Add disable forced reset credential flag on portal login reset/create #6817
Conversation
Add user setting to persist option for the user setting it in MRD add checkbox and persist js function to template.
|
Decided to put up separate PR to ease backport if wanted @adunsulag |
|
@sjpadgett By putting it on the patient dashboard won't users think the setting will only apply to that one patient instead of it applying globally to all patients? If someone checks/unchecks the box for a single patient I'm not sure they'll realize they ended up changing the setting for all patients. If I'm following the code correctly, I believe that's how things will work with this commit right? |
|
Would make this something that the admin gets to set (ie. global). |
| Csrf\CsrfUtils, | ||
| Utils\RandomGenUtils, | ||
| }; | ||
| use OpenEMR\Common\{Csrf\CsrfUtils,}; |
There was a problem hiding this comment.
was this meant to remove Utils\RandomGenUtils ?
There was a problem hiding this comment.
not used so not needed
There was a problem hiding this comment.
sounds good, then would change to since no longer compounding:
use OpenEMR\Common\Csrf\CsrfUtils;
There was a problem hiding this comment.
sounds like maybe issue with PR since I see use OpenEMR\Common\{Csrf\CsrfUtils,}; instead of use OpenEMR\Common\Csrf\CsrfUtils; in line above
|
I don't want a global. I want to leave it up to the user and the ability to decide patient by patient if needed. It will persist for each user therefore once a user sets it, it will remain set and up to user to decide to unset. Because one admin decides they don't like the forced reset that doesn't mean all users agree especially in practice groups. It can be seen by many as a security hole. |
|
To clarify, trying to ensure no security issues (let me know if i am missing something). My concern regarding security here is that if a practice wishes to enforce high security (make the user change the password), which has been the status quo, this will essentially remove that protection (since now any user that creates an account gets to decide this; ie. might as well not even use it then in that case). Makes more sense from a practice perspective for an admin/practice to decide what to do and then make it uniform. Having lay users decide likely mean they will just use whatever is set on toggle (and they will likely click is either way by mistake every once in awhile until the next mistaken click :) ). Also recommend keeping status quo on the global (ie. enforce the password change). |
|
I disagree but don't care enough to argue the point. Closing for Stephen to pick up. |
|
I hope this compromise satisfies everyone's concerns or wishes. |
|
Looks great! (noted you have the global in another PR) |
|
|
|
One complaint I often get is from practices that have mental health and/or seniors or otherwise patients that are not computer savvy and want the sign in, register and general portal use easier. This is the main reason to allow force reset to be optional per patient on their credential create/reset. |
|
Two opposing thoughts here. With a provider hat on, agree with being a patient advocate. With a security hat on, sadly it is those patients (no computer savviness) that benefit most from the additional security (ie. they are most likely to not control access to their email etc. ) :) |
|
I almost feel like I need to develop a single sign on option for the portal. |
Add user setting to persist option for the user setting it in MRD
add checkbox and persist js function to template.
Fixes #6813