[Koha-devel] Why we do not push the ACCTDETAILS email via message queue?

David Cook dcook at prosentient.com.au
Wed Jun 20 02:06:52 CEST 2018


I think that would probably be the best way of going about it, but I’m sure there are a lot of libraries that wouldn’t be happy about it. 

 

David Cook

Systems Librarian

Prosentient Systems

72/330 Wattle St

Ultimo, NSW 2007

Australia

 

Office: 02 9212 0899

Direct: 02 8005 0595

 

From: koha-devel-bounces at lists.koha-community.org [mailto:koha-devel-bounces at lists.koha-community.org] On Behalf Of Liz Rea
Sent: Tuesday, 19 June 2018 12:26 PM
To: koha-devel at lists.koha-community.org
Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS email via message queue?

 

I feel like instead of sending people a password, we should send them to the "forgot password reset page" with a couple of slight changes for new account holders, so they can set their own passwords.

Seems better than sending the password in the clear in an email.

Cheers,
Liz

 

On 19/06/18 12:21, David Cook wrote:

Cheers, Jonathan. I had totally forgotten about that. Yikes.
 
 
 
Good call, Chris. While I think many mail servers these days use TLS to secure the email between the mail servers, an unscrupulous administrator could still certainly take advantage of people on either end. The best idea probably is to just not use AutoEmailOpacUser, as Jonathan seems to suggest. 
 
 
 
 
From: Jonathan Druart [mailto:jonathan.druart at bugs.koha-community.org] 
Sent: Tuesday, 19 June 2018 12:07 AM
To: Christopher Nighswonger <chris.nighswonger at gmail.com>
Cc: David Cook <dcook at prosentient.com.au>; Koha Devel <koha-devel at lists.koha-community.org>
Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS email via message queue?
 
 
 
It has been reported (by David) on our bug tracker already (20796, security area, which no longer makes sense as it is public now...)
 
 
 
For information, this notice has contained the password in clear for... 10 years now (bug 2149) and the behavior is turned off by default (AutoEmailOpacUser).
 
 
 
 
 
On Mon, 18 Jun 2018 at 10:11 Christopher Nighswonger <chris.nighswonger at gmail.com> wrote:
 
Considering that email is plaintext (AKA "postcard") mail, I'm surprised we would send a user's password in an email in any case.
 
 
 
 
 
On Mon, Jun 18, 2018 at 4:14 AM, David Cook <dcook at prosentient.com.au> wrote:
 
Considering that the borrower’s password is typically in the ACCTDETAILS email, I think using the message_queue for ACCTDETAILS would be a bad idea and would probably violate the GDPR in Europe.
 
 
 
Just imagine looking through your database and seeing all those plain text passwords, especially for people who re-use the same password for everything. I think it would be a security and privacy nightmare.
 
 
 
 
From: koha-devel-bounces at lists.koha-community.org [mailto:koha-devel-bounces at lists.koha-community.org] On Behalf Of Sophie Meynieux
Sent: Friday, 15 June 2018 9:33 PM
To: koha-devel at lists.koha-community.org
Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS email via message queue?
 
 
 
Maybe because for this message you're expecting it to be sent immediately, while the message_queue table could be processed more occasionally?
 
Best regards
 
S. Meynieux
 






_______________________________________________
Koha-devel mailing list
Koha-devel at lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/





-- 
--
Liz Rea
Catalyst.Net Limited
Level 6, Catalyst House, 
150 Willis Street, Wellington.
P.O Box 11053, Manners Street, 
Wellington 6142
04 803 2265
 
GPG: B149 A443 6B01 7386 C2C7 F481 B6c2 A49D 3726 38B7