forked from Pylons/cartouche
TODO.txt
``cartouche`` TODOs
===================

Registration
------------

- [X] Define "minimal" registration schema using ``deform``.

  * ``email`` is the only initially-required field.
  * Save a quasi-random token in a persistent mapping,
    keyed by e-mail address.
  * Redirect to URL with ``email`` in query string.
  * Send confirmation e-mail with token to be cut and pasted into
    the second page.
  * Include a link to the confirm page in the mail.
  * Make confirmation URL configurable via Pyramid ``settings``.

- [X] When the token is confirmed, add the e-mail-confirmed user to the ``ZODB`` user store.

  * If an ``IAutoLogin`` utility is configured, use it to auto-login the
    user; otherwise, generate a random password and e-mail it to the
    user.
  * Redirect to the "edit account" page by default (configurable
    via the Pyramid ``settings``).

Update Account Login
--------------------

- [X] Update login / password / security question.

  * Allow user to pick login name, defaulting to e-mail address.
  * *If* the existing password is set, **require** it and check it.
  * Allow the user to enter and confirm a password.
  * Hash password using ``zope.password`` utility.
  * Update the security question and answer.
  * Store the updated record both by email and by (new) login;
    remove any record for the old login.
  * Check for uniqueness of login name.
  * Make the "after edit" URL configurable via Pyramid ``settings``.

Login / Logout
--------------

- [X] Implement login view following the ``repoze.who`` 2.0 docs.

  * Compare passwords using ``zope.password`` utility.
  * Link to account recovery view.
  * Link to password reset view.
  * Handle ``came_from`` URLs properly.
  * DO NOT inform the user if there is no matching login.

- [X] Implement logout view following the ``repoze.who`` 2.0 docs.

  * Display a confirmation dialog and require POST.
  * Make after-logout URL configurable via Pyramid ``settings``.

Account Recovery
----------------

- [X] Prompt the user for their e-mail address.

  * On POST, send the user an e-mail reminding them of their login name,
    and redirect to the login view.
  * Make login URL configurable via Pyramid ``settings``.
  * DO NOT tell the user if there is no matching email address.

Password Reset
--------------

- [X] Prompt the user for their login name.

  * On POST without token, generate and save a quasi-random token
    on the user's record. Render the form showing the token and
    password fields.
  * Send the user an e-mail containing the token, directing them to
    cut-and-paste it into the view.
  * Include a link to the view in the e-mail.
  * On POST with mismatched token, display an error.
  * On POST with the matching token, if an ``IAutoLogin`` utility is
    configured, use it to auto-login the user; then redirect to the
    "after reset" URL.
  * On POST with the matching token, if no ``IAutoLogin`` utility is
    configured, generate a random password and e-mail it to the user;
    then redirect to the "after reset" URL.
  * Make "after reset" URL configurable via Pyramid ``settings``.
  * DO NOT tell the user if there is no matching login.

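The reset flow described above, written out as an added example (this is not cartouche's own code): the two POST branches, a constant-time token check, and the "DO NOT tell the user if there is no matching login" rule, which the Login section applies as well. The in-memory ``USERS`` dict, ``SENT_MAIL`` list and PBKDF2 helper are stand-ins for the ZODB user record, e-mail delivery and the ``zope.password`` utility.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store keyed by login name (stands in for the
# per-user ZODB record that cartouche keeps).
USERS = {
    "alice": {"email": "alice@example.test", "password_hash": None,
              "reset_token": None},
}
SENT_MAIL = []  # constructed stand-in for outgoing e-mail: (to, body)


def _hash_password(password):
    """PBKDF2-HMAC-SHA256 stand-in for the ``zope.password`` utility."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def request_reset(login):
    """POST without token: mint a token, mail it, and reply with the same
    text whether or not ``login`` exists, so the form leaks no account names."""
    user = USERS.get(login)
    if user is not None:
        user["reset_token"] = secrets.token_urlsafe(24)
        SENT_MAIL.append((user["email"], "Reset token: " + user["reset_token"]))
    return "If that login exists, a reset token has been e-mailed."


def confirm_reset(login, token):
    """POST with token: verify it in constant time; on a match take the
    no-``IAutoLogin`` branch (random password, e-mailed) and clear the token
    so it is single-use. Returns the redirect target or an error."""
    user = USERS.get(login)
    expected = (user or {}).get("reset_token") or ""
    # compare_digest avoids a timing side channel; an empty expected token
    # (unknown login, or no pending reset) never matches a non-empty one,
    # and the empty/empty case is rejected explicitly.
    if not token or not hmac.compare_digest(expected.encode(), token.encode()):
        return {"error": "Token mismatch."}  # same reply for unknown logins
    new_password = secrets.token_urlsafe(12)
    user["password_hash"] = _hash_password(new_password)
    user["reset_token"] = None
    SENT_MAIL.append((user["email"], "New password: " + new_password))
    return {"redirect": "/after_reset"}
```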
``repoze.who`` Authentication Plugin
------------------------------------

- [X] Enable use of real persistent store for ``repoze.who`` API.

  * Prefer a configured ``IPlugins`` adapter, if available.
  * Else use the ``repoze.who.zodbconn`` in the environment, if present.
  * Otherwise, use ``zodb_uri`` from plugin section of who config.

``pyramid`` Authentication Policy
---------------------------------

- [X] Implement interface for use within ``pyramid`` sans ``repoze.who`` m/w.

  * N.B.: unlike the policy in ``pyramid_who``, do *not* use a
    callback: instead, use the ``IRegistrations`` adapter to confirm user
    existence, falling back to ``ConfirmedRegistrations(context)``.
  * Add the ZCML directive to configure this policy.
  * Document using the policy.

- [X] Extend ``effective_principals`` to include groups defined in admin UI.

User / Group Administration
---------------------------

- [X] Implement a storage for groups.

  * Key group name -> member UUIDs
  * Key member UUID -> group names

- [X] Add a command-line script to make an existing user an admin.
- [X] Add an admin overview view showing pending / confirmed users.