Hi,

Below is a summary of the situation; you can refer to the Jira issues' comments for more information.

With OFBIZ-4983 and r1716915, basically a feature was implemented to allow an eCommerce customer to create a security question while creating his/her account. The user could then answer the security question to get his/her password through email.

This feature was partly removed while fixing OFBIZ-4361, where basically a JWT is used to safely ask for a new password through an email.

With OFBIZ-11206 patch it's possible to create a security question but only in partymgr. When used from "forgot your password" feature, if you have also set a password hint, you get on screen the value of your password hint.

As I wrote in OFBIZ-11206:

   "I wonder if it makes sense to keep this feature as is. It seems convoluted to me. Why ask a question to get a password hint?
   It seems a lot to remember:

    1. The choice of the security question
    2. The answer to this security question
    3. The relation between the password hint and the password itself

   I see only one good thing in this feature: you don't have to change your password. But sincerely, do we really need such a feature? I finally think that rather than fixing the current state we should remove the feature altogether. IMO, the password link in an email done in a safe way is enough.

   The point to keep in mind is that OOTB all OFBiz users must have an email, apart from anonymous, which have no passwords anyway."

So, as Nicolas suggested, either:

     * "We continue to support this and I will increase coherence of that
     * We abandon it and I will remove all code linked to this deprecated feature"

What do you think?

Thanks

Jacques
