Feature idea


Bruno Ribeiro da Silva

Nov 16, 2016, 2:24:43 PM
to django-d...@googlegroups.com
Hello everyone,

I have this simple idea that I think Django could benefit from, which would be the option to create a user by an invitation from the Django admin page. So the person who is creating a new user doesn't have to type a password or a username for this new user. He would only fill in a form with an email address that the invitation would be sent to. Something like a password reset link, but to add a new user.

Do you think it would be useful? Would that be accepted as a PR for some version in the future? What are your thoughts?

I would like to implement it and contribute to Django, but I need feedback from you guys.


Thanks!

--
Bruno Ribeiro da Silva
Python Dev and Homebrewer!

Tim Graham

Nov 16, 2016, 2:59:46 PM
to Django developers (Contributions to Django itself)
I don't think this registration model is common on most websites.

Aymeric Augustin

Nov 16, 2016, 3:13:26 PM
to django-d...@googlegroups.com
Hello,

I wouldn’t dismiss the idea so quickly. Adding staff users from your company is a fairly common use case.

Currently you have to email them a password and ask them to change it. This doesn’t set a good example.

The better solution is SSO with the corporate directory (often ActiveDirectory or Google Apps), but not every project has taken the time to configure that.

Best regards,

-- 
Aymeric.

-- 
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/2c949269-59f5-4332-8803-c2958f789336%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Anthony King

Nov 16, 2016, 3:23:04 PM
to django-d...@googlegroups.com

Sending a link to set a password isn't much better.
Perhaps a way to force a password change on login would be better, which has more use elsewhere, such as being able to periodically force password changes.


Aymeric Augustin

Nov 17, 2016, 3:38:32 AM
to django-d...@googlegroups.com
Hello,

On 16 Nov 2016, at 21:22, Anthony King <anthon...@gmail.com> wrote:

> Sending a link to set a password isn't much better.

The cardinal rule of passwords is “you must be the only person who knows your password”. This means never writing it down anywhere, except in a proper password manager, and never telling it to anyone, *even* your IT staff — to fight social engineering attacks.

Sending a password in clear over email means the IT staff is okay with knowing the user's password. Disregarding their own guidelines sets a poor example and reduces their credibility about password management in general.

Of course, on most Django websites, someone who can create a staff user can also change the user’s password — it’s rare to give the “create user” but not the “change user” permission. I’m not making a technical argument here, I’m thinking of IT literacy and educating users.

> Perhaps a way to force a password change on login would be better, which has more use elsewhere, such as being able to periodically force password changes.

Forcing a password change on login is another interesting idea to solve this problem. That’s what ActiveDirectory has to do, because OSes don’t have the same password reset possibilities that web applications have.

However, I think that would mean solving the general problem of password rotation. Django solved password validation recently; it could solve password rotation next. (Note that password rotation is controversial because it forces users to choose weak passwords with a basic rotation scheme like putting the month number at the end, instead of storing a strong random password in a password manager. Trade-offs.)

I still think a simple solution hooking into the current password reset mechanism, just with a different email template, could be a quick security win for a lot of Django sites. I’d encourage people to use it if it existed.

Best regards,

-- 
Aymeric.

Curtis Maloney

Nov 17, 2016, 3:44:27 AM
to django-d...@googlegroups.com
My solution to the "initial password problem" is to send a password reset token first...

And Django has this built in, handily :)

http://musings.tinbrain.net/blog/2014/sep/21/registration-django-easy-way/

It would be very easy to use the same approach for an "invite" registration pattern.

--
C

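The "reuse the password reset token" approach Aymeric and Curtis describe above, as an added illustration that is not code from this thread or from Django itself: a self-contained Python sketch of the mechanism behind Django's PasswordResetTokenGenerator, showing why an invite link built this way is single-use (the HMAC covers the password hash and last_login, so the token stops verifying once the invitee sets a password). The InvitedUser class, SECRET_KEY, INVITE_TIMEOUT and the `ts-mac` token layout are constructed stand-ins, not Django's own definitions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for a Django user row with just the fields that
# Django's PasswordResetTokenGenerator mixes into its HMAC.
@dataclass
class InvitedUser:
    pk: int
    email: str
    password_hash: str = ""   # "" stands in for set_unusable_password()
    last_login: int = 0       # 0 stands in for last_login=None (never logged in)
    is_active: bool = True

SECRET_KEY = secrets.token_bytes(32)  # stand-in for settings.SECRET_KEY
INVITE_TIMEOUT = 3 * 24 * 3600        # seconds an invite link stays valid (assumed)

def _state(user, ts):
    # Everything that must change once the invite is used goes into the HMAC
    # input: setting a password and logging in alter password_hash and
    # last_login, so a used link stops verifying without a "consumed" flag.
    return f"{user.pk}{user.password_hash}{user.last_login}{ts}{user.email}"

def make_invite_token(user, now):
    ts = int(now)
    mac = hmac.new(SECRET_KEY, _state(user, ts).encode(), hashlib.sha256).hexdigest()
    return f"{ts}-{mac}"

def check_invite_token(user, token, now):
    # Rejects malformed, tampered and expired tokens, and inactive users.
    try:
        ts_str, mac = token.split("-", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    if not user.is_active:
        return False
    expected = hmac.new(SECRET_KEY, _state(user, ts).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return False
    return 0 <= int(now) - ts <= INVITE_TIMEOUT

def accept_invite(user, token, new_password, now):
    # Consuming the invite means setting the password; the token then stops verifying.
    if not check_invite_token(user, token, now):
        return False
    user.password_hash = hashlib.sha256(new_password.encode()).hexdigest()  # stand-in for make_password()
    user.last_login = int(now)
    return True
```

The admin-side "invite" view would create the user with an unusable password, call make_invite_token, and put the result in the email template; the link handler calls accept_invite with the password the invitee chooses.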

Bruno Ribeiro da Silva

Nov 17, 2016, 7:39:07 AM
to django-d...@googlegroups.com
Guys,

Thanks for the feedback. My initial thought was to have a more complete approach to this problem; there is always the case that the admin who is creating the user doesn't know the person's full name and/or what to use for the username.

This is the flow that I had in mind:

- Admin goes to user list page
- Next to the "ADD USER +" button we would have an "INVITE NEW USER" button
- At the invite page the admin would only have to insert the person's email address. Optionally he could check whether this new user should be a superuser and/or staff.
- At the invitation (link sent by email) page the user would be able to fill the rest of the information, like: username, first name, last name and password.

I know this approach requires more work but I think it would be nice to free the admin from the burden of having to fill all necessary information.



Aymeric Augustin

Nov 17, 2016, 7:48:51 AM
to django-d...@googlegroups.com
Hello Bruno,

This is getting quite specific. In that case, I think a third-party, pluggable application is a better way to do this.

Best regards,

-- 
Aymeric.
