0

Hi, We are working on 'Forgot password' functionality (as described in previous posts) and intend to make it as secure as possible. As such we try to use microflows with setting 'Apply entity access' set to True as much as possible, We noticed though that it is not possible for an anonymous user to save his new password (or retrieve a specialization of user account by name (attribute of user)) when handling the reset flow with 'Apply entity access' set to True. I do understand the reason (user entity has an access rule to read/write password only for the current user), however am curious how this should be properly handled. Setting 'Apply entity access' to False for the microflow that handles the commit of the password resolves the issue, but seems weird. One thing I do not quite get is the fact that the User entity has 1 access rule identical for Administrator and User role and restricts the update of the Password field to the current user only. However when I add the password field on a regular form (data view) that contains a specialization of the user entity, I am allowed to change the password of any user (using the standard buttons (no microflows involved). I would expect that I could only do this for my own user. Last thing, I think the forgot password functionality should be included in the standard user management module.

asked 2014-05-16

1 answers