|
|
|
|
@ -529,6 +529,36 @@ for every assignment of the same exercise. This separation is natural for all
|
|
|
|
|
users, in CodEx it is implemented in similar way and no other considerable
|
|
|
|
|
solution was found.
|
|
|
|
|
|
|
|
|
|
### Forgotten password
|
|
|
|
|
|
|
|
|
|
With authentication and some sort of dealing with passwords is related problem
|
|
|
|
|
with forgotten passwords. People easily forget them and there has to be some
|
|
|
|
|
kind of mechanism to retrieve new password or change old one. Problem is it
|
|
|
|
|
cannot be done in totally secure way but we can at least come quite close to it.
|
|
|
|
|
But lets start from the beginning there are ways to handle that which are
|
|
|
|
|
absolutely not secure and recommendable, for example sending old password
|
|
|
|
|
through email. Better solution but still not secure is to generate new one and
|
|
|
|
|
again send it through email. This solution was provided in CodEx, users had to
|
|
|
|
|
write email to administrator who generated new password and sent it back to
|
|
|
|
|
sender. This simple solution could be also automated but administrator had quite
|
|
|
|
|
a big control over whole process which might come in handy there could be some
|
|
|
|
|
additional checkups for example, but on the other hand it can be quite time
|
|
|
|
|
consuming.
|
|
|
|
|
|
|
|
|
|
Probably the best solution which is quite used and fairly secure is following.
|
|
|
|
|
Lets consider only case in which all users have to fill email addresses into
|
|
|
|
|
system and these addresses are safely in the hands of the right users. At the
|
|
|
|
|
beginning user finds out that he/she does not remember password after that user
|
|
|
|
|
requests password reset and fill in his/her unique identifier, it might be email
|
|
|
|
|
or unique nickname. Based on matched user account system generates unique access
|
|
|
|
|
token and sends it user email address. Tokens should be time limited and usable
|
|
|
|
|
only once so they cannot be misused. User then takes token or address which was
|
|
|
|
|
provided in email and go to system in appropriate section, where new password
|
|
|
|
|
can be set. After that user can sign in with his new password. As stated this
|
|
|
|
|
solution is quite safe and user can handle it on its own administrator does not
|
|
|
|
|
have to worry about it. That is why this approach was chosen to be used in
|
|
|
|
|
ReCodEx.
|
|
|
|
|
|
|
|
|
|
### Evaluation unit executed by ReCodEx
|
|
|
|
|
|
|
|
|
|
One of the bigger requests for the new system is to support a complex
|
|
|
|
|
@ -1455,8 +1485,6 @@ thanks to the simple authentication flow. Replacing these services in a Nette
|
|
|
|
|
application is also straightforward, thanks to its dependency injection
|
|
|
|
|
container implementation.
|
|
|
|
|
|
|
|
|
|
@todo: solution of forgotten password, why this in particular
|
|
|
|
|
|
|
|
|
|
@todo: rest api is used for report of backend state and errors, describe why and other possibilities (separate component)
|
|
|
|
|
|
|
|
|
|
@todo: mail reports - to users, admins
|
|
|
|
|
|
Martin Polanka
8 years ago