[Koha-bugs] [Bug 16711] OPAC Password recovery: Handling if multiple accounts have the same mail address

bugzilla-daemon at bugs.koha-community.org
Sun May 21 07:34:30 CEST 2017


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16711

--- Comment #7 from Marc Véron <veron at veron.ch> ---
Thinking out loud about sending information about all library accounts if in
password recovery an email with multiple library accounts attached is given:

What could be the reasons to have one email address and multiple accounts?

- An individual has multiple library accounts, e.g. one for professional
purposes and a private one. For example a teacher needs books for school and
wants to separate that from their private lecture.

In that case sending reset links for multiple accounts would be OK (no
privacy breach) because it is the same person. But atm the mail contains only a
reset link, no information that would help to identify the account. So the
individual could reset the wrong password.

- A group (family, couple) shares the same email but they have different
library accounts

In that case, privacy is defined by the group: Either one individual has access
to the email or all of the group have access. If all have access, one
individual could change the password for another one. That would be a privacy
breach.

OK then, it is not a good idea to send reset links for all accounts attached to
an email account.

IMO the easiest solution would be not to send recovery link(s), but to display
information similar to what appears if an email address is not found
in the database (Error No account was found with the provided information.
Please...)

The message could be something like: 
-------------
Information
Multiple library accounts are attached to this email. Please fill the field
'Login' to identify which password you want to reset. Please contact the
library if you need further assistance.
-------------

Additionally, there could be more enhancements (to be covered by separate
bugs):
- Have a syspref to prevent multiple accounts with same email (could get
complicated for existing installs)
- Have a precooked report that displays library accounts sharing one email
address

-- 
You are receiving this mail because:
You are watching all bug changes.
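
The behaviour proposed in comment #7, as an added sketch that is not part of the original comment and is not Koha's code: a recovery request that matches more than one account sends nothing and asks for the login instead. The `Patron` record, `request_reset`, the sample data and the "sent" wording are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Patron:          # hypothetical record, not Koha's schema
    login: str
    email: str

# Constructed sample data covering the cases in the comment.
PATRONS = [
    Patron("sam.school", "sam@example.org"),      # one person, two accounts
    Patron("sam.private", "sam@example.org"),
    Patron("lee", "family@example.org"),          # shared family mailbox
    Patron("kim", "family@example.org"),
    Patron("solo", "solo@example.org"),
]

NOT_FOUND = "No account was found with the provided information."
AMBIGUOUS = ("Multiple library accounts are attached to this email. Please "
             "fill the field 'Login' to identify which password you want to "
             "reset.")
SENT = "A password recovery email has been sent."   # constructed wording

def request_reset(email="", login="", patrons=PATRONS, outbox=None):
    """Return (status, message); queue at most one reset mail in outbox."""
    outbox = [] if outbox is None else outbox
    email_key, login_key = email.strip().casefold(), login.strip()
    if not (email_key or login_key):
        return "not_found", NOT_FOUND
    matches = [p for p in patrons
               if (not email_key or p.email.casefold() == email_key)
               and (not login_key or p.login == login_key)]
    if not matches:
        return "not_found", NOT_FOUND
    if len(matches) > 1:
        # Several accounts share the address: send nothing, ask for the login.
        return "ambiguous", AMBIGUOUS
    patron = matches[0]
    # The mail names the login so the recipient knows which account it resets.
    outbox.append({"to": patron.email, "login": patron.login,
                   "token": secrets.token_urlsafe(32)})
    return "sent", SENT
```
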

