[Bug 19660] New: Set borrower password on first login from self registration
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 Bug ID: 19660 Summary: Set borrower password on first login from self registration Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: OPAC Assignee: oleonard@myacpl.org Reporter: liz@catalyst.net.nz QA Contact: testopia@bugs.koha-community.org Currently when a borrower has confirmed their account, we show them their username and password after confirmation. I propose instead of doing this, we allow the user to set their own password after they have confirmed their account. We could use parts of the forgot-my-password code to do this, for example pre-populating the username/email bits of the form, and asking the user to fill in their new password twice. We really shouldn't be showing the password on the screen, ever. Let's not do that anymore. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 Liz Rea <liz@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |Academy -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 jwayway@hotmail.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 --- Comment #1 from jwayway@hotmail.com --- Created attachment 70596 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70596&action=edit Bug-19660: Set password after self registration Test plan: 1. Enable PatronSelfRegistration 2. Add a PatronSelfRegistrationDefaultCategory too 3. In OPAC register a user 4. Without patch after hitting submit, password is displayed onscreen 5. After applying patch, password is changed afterwards by sending a email 6. Note how primary email is required Notes - Email is now required for this to work since a unique key was needed for password-recovery.pl to work - A password is randomly generated for the user -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 --- Comment #2 from jwayway@hotmail.com --- Created attachment 70727 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70727&action=edit Bug-19960 This is a follow up patch to fix the password field on the registration complete page. Please upload this patch along with the previous version :) Test plan: 1. Apply this patch 2. The password field has the pregenerated password if the syspref is enabled 3. Before the patch the password was displayed on the screen in a span tag -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 jwayway@hotmail.com changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #70727|Bug-19960 |Bug-19960: Fix password description| |field -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 Laurence Rault <laurence.rault@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |laurence.rault@biblibre.com --- Comment #3 from Laurence Rault <laurence.rault@biblibre.com> --- Tested ok following test plan, ready to be signeoff Impossible to signoff from the sandbox : It seems you don't have applied a patch, so you cannot sign it off. If you applied patches from the right report, check the commit message of the last patch. It should start with "Bug XXXXX", if not, please inform the author of the patch. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mtompset@hotmail.com --- Comment #4 from M. Tompsett <mtompset@hotmail.com> --- These system preferences need setting from a base kohadevbox: OpacResetPassword - Allowed -- otherwise you get almost done, and then it won't let you check it, because reset isn't allowed. PatronSelfRegistration - Allow -- otherwise, you can't even start. PatronSelfRegistrationDefaultCategory - Anything valid, otherwise you may have a crash somewhere. PatronSelfRegistrationPrefillForm -- MMmmm... something isn't right with this now. It works as expected, but something about this leaves a bad taste in my mouth. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #70596|0 |1 is obsolete| | Attachment #70727|0 |1 is obsolete| | --- Comment #5 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 72900 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72900&action=edit Bug 19660: Set password after self registration Test plan: 1. Enable PatronSelfRegistration 2. Add a PatronSelfRegistrationDefaultCategory too 3. In OPAC register a user 4. Without patch after hitting submit, password is displayed onscreen 5. After applying patch, password is changed afterwards by sending a email 6. Note how primary email is required Notes - Email is now required for this to work since a unique key was needed for password-recovery.pl to work - A password is randomly generated for the user Signed-off-by: Laurence Rault <laurence.rault@biblibre.com> Signed-off-by: Mark Tompsett <mtompset@hotmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 --- Comment #6 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 72901 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72901&action=edit Bug 19660: Follow up to fix password field on the registration page This is a follow up patch to fix the password field on the registration complete page. Please upload this patch along with the previous version :) Test plan: 1. Apply this patch 2. The password field has the pregenerated password if the syspref is enabled 3. Before the patch the password was displayed on the screen in a span tag Signed-off-by: Laurence Rault <laurence.rault@biblibre.com> Signed-off-by: Mark Tompsett <mtompset@hotmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl --- Comment #7 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- vertification_legend ? