Plone: Recover password by email instead of username - plone

Is there a simple way to make account password recovery work with email instead of user name?
Or must I override the mail_password_form template and its related script?
(Our users seem to forget user ids, too...)

It seems Plone already has this case implemented in mail_password_form.pt.
<label i18n:translate="label_my_user_name_is"
tal:condition="not:use_email_as_login"
for="userid">
My user name is
</label>
<label i18n:translate="label_my_email_address_is"
tal:condition="use_email_as_login"
for="userid">
My email address is
</label>
In Site setup -> Security (@@security-controlpanel) check: Use email address as login name (Allows new users to login with their email address instead of specifying a separate login name. Existing users can still login with their user id until you use the @@migrate-to-emaillogin page as a site admin. It is recommended to do that immediately after changing this option.)
(Working for simple accounts, but not useful in my case - ldap accounts.)

Related

Creating WordPress account based on email only submit

Is it possible to create a WordPress account for users who submit an email (no password or username) through an email collection form?
I am looking at sending the user a link to their email to set a password and set up the account in full. The use case is content locking to signed up/logged in users without requiring them to go through the full sign up process. Thanks
I would recommend one of two options: 1) search wordpress.org for a frontend user registration form that may allow you to customize the password options or 2) simply use a generic form or subscription plugin to collect user info, create the new user on the backend manually and then send them an email with a link to change their password.

How can I let the browser know the username when user updates his password?

I have a member login system (symfony/php website). When the member logs in, the browser asks the user (as most browsers do nowadays), whether the username and password should be remembered. So far so good.
When the user needs to set a new password by the "forgot password"-link, he will receive a link via his email address. When the link is clicked, he gets a form with two inputs (newPassword and newPassword2) where he can decide on a new password.
Since there is no username-input on this form, the browser cannot know, to which username he should save this password.
How can I make the browser know what the correct username is? I have all data available, but I don't know how to present it to the browser in a correct way. There should be no additional fields visible to the user.
I tried
<input type="hidden" name="username" value="some@username.com"/>
but at least Google Chrome doesn't seem to read that value for its password manager.
No need to send the username to the browser (it's dangerous, I will explain further). When the "forgot password" link is clicked, generate a unique key and store it in a special field of the user table in the database (I'll call it "validation code"). This validation code will be inserted in the link sent to the user. When the user clicks on this link in their email, this code is inserted in a hidden field of the "new password" form. This key will be used after submit to determine the user.
I recommend you not to insert the username directly since a malicious user could modify the HTML code to set the password of any user account.

FOSUserBundle and LDAP user before login - Symfony2

I have successfully set up the FOSUserBundle and the FR3D LDAP bundle to allow my company users to log in to the web app with their own login.
From now on, if someone logs in, they will have the default role, which is ROLE_USER.
However, I only want a specific role to be allowed (in this case it's ROLE_CONSULT, which I created).
What I am doing to allow users at this moment is:
1) Ask the user to log in to the web app
2) They get the "You have no right to access this web page"
3) They tell me they connected
4) I change the user's role to "ROLE_CONSULT" with a form I created within the admin panel.
What I want to do is:
1) I select the user from the LDAP list
2) Change the user role (which is not on the database yet, but will be as soon as I change the role)
3) The user logs in successfully
I already developed points 1 and 2, but as the "salt" is empty on the database, it doesn't allow the user to connect as it must believe the password isn't correct.
Any idea how I can make it work by telling Symfony2 it is the first login, so it will automatically ONLY check the entered password at my LDAP configuration?
Thanks.
Alright, that was easy.
I just forgot to put the "DN" to the database.
Now it's working.

Meteor accounts invite new users

I have my site configured to login with email/password (no user name).
I have login, forgot password, and password reset pages working as expected, largely based off of this guide and a lot of poking around. I'm at a bit of a loss looking for a more comprehensive or "advanced" guide for controlling user account behavior.
Currently, a registered user can "invite" another user by simply putting in their email address. This person receives an email which brings them to the login screen, but since there is no password set yet, this person must:
1) Click on the forgot password link
2) Input their email
3) Follow the link from the reset email and set their password.
I'm trying to work out how I would get the initial invite email to land the person on a "set password" page.
Even a link to the relevant material is greatly appreciated! I have a feeling I may just be searching for the wrong things.
I haven't done it myself, but off the top of my head, as an idea (requires Iron-Router ($ meteor add iron:router)):
1) Send a link to an invited user with the query in the link that equals this user's email (q=email@address.com).
2) Use Iron Router to fetch that query (this.params.query using, perhaps, onBeforeAction method).
3) Put the query into a Session.
4) Within Template.myTemplate.helpers() create a new helper that will display the session.
5) Inside your template: <input type="text" name="user_email_from_session" value="{{helper}}">
Hopefully my approach is not too newbie, but even if so, maybe it will serve you as an anti-inspiration :)
Meteor calls "invite" emails "enrollment" emails.
1) Create a new user on the server (doesn't need a password set).
2) Call Accounts.sendEnrollmentEmail(userId) on the server.
3) User receives an email with a link to set their initial password.
Docs: http://docs.meteor.com/api/passwords.html#Accounts-sendEnrollmentEmail

Validate the Authenticity of a User For Site Subscriptions

I have a web application that creates user accounts, but I would also like to have the ability to have users that can sign up for subscriptions without accounts. All they have is a subscription page to modify email settings and enable the newsletter subscription.
My question is how do I verify that the user is who they say they are without a username/password, and my second is how should they access this page. I don't want just anyone typing in the url with the email and accessing subscription settings for that user.
For each user entry you create a unique access code that you use in the url in order to validate that this is the user you want.
The subscription form will give these options:
1) subscribe by filling in your email
2) request to change your settings by just putting your email in another field
Both actions will send an email to you with a special url:
1) the first to validate that this is made by you so you will enable this user & his email
2) the second to send him another special url to make any changes to his settings in the case that this user is active in your database.
For this unique code you can use md5 of his email with a timestamp when he was registered.
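The "validation code" in the forgot-password answer further up and the access-code URL described here both rely on the code being unguessable and on the server, not the form, deciding which user it belongs to. The sketch below is an added example, not code from any of the posts: it draws the code from the OS CSPRNG instead of deriving it from the email and a timestamp, stores only its hash, and accepts it once within a time limit. `PENDING`, `TOKEN_TTL` and the function names are assumptions standing in for the user table and site policy.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumed policy: links stay valid for one hour

# Constructed stand-in for the user table: user_id -> (token hash, expiry).
# Only a hash is kept, so a leaked table does not yield usable links.
PENDING = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id, now=None):
    """Return the code to embed in the URL e-mailed to user_id."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    PENDING[user_id] = (_digest(token), now + TOKEN_TTL)  # replaces older code
    return token


def redeem_token(token, now=None):
    """Return the user_id the code was issued for, or None. Single use."""
    now = time.time() if now is None else now
    presented = _digest(token)
    for user_id, (stored, expires) in list(PENDING.items()):
        if hmac.compare_digest(stored, presented):
            del PENDING[user_id]  # consumed even when already expired
            return user_id if now <= expires else None
    return None
```

The form handler passes the hidden-field or URL value to `redeem_token()` and acts only on the user it returns, so no username or email taken from the request is trusted.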
