-
Notifications
You must be signed in to change notification settings - Fork 33
RFC 40: User account management changes #40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| # RFC 40: User management improvements | ||
|
|
||
| * RFC: 40 | ||
| * Author: Karl Hobley | ||
| * Created: 2019-05-02 | ||
| * Last Modified: 2019-05-02 | ||
|
|
||
| ## Abstract | ||
|
|
||
| This RFC includes three proposals for improvements we can make to user management in Wagtail. | ||
|
|
||
| ## Task A - Make new users set their own password using a link that is emailed to them | ||
|
|
||
| When users are created, currently the admin sets their email address and password. The email address is never verified and passwords set in this way are usually weak and don’t have to be changed which can lead to multiple users having the same password. | ||
|
|
||
| We should remove the password fields from the create user form, and instead email the user a link to a form where they can set their password themselves. Similar to the password reset feature. | ||
|
|
||
| This has two main advantages: | ||
|
|
||
| - Their email address is verified - which is important in case they want notifications or need to use the password reset feature in the future | ||
| - Their password is likely to be stronger and unguessable by other users | ||
|
|
||
| A disadvantage is this requires email to be configured in order to create new users. I think we could either rely on the admin finding the change password box on the edit page or keep those fields on the create user form but conceal them a bit to discourage their use. | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Perhaps we could use a radio select to solve this problem? Options could be something like:
We'd keep the first as the default option, and only show password fields if the user deliberately chose the second option. |
||
|
|
||
| ## Task B - Add setting to require verified email addresses | ||
|
|
||
| Right now, admins can create users with any email address and users can change their email address to anything they want. | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Could we perhaps make the function that sends the notification swappable? I've worked on a few projects before where it was necessary use different backends for different types of email, so such a feature would be handy in those situations. It would also be cool to provide flexibility for triggering things other than emails... e.g. sending a notification via Slack or some other service. |
||
|
|
||
| Some projects might use the user’s email address as their identifier in external systems, so allowing users to change their email address without verification could open up security issues. | ||
|
|
||
| We should add a setting `WAGTAIL_REQUIRE_EMAIL_VERIFICATION` which, when set to `True` (it’ll default to `False` for backwards compatibility) requires the user to verify their new email address before the change is made in the database. | ||
|
|
||
| ## Task C - Disabling user management | ||
|
|
||
| Some sites may use SSO for authentication so usernames, emails and passwords (and possibly other basic information) could be managed by an external system. | ||
|
|
||
| We should make it possible to easily disable all user management features in Wagtail to prevent updates to fields that are managed by external systems. | ||
|
|
||
| Currently it’s not possible to remove `wagtailusers` from `INSTALLED_APPS` as the `UserProfile` model is defined there. | ||
|
|
||
| I think we should do the following to allow completely disabling account management in Wagtail: | ||
|
|
||
| - Convert the users admin interface into an admin module (Groups is already a module) | ||
| - Allow admin modules to be easily unregistered | ||
| - Add a setting to allow disabling the “Change email” function for users `WAGTAIL_USER_CHANGE_EMAIL_ENABLED` | ||
|
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is now done: wagtail/wagtail#5293 |
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you think to adding another setting to allow this behaviour to be toggled?