On Saturday, 25 June 2016, Xebax wrote:
> On Friday, 24 June 2016, Laurent Destailleur (aka Eldy) wrote:
> > If you need the login id and not the password, just keep the password
> > empty. The password for members is not used. It is just an information
> > stored when there is need to use dolibarr as a password referential for
> > members.
>
> Hi Laurent,
>
> The login/id and the password are both mandatory.
> When creating a member, the password is automatically filled and if
> it is cleared, the member cannot be created.
> If the password is cleared when modifying a member, it is not modified
> at all (that's a bit strange, by the way, I had to check the DB to
> confirm this behavior).
> The only way I have found to clear the password is to set it to NULL
> with a query in DB.
>
> Moreover I am very concerned about the password being stored in clear
> text for members. I see no point storing a hashed value for the users
> if the same password is stored in clear text in another table.
>
> I propose two improvements:
>
> 1) Add an option to the Members module: "Manage a password for
> members: Yes/No". This option would be visible only if "Manage a
> login/id for members" is enabled.
>
> 2) Always store the encrypted/hashed password and add a method to
> check the password (this method should also be available in the web
> services).
>
> What do you think about that?

This subject has already been discussed one year ago in the French forum:
http://www.dolibarr.fr/forum/510-adherentsassociation/52193-mots-de-passe-dans-la-table-des-adherents

and also in Doliforge:
https://lists.nongnu.org/archive/html/dolibarr-bugtrack/2015-03/msg00053.html
https://lists.nongnu.org/archive/html/dolibarr-tasktrack/2015-03/msg00004.html

The option "Encrypt passwords in DB" is available in the configuration but it is ignored. I think it's a bug. Do you agree with that?

If you are OK, I will enter an issue and try to fix it.

Have a nice day.

-- 
Xebax
_______________________________________________
Dolibarr-dev mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev
