Put a flag on the login entity, canresetpassword.
It is only set true when the customer login is first created.
This way others not normally able to canresetpassword can be manually set.
Can also add properties like canresetinternalorgpassword
so a scheduled service can verify nightly that the rules are complied with.

Mike sent the following on 7/30/2011 7:41 AM:
> There must be something more.  Any organization would have generic
> logins, like "sales", or it would be easy to guess employee logins
> from the "about us" page.  It makes sense that the password reset
> should be intended ONLY for customers, not (any) system-type login.
> 
> I would think that the password reset feature should be limited to
> certain roles, like "Customer".
> 
> On Sat, Jul 30, 2011 at 4:00 AM, BJ Freeman <bjf...@free-man.net> wrote:
>> for production systems do not use "admin" as a login.
>> it is never created.
>>
>> Mike sent the following on 7/30/2011 12:10 AM:
>>> Why is it that *any* user can, using the password reset or "Forgot
>>> Your Password" can actually force "admin" to change the password?  Is
>>> there a way to turn this off?
>>>
>>
> 
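The flag-plus-nightly-audit design proposed above, sketched as an added Python example (not code from this thread or from the project it discusses); the UserLogin record, the CUSTOMER role name and the sample logins are assumptions:

```python
from dataclasses import dataclass

# Assumed role name; the thread only says "certain roles, like Customer".
CUSTOMER_ROLE = "CUSTOMER"


@dataclass
class UserLogin:
    """Hypothetical login record carrying the flag proposed in the thread."""
    user_login_id: str
    roles: frozenset
    can_reset_password: bool = False


def create_login(user_login_id, roles):
    """The flag is set true only when a customer login is first created;
    system-type logins (admin, sales, ...) start with it false."""
    roles = frozenset(roles)
    return UserLogin(user_login_id, roles, CUSTOMER_ROLE in roles)


def may_reset_password(store, user_login_id):
    """Gate for the 'Forgot Your Password' flow. Unknown logins and logins
    without the flag get the same answer, so the response does not reveal
    which login ids exist."""
    login = store.get(user_login_id)
    return login is not None and login.can_reset_password


def audit_reset_flags(store):
    """Nightly check: every non-customer login that has the flag set.
    Each hit is either a deliberate manual exception or a misconfiguration
    that the reset flow above would otherwise honour."""
    return sorted(
        login.user_login_id
        for login in store.values()
        if login.can_reset_password and CUSTOMER_ROLE not in login.roles
    )


# Constructed sample store; "admin" and "sales" are the login names the thread mentions.
SAMPLE_STORE = {
    login.user_login_id: login
    for login in (
        create_login("admin", ["ADMIN"]),
        create_login("sales", ["EMPLOYEE"]),
        create_login("jdoe", [CUSTOMER_ROLE]),
        create_login("helpdesk", ["EMPLOYEE"]),
    )
}
# Simulate an operator manually flipping the flag on a non-customer login.
SAMPLE_STORE["helpdesk"].can_reset_password = True
```

Running the audit over the sample store reports only "helpdesk", the one non-customer login whose flag was set by hand.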