: [32]Expansions to the User Management System (Draft)

Posted: Fri May 23, 2008 9:09 am
by torkil
Concerning passwords:

The fact that passwords in Joomla only can contain letters and numbers seems a bit weird to me. Why is this? Allowing characters like for instance "#%$ will only help increase password strength.

Re: [32]Expansions to the User Management System (Draft)

Posted: Fri May 23, 2008 9:15 am
by Beat
torkil wrote:Concerning passwords:

The fact that passwords in Joomla only can contain letters and numbers seems a bit weird to me. Why is this? Allowing characters like for instance "#%$ will only help increase password strength.
Indeed a good point :)

I tested that any raw input passwords work fine in Joomla 1.5.3, so it's just removing the validation, and changing the input handling mode to RAW unfiltered.

Re: [32]Expansions to the User Management System (Draft)

Posted: Fri Jul 11, 2008 7:40 am
by derred
Hi all,

Sorry for going off topic, but today I logged into Joomla's forum to view my posts and somehow my posts or threads are here. Does this mean my suggestion is taken into account or anything? Reading the whole thread, it sounds like every post is technical and posted by developers except for mine.

So I am confused, could it be merged topic or somehow, bugged or anything? Pardon my newbieness, I am here to learn and experience :)

Please advise, thank you.

Re: [32]Expansions to the User Management System (Draft)

Posted: Sun Aug 17, 2008 1:47 am
by icandy
Does anyone know the status on this? All these features are exactly what I want. But I don't want to wait ;) Tell me this has already been done and I can download it somewhere! *ever hopeful*

Re: [32]Expansions to the User Management System (Draft)

Posted: Mon Nov 10, 2008 11:00 pm
by deilert
I'd also be interested in the status...
masterchief wrote:Ability to require administrator approval of users following registration.
This is what I'm seeking as well - see my post

Re: [32]Expansions to the User Management System (Draft)

Posted: Tue Nov 18, 2008 10:04 am
by leowyc
Any progress for these features? I've just upgraded to 1.5.8 but it seems like it's just a security patch.

Re: [32]Expansions to the User Management System (Draft)

Posted: Tue Nov 18, 2008 10:05 am
by Tonie
This is no feature that is going to be added to the 1.5.x series.