The way we do this is having a syspref to choose between both ways, and a big sign on top of the release notes asking users to switch.

On Tue, 19 Jun 2018 at 9:25 p.m., Liz Rea <l...@catalyst.net.nz> wrote:

> The easy answer is: leave it alone for existing installs, default it on
> for new ones.
>
> On 20/06/18 12:19, David Cook wrote:
> >
> > I think that’s not a bad way of looking at it. If people do complain,
> > we can say that the change away was because of a commitment to patron
> > security and privacy. I would hope that people would find that
> > difficult to argue against.
> >
> > If I recall correctly, I think DSpace does it this way. When you
> > create a new user, I think it sends an email containing a URL with a
> > token to the user, and then they set their own password from there. It
> > works pretty well. Surely we could say “everybody else is doing it” as
> > well.
> >
> > But I know that there are a lot of libraries using this feature, and
> > it would be disruptive to their existing workflows for it to go away.
> > But… that’s also progress for you. So long as people have notice that
> > it’s going away before the upgrade, they’d have time to change their
> > workflows and adapt to a safer way of doing things?
> >
> > David Cook
> > Systems Librarian
> > Prosentient Systems
> > 72/330 Wattle St
> > Ultimo, NSW 2007
> > Australia
> >
> > Office: 02 9212 0899
> > Direct: 02 8005 0595
> >
> > From: Chris Cormack [mailto:chr...@catalyst.net.nz]
> > Sent: Wednesday, 20 June 2018 10:12 AM
> > To: koha-devel@lists.koha-community.org; David Cook
> > <dc...@prosentient.com.au>; 'Liz Rea' <l...@catalyst.net.nz>
> > Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS email
> > via message queue?
> >
> > We could make a list of them. It could be the "libraries who don't
> > care about their users' privacy" list.
> >
> > I'm only mostly joking
> >
> > Chris
> >
> > On June 20, 2018 12:06:52 PM GMT+12:00, David Cook
> > <dc...@prosentient.com.au> wrote:
> >
> > I think that would probably be the best way of going about it, but
> > I’m sure there are a lot of libraries that wouldn’t be happy about
> > it.
> >
> > David Cook
> > Systems Librarian
> > Prosentient Systems
> >
> > From: koha-devel-boun...@lists.koha-community.org
> > [mailto:koha-devel-boun...@lists.koha-community.org] On Behalf Of
> > Liz Rea
> > Sent: Tuesday, 19 June 2018 12:26 PM
> > To: koha-devel@lists.koha-community.org
> > Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS
> > email via message queue?
> >
> > I feel like instead of sending people a password, we should send
> > them to the "forgot password reset page" with a couple of slight
> > changes for new account holders, so they can set their own passwords.
> >
> > Seems better than sending the password in the clear in an email.
> >
> > Cheers,
> > Liz
> >
> > On 19/06/18 12:21, David Cook wrote:
> >
> > Cheers, Jonathan. I had totally forgotten about that. Yikes.
> >
> > Good call, Chris. While I think many mail servers these days use
> > TLS to secure the email between the mail servers, an unscrupulous
> > administrator could still certainly take advantage of people on
> > either end. The best idea probably is to just not use
> > AutoEmailOpacUser, as Jonathan seems to suggest.
> >
> > David Cook
> > Systems Librarian
> > Prosentient Systems
> >
> > From: Jonathan Druart [mailto:jonathan.dru...@bugs.koha-community.org]
> > Sent: Tuesday, 19 June 2018 12:07 AM
> > To: Christopher Nighswonger <chris.nighswon...@gmail.com>
> > Cc: David Cook <dc...@prosentient.com.au>; Koha Devel
> > <koha-devel@lists.koha-community.org>
> > Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS
> > email via message queue?
> >
> > It has been reported (by David) on our bug tracker already
> > (20796, security area, which no longer makes sense as it is public
> > now...)
> >
> > For information this notice contains the password in clear
> > for... 10 years now (bug 2149) and the behavior is turned off by
> > default (AutoEmailOpacUser).
> >
> > On Mon, 18 Jun 2018 at 10:11 Christopher Nighswonger
> > <chris.nighswon...@gmail.com> wrote:
> >
> > Considering that email is plaintext (AKA "postcard") mail, I'm
> > surprised we would send a user's password in an email in any case.
> >
> > On Mon, Jun 18, 2018 at 4:14 AM, David Cook
> > <dc...@prosentient.com.au> wrote:
> >
> > Considering that the borrower’s password is typically in the
> > ACCTDETAILS email, I think using the message_queue for ACCTDETAILS
> > would be a bad idea and would probably violate the GDPR in Europe.
> >
> > Just imagine looking through your database and seeing all those
> > plain text passwords, especially for people who re-use the same
> > password for everything. I think it would be a security and privacy
> > nightmare.
> >
> > David Cook
> > Systems Librarian
> > Prosentient Systems
> >
> > From: koha-devel-boun...@lists.koha-community.org
> > [mailto:koha-devel-boun...@lists.koha-community.org] On Behalf Of
> > Sophie Meynieux
> > Sent: Friday, 15 June 2018 9:33 PM
> > To: koha-devel@lists.koha-community.org
> > Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS
> > email via message queue?
> >
> > Maybe because for this message you're expecting it to be sent
> > immediately while message_queue table could be processed more
> > occasionally?
> >
> > Best regards
> >
> > S. Meynieux
> >
> > --
> > Liz Rea
> > Catalyst.Net Limited
> > Level 6, Catalyst House,
> > 150 Willis Street, Wellington.
> > P.O Box 11053, Manners Street,
> > Wellington 6142
> >
> > 04 803 2265
> > GPG: B149 A443 6B01 7386 C2C7 F481 B6c2 A49D 3726 38B7
> >
> > --
> > Sent from my Android device with K-9 Mail. Please excuse my brevity.

--
Tomás Cohen Arazi
Theke Solutions (https://theke.io)
✆ +54 9351 3513384
GPG: B2F3C15F
_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
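
The alternative proposed in the thread (mail a link with a token so the patron sets their own password, rather than mailing the password itself) is sketched here as an added example; it is not part of the thread and not Koha code, and it is written in Python purely for illustration. The class and function names, the URL layout and the two-day lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 2 * 24 * 3600  # assumed validity window: two days


class SetPasswordTokens:
    """Hypothetical token store; a real install would keep this in a table."""

    def __init__(self):
        self._rows = {}  # borrower id -> (sha256 hex of token, expiry time)

    def issue(self, borrower_id, now=None):
        """Create a single-use token; only its hash is kept server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._rows[borrower_id] = (digest, now + TOKEN_TTL)
        return token

    def redeem(self, borrower_id, token, now=None):
        """Return True once for a valid, unexpired token, then invalidate it."""
        now = time.time() if now is None else now
        row = self._rows.get(borrower_id)
        if row is None:
            return False
        digest, expires = row
        candidate = hashlib.sha256(token.encode()).hexdigest()
        # Constant-time comparison of the stored and presented hashes.
        if now > expires or not hmac.compare_digest(digest, candidate):
            return False
        del self._rows[borrower_id]  # single use
        return True


def welcome_notice(base_url, borrower_id, token):
    """Notice body that can be queued: it carries a link, never a password."""
    return (
        "Your library account has been created.\n"
        f"Set your password here: {base_url}/set-password"
        f"?id={borrower_id}&token={token}\n"
    )
```

With this shape, a queued copy of the notice and the token table hold nothing a patron could have re-used elsewhere, and a link read in transit stops working once it has been redeemed or has expired.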