On Friday, 24 June 2016, Laurent Destailleur (aka Eldy) wrote:
> If you need the login id and not the password, just keep the password
> empty. The password for members is not used. It is just an information
> stored when there is need to use dolibarr as a password referential for
> members.

Hi Laurent,

The login/id and the password are both mandatory. When creating a member, the password is automatically filled and if it is cleared, the member cannot be created. If the password is cleared when modifying a member, it is not modified at all (that's a bit strange, by the way, I had to check the DB to confirm this behavior). The only way I have found to clear the password is to set it to NULL with a query in DB.

Moreover I am very concerned about the password being stored in clear text for members. I see no point storing a hashed value for the users if the same password is stored in clear text in another table.

I propose two improvements:

1) Add an option to the Members module: "Manage a password for members: Yes/No". This option would be visible only if "Manage a login/id for members" is enabled.

2) Always store the encrypted/hashed password and add a method to check the password (this method should also be available in the web services).

What do you think about that?

--
Xebax
_______________________________________________
Dolibarr-dev mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev
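The second proposal in the message above (store only a hash and provide a check method), sketched as an added example; this is not Dolibarr code or part of the original message. The function names are hypothetical, and it assumes rows that still hold a clear-text value are upgraded to a hash at the next successful check.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; these are not Dolibarr functions.

/** Hash a member password for storage so the clear text is never written. */
function member_hash_password(string $clear): string
{
    return password_hash($clear, PASSWORD_DEFAULT);
}

/**
 * Check a candidate password against the value stored for a member.
 * Returns [bool $ok, ?string $newStoredValue]; a non-null second element
 * means the caller should write that value back to the member row.
 */
function member_check_password(string $candidate, ?string $stored): array
{
    if ($stored === null || $stored === '') {
        return [false, null];            // no password managed for this member
    }
    $info = password_get_info($stored);
    if (empty($info['algo'])) {
        // Legacy row holding clear text: compare in constant time and
        // replace it with a hash when the check succeeds.
        // Assumption: no legacy clear-text value has the shape of a hash.
        $ok = hash_equals($stored, $candidate);
        return [$ok, $ok ? member_hash_password($candidate) : null];
    }
    if (!password_verify($candidate, $stored)) {
        return [false, null];
    }
    // Already hashed: re-hash only if the default algorithm or cost changed.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? member_hash_password($candidate)
        : null;
    return [true, $new];
}

// Constructed sample rows: legacy clear text, already hashed, and NULL.
$rows = [
    'legacy' => 'S3cret!',
    'hashed' => member_hash_password('S3cret!'),
    'none'   => null,
];
foreach ($rows as $label => $stored) {
    [$ok, $new] = member_check_password('S3cret!', $stored);
    printf("%-6s ok=%s upgrade=%s\n", $label, var_export($ok, true), $new === null ? 'no' : 'yes');
}
```

Upgrading at login leaves clear text in place for members who never log in again, so a one-time pass that hashes every remaining legacy value would still be needed to empty the table of clear-text passwords.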
