Author: jleroux
Revision: 1716915
Modified property: svn:log

Modified: svn:log at Fri Nov 27 20:43:46 2015
------------------------------------------------------------------------------
--- svn:log (original)
+++ svn:log Fri Nov 27 20:43:46 2015
@@ -1,12 +1,13 @@
 A modified patch from Harsha Chadhar for "New feature to reclaim a user 
account - Using Security Questions" 
https://issues.apache.org/jira/browse/OFBIZ-4983
 
 jleroux: the issue description is quite lengthy so I will summarise it here, 
please refer to the Jira issue for details.
-"When a customer creates an account on eCommerce site, s/he will also need to 
answer a security question. This security question then can be used to reclaim 
the customer account in case s/he forgets her password. If the user correctly 
answers the required security question while reclaiming his account, her/his 
password will be sent through email notification. This part would work in the 
same way as the existing functionality of email password (forget password)."
+"When a customer creates an account on eCommerce site, s/he will also need to 
answer a security question. This security question then can be used by the user 
to reclaim her/his account in case s/he forgets her/his password. If the user 
correctly answers the required security question while reclaiming her/his 
account, her/his password will be sent through email notification. This part 
would work in the same way as the existing functionality of email password 
(forget password)."
 
 The description was actually more ambitious (several questions, possibility 
for users to create own questions) but AFAIK these parts have not been 
implemented.
 
-Apart updating the patch which did not merge, I got 2 majors issues (and few 
others I will not report here) I bypassed with workarounds
-Unlike Harsha, and as I reported earlier in the issue, I never got the 
username (userLoginId) back when using hidden parameters in the request body 
(not in requestParameters, ie UtilHttp.getParameterMap(request)), nor actually 
any parameters. This is maybe due to my OS (Windows7 was XP before) or my email 
client (Outlook Express then, now Thunderbird) or even my SMTP configuration (I 
used my ISP SMTP server) but most probably because I did it all on my sole 
machine (localhost). I tried to understand what was happening to request body 
parameters with http://www.telerik.com/fiddler, but I finally gave up because 
it's even more complicated when https is in the picture. So I decided to rather 
use parameters in the URL (Query string). It's a bit less safe, though the 
password is OFBiz encrypted, and should be replaced. But it's safe enough 
because only the user should receive this message and it even if the message is 
sniffed during its journey it should be hard to decrypt the password!
+Apart updating the patch which did not merge, I got 2 majors issues (and few 
others I will not report here) I bypassed with workarounds.
+
+Unlike Harsha, and as I reported earlier in the issue, I never got the 
username (userLoginId) back when using hidden parameters in the request body 
(not in requestParameters, ie UtilHttp.getParameterMap(request)), nor actually 
any parameters. This is maybe due to my OS (Windows7 was XP before) or my email 
client (Outlook Express then, now Thunderbird) or even my SMTP configuration (I 
used my ISP SMTP server) but most probably because I did it all on my sole 
machine (localhost). I tried to understand what was happening to request body 
parameters with http://www.telerik.com/fiddler, but finally gave up because 
it's even more complicated when https is in the picture. So I decided to rather 
use parameters in the URL (Query string). It's a bit less safe, though the 
password is OFBiz encrypted, and should be replaced. But it's safe enough 
because only the user should receive this message and even if the message is 
sniffed during its journey it should be hard to decrypt the password!
 
 Harsha used the SecurityExtUiLabels.xml (created by ashish at r1618415) in 
securityext component but there is already a SecurityextUiLabels.xml in common 
component. Since I use Windows OFBiz was unable to retrieve the labels from 
SecurityExtUiLabels.xml since I guess it looked into a SecurityextUiLabels.xml. 
So I renamed a SecurityExtUiLabels.xml to EmailPassword.xml.
 

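Review bot: In the rewritten paragraph that begins "Unlike Harsha", the "safe enough" argument for moving the parameters into the URL query string only considers the message being sniffed in transit. Query-string values are also written to web server and proxy access logs, kept in browser history, and can leak through the Referer header, so the encrypted password ends up in more places than the mail itself. The log also does not say how the password is encrypted, so "hard to decrypt" cannot be checked from this text. Suggest stating these limitations in the log and making "and should be replaced" explicit about what is to be replaced: the query-string workaround, ideally with a single-use, expiring reset token rather than any form of the password, tracked under OFBIZ-4983 or a follow-up issue. Since the log is being revised anyway, "Apart updating" and "2 majors issues" could be corrected in the same edit.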