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |BLOCKED --- Comment #8 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- QA: Looking here -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|BLOCKED |Failed QA --- Comment #9 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- I have the feeling that we are not ready yet. As Mark already stated, this feature does not work when pref ResetPassword has not been enabled. But since that is possible, we should make it work somehow? Currently when off, you can enter your email address. You will directly see: You can't reset your password. But I also got an email with a reset link. Clicking that link gives also: You can't reset your password. Apart from ResetPassword dependence, if the registration is complete, I think that the form is still a bit confusing. Entering an email is optional and password is prefilled. If I just click Login, I am in but I do not know my password. Why don't we add a New password field on the Completion form? Then the user is forced to enter a new password AND we do not rely on the Reset functionality that may be disabled altogether? (Or add the password already on the first registraton form memberentry?) Note that without digging thru all registration options, I got the option to create a Staff user in the self registration form. I think we should not offer that. Outside scope here though. Changing status. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |m.de.rooy@rijksmuseum.nl |y.org | Patch complexity|--- |Small patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|oleonard@myacpl.org |koha-bugs@lists.koha-commun | |ity.org -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 Agnes Rivers-Moore <arm@hanover.ca> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |arm@hanover.ca --- Comment #10 from Agnes Rivers-Moore <arm@hanover.ca> --- Librarian point of view - As M Tomsett says, this method cannot work properly without an email address. The email field should not be required - especially now with so many countries requiring specific opt-in permission from the user to send them email. However, it should be possible for people to use online services without giving an email address. I agree with Marcel that the ideal solution is to have the user enter password (hidden, twice for verification) in the registration form. Then, let the email address be optional, as a library set preference. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 Séverine Queune <severine.queune@bulac.fr> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |severine.queune@bulac.fr -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 --- Comment #11 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- (In reply to Agnes Rivers-Moore from comment #10)
Librarian point of view - As M Tomsett says, this method cannot work properly without an email address. The email field should not be required - especially now with so many countries requiring specific opt-in permission from the user to send them email. However, it should be possible for people to use online services without giving an email address. I agree with Marcel that the ideal solution is to have the user enter password (hidden, twice for verification) in the registration form. Then, let the email address be optional, as a library set preference.
The problem with an optional email address on self registration is that you have no means to verify that the user registering is a real person. It would open self registrations up to bots and pranks. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 --- Comment #12 from Agnes Rivers-Moore <arm@hanover.ca> --- (In reply to Katrin Fischer from comment #11)
(In reply to Agnes Rivers-Moore from comment #10)
Librarian point of view - As M Tomsett says, this method cannot work properly without an email address. The email field should not be required - especially now with so many countries requiring specific opt-in permission from the user to send them email. However, it should be possible for people to use online services without giving an email address. I agree with Marcel that the ideal solution is to have the user enter password (hidden, twice for verification) in the registration form. Then, let the email address be optional, as a library set preference.
The problem with an optional email address on self registration is that you have no means to verify that the user registering is a real person. It would open self registrations up to bots and pranks.
I am not sure existence of an email address proves a genuine individual or protects from pranking or misuse. If a library needs to prove there is a real person who is not already registered, or banned, or from another country, they would need more than an email address. Our staff see the online registration attempt and contact the person for ID verification. So, library set preference for whether email is required or not. For us, phone number required is more important. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19660 --- Comment #13 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Agnes Rivers-Moore from comment #12)
I am not sure existence of an email address proves a genuine individual or protects from pranking or misuse. If a library needs to prove there is a real person who is not already registered, or banned, or from another country, they would need more than an email address. Our staff see the online registration attempt and contact the person for ID verification. So, library set preference for whether email is required or not. For us, phone number required is more important.
If you enable the verification step for self registration (and imo you should always do that), you need an email address. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org