New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Recovering password #192
Comments
When importing members, I'd always try and create random passwords. It feels strange to have members without passwords. But the question is if the Members extension can/should handle this gracefully. Probably yes — but the issue might not be limited to recovery codes. Have you tried to log in, for example? What happens? |
That's not possible as empty passwords are not accepted. |
I mean "does anything break badly"? Or is it simply impossible to login (which I would consider the right behaviour). |
The latter: Members throws an error that the password is invalid/missing. |
OK, so it does not handle this case gracefully. |
Which behaviour would be correct in your eyes instead of throwing |
But the question is: Should it be possible to have Members without passwords? If we allow to log in using an empty password (i.e make this a supported feature), this might be a big security flaw. So either we say "a password (field) is always required" if Members fields are used for members functionality, or it will mean a lot of work to handle all those exceptions. This is a hard question, and I'd like to hear @brendo's thoughts on the matter. (I couldn't say today, cause I have already been in a German beer garden.) |
I'm only starting to use Members, but here is what I would have expected:
That's why I was confused that recovering a password wasn't possible if no password was set before. Members didn't throw an error in this case it was just leaving out the recovery code in the XML. The thing is that the way Symphony works it's likely possible that you have Members without password (Members allows sections without password fields) so it should handle this somehow. |
Yep, that sounds very reasonable to me. |
Likewise |
It seems like Members is not able to generate recovery codes for members that have no password stored. I stumbled upon this when working on a site where we added the password field to our members section after importing a long list of members. As a consequence the corresponding table
tbl_entries_data_
doesn't contain any values for the imported members.Everything works fine when I set passwords for these members (which is not funny with a few hundred Members in the section). In my eyes Members should handle this case automatically by creating the missing entry in the table.
The text was updated successfully, but these errors were encountered: