Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 45 additions & 0 deletions text/040-user-account-management.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
# RFC 40: User management improvements

* RFC: 40
* Author: Karl Hobley
* Created: 2019-05-02
* Last Modified: 2019-05-02

## Abstract

This RFC includes three proposals for improvements we can make to user management in Wagtail.

## Task A - Make new users set their own password using a link that is emailed to them

When users are created, currently the admin sets their email address and password. The email address is never verified and passwords set in this way are usually weak and don’t have to be changed which can lead to multiple users having the same password.

We should remove the password fields from the create user form, and instead email the user a link to a form where they can set their password themselves. Similar to the password reset feature.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think to adding another setting to allow this behaviour to be toggled?


This has two main advantages:

- Their email address is verified - which is important in case they want notifications or need to use the password reset feature in the future
- Their password is likely to be stronger and unguessable by other users

A disadvantage is this requires email to be configured in order to create new users. I think we could either rely on the admin finding the change password box on the edit page or keep those fields on the create user form but conceal them a bit to discourage their use.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we could use a radio select to solve this problem? Options could be something like:

  • Send this user a link to set their own password (recommended)
  • Allow me to set the password for this user

We'd keep the first as the default option, and only show password fields if the user deliberately chose the second option.


## Task B - Add setting to require verified email addresses

Right now, admins can create users with any email address and users can change their email address to anything they want.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we perhaps make the function that sends the notification swappable? I've worked on a few projects before where it was necessary use different backends for different types of email, so such a feature would be handy in those situations. It would also be cool to provide flexibility for triggering things other than emails... e.g. sending a notification via Slack or some other service.


Some projects might use the user’s email address as their identifier in external systems, so allowing users to change their email address without verification could open up security issues.

We should add a setting `WAGTAIL_REQUIRE_EMAIL_VERIFICATION` which, when set to `True` (it’ll default to `False` for backwards compatibility) requires the user to verify their new email address before the change is made in the database.

## Task C - Disabling user management

Some sites may use SSO for authentication so usernames, emails and passwords (and possibly other basic information) could be managed by an external system.

We should make it possible to easily disable all user management features in Wagtail to prevent updates to fields that are managed by external systems.

Currently it’s not possible to remove `wagtailusers` from `INSTALLED_APPS` as the `UserProfile` model is defined there.

I think we should do the following to allow completely disabling account management in Wagtail:

- Convert the users admin interface into an admin module (Groups is already a module)
- Allow admin modules to be easily unregistered
- Add a setting to allow disabling the “Change email” function for users `WAGTAIL_USER_CHANGE_EMAIL_ENABLED`

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is now done: wagtail/wagtail#5293