Comments (6)
I would like nothing to require e-mail validation, since on one of the current projects I am working on, there is no mail server. Overriding the register action of the RegisterController is easy enough to avoid e-mail if you just create this configuration option locally and then do an if/else case. The real security issue comes in with trying to make sure people can use the Forgot Password functionality. I am going to work around that by using challenge questions and, as a fallback if they forget the challenge questions, then tell the user to e-mail an admin.
Ignoring the issues with Forget Password, there are four use cases where e-mail validation comes into the picture: validation on registration only, never use e-mail validation, validation for both registration and forgot password, and validation on Forget Password only.
One option would be to make two properties like you have suggested.
grails.plugin.springsecurity.register.requireEmailValidation=True/False (default True)
grails.plugin.springsecurity.forgot.requireEmailValidation=True/False (default True)
The issue comes in if there are new e-mail validation flows added in the future; then we have to keep adding new properties. The other option would be a generic configuration property named grails.plugin.springsecurity.requireEmailValidation, which would be a list of flows where you want e-mail enabled. The default would be
grails.plugin.springsecurity.requireEmailValidation= [REGISTRATION, FORGOT]. Then if more e-mail flows are added in the future, the list of values would be updated. For my use case of never wanting e-mail, I would make the config an empty list or null, which, no matter how many new flows were added, would never use e-mail. Applications using the default additionally wouldn't need to make any changes. It would cause each application that wanted partial e-mail validation to consider e-mail validation if a new flow was added, and e-mail validation would be disabled until it was added, since you were overriding the plugin default config. This may be a good thing, since each developer can evaluate if the application warrants having e-mail validation turned on.
In circling back to the Forgot Password, I think by default it should not allow password resets if e-mail validation is disabled. I would think you want to tell users to e-mail some address that you can put in by customizing a view, or would require the developer to override the controller action with an alternate flow (as I am doing).
I would want Burt/Graeme to weigh in before I made a Pull request to determine how they would envision such a feature, if they would even accept a Pull request for it.
from grails-spring-security-ui.
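The list-based option proposed in the comment above, sketched as an added Groovy example that is not part of the comment or of the plugin's code. `EmailValidationPolicy`, its methods and the `hasOverride` flag are hypothetical names; only the property name and the flow names REGISTRATION and FORGOT come from the thread.

```groovy
// Added illustration; EmailValidationPolicy and its methods are hypothetical,
// not part of grails-spring-security-ui.
enum Flow { REGISTRATION, FORGOT }

class EmailValidationPolicy {
    // Plugin default proposed in the comment: every known flow validates by e-mail.
    static final List<Flow> PLUGIN_DEFAULT = [Flow.REGISTRATION, Flow.FORGOT]

    final Set<Flow> enabled

    // `configured` stands for the application's value of
    // grails.plugin.springsecurity.requireEmailValidation.
    // hasOverride (assumption) distinguishes "property not set" from "set to null".
    EmailValidationPolicy(boolean hasOverride, List configured) {
        List raw = hasOverride ? (configured ?: []) : PLUGIN_DEFAULT
        // Accept enum values or their names; an unknown name throws at startup
        // instead of silently disabling validation for that flow.
        enabled = raw.collect {
            it instanceof Flow ? it : Flow.valueOf(it.toString().toUpperCase())
        } as Set
    }

    boolean requiresEmail(Flow flow) { flow in enabled }

    // Fail closed: without e-mail validation a reset is allowed only when the
    // application supplies its own verification (e.g. challenge questions).
    boolean passwordResetAllowed(boolean hasAlternateVerification) {
        requiresEmail(Flow.FORGOT) || hasAlternateVerification
    }
}

// No override: the plugin default applies to both flows.
def defaults = new EmailValidationPolicy(false, null)
assert defaults.requiresEmail(Flow.REGISTRATION) && defaults.requiresEmail(Flow.FORGOT)

// Empty list (or null) override: e-mail is never used, whatever flows exist.
def noMail = new EmailValidationPolicy(true, [])
assert !noMail.requiresEmail(Flow.REGISTRATION)
assert !noMail.passwordResetAllowed(false)   // default view: contact an admin
assert noMail.passwordResetAllowed(true)     // overridden flow with challenge questions

// Partial override: a flow not listed stays off until the developer adds it.
def partial = new EmailValidationPolicy(true, ['registration'])
assert partial.requiresEmail(Flow.REGISTRATION) && !partial.requiresEmail(Flow.FORGOT)
```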
I have finished writing the code for this but still have to do the testing. I wrote it against the master branch, which is probably not what I should have done 😞 I would want it to go in the latest/next version of the code base; is that the 3.0.x branch?
I ended up going with my two parameter system and then added some additional parameter around Password Reset validation that can be used with/without e-mail validation. The MVP feature was to add one parameter that a user could enter to compare against, but that parameter can be stored in any domain object so long as that domain object has a reference back to the user.
Please check out the code in my branch and let me know any feedback before I submit a pull request... also, if anybody wants to write some tests, that would be great!
from grails-spring-security-ui.
I just created Pull Request #94. I would still be open to some feedback on what I did, or at least a code review.
from grails-spring-security-ui.
@amondel2 let me know if you'd like assistance with documentation. I'm happy to help.
from grails-spring-security-ui.
I did check in most of the configuration sections with the commit you already reviewed, but it hasn't been grammar and spell checked. I also think I need some screenshots for some of the other sections, so maybe you could get them. I was meaning to get to it two days ago, but the new goal is now this weekend.
from grails-spring-security-ui.
Reviewed, squashed and merged.
All of your hard work is very much appreciated.
Thank-you @amondel2 ! ✨ 🎉
from grails-spring-security-ui.