User account creation #51

Closed
iangreenleaf opened this issue Dec 19, 2012 · 5 comments

@iangreenleaf
Member

Various things for the standard authentication system:

  • Login page
    • Helpful errors when login fails
  • Forgot password page
  • User account creation
    • Special constraints - you get an account if you confirm ownership of a .grinnell.edu email address. Otherwise it gets moderated by the admins. Probably just mimic whatever process happens on the current site.
  • Limit access of most pages to logged-in users
  • Ability to log out

A lot of this stuff already exists, but I do not know exactly what. And some of it probably needs some polishing.

@iangreenleaf
Member Author

I know @JanKoszewski was experimenting with replacing authlogic with devise, but I don't know the status of that experiment.

@lundersaur
Contributor

regarding "Helpful errors when login fails", do we want to identify incorrect password vs unknown username? it's a potential vulnerability to give outsiders a view of valid usernames.

of course, i'm not sure that we need to be too worried about that, but it's something to consider.

@iangreenleaf
Member Author

For now? Either way.

I always think it's bullshit when sites refuse to tell me which one I got wrong, since I think it's rare that there's not an oracle for that information elsewhere (usually in that site's "forgot password?" flow). But the most common practice is to do it that way, so who am I to complain?
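The two comments above raise the same leak from both sides: the login error message and the "forgot password?" flow. The sketch below is an added example, not part of the thread and not this project's code. It closes both by returning one message per flow whether or not the account exists, and by doing the same hash work for unknown usernames. `UserStore`, `RESET_SENT` and the outbox standing in for the mailer are hypothetical.

```ruby
require "openssl"
require "securerandom"

# Added example: uniform responses for login and password reset.
# UserStore, LOGIN_FAILED and RESET_SENT are hypothetical names.
LOGIN_FAILED = "Invalid username or password."
RESET_SENT   = "If that account exists, a reset link has been sent."

class UserStore
  ITER = 10_000 # kept low for the demo; tune the cost in real code

  attr_reader :outbox

  def initialize
    @users  = {}
    @outbox = [] # stands in for the mailer
    # Dummy record so an unknown username costs the same hash work.
    @dummy = make_record(SecureRandom.hex(16))
  end

  def add(username, password)
    @users[username] = make_record(password)
  end

  # Same message for a wrong password and an unknown username.
  def login(username, password)
    rec = @users.fetch(username, @dummy)
    ok  = secure_eq(hash_pw(password, rec[:salt]), rec[:hash])
    ok && @users.key?(username) ? "Welcome" : LOGIN_FAILED
  end

  # Mail is queued only for real accounts; the reply never varies.
  def request_reset(username)
    @outbox << [username, SecureRandom.urlsafe_base64(32)] if @users.key?(username)
    RESET_SENT
  end

  private

  def make_record(password)
    salt = SecureRandom.random_bytes(16)
    { salt: salt, hash: hash_pw(password, salt) }
  end

  def hash_pw(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITER, 32, OpenSSL::Digest.new("SHA256"))
  end

  # Comparison that does not stop at the first differing byte.
  def secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Account creation needs the same treatment, since a "username already taken" error answers the same question.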

@jamesprior
Contributor

Currently the login page says "Username/Password combination is not valid" when it fails, the PHP version says "Invalid username or password. " That seems sufficient to me for the login page.

The forgot password page needs creating

The user account creation page sends an email, but the link in the email is unroutable. The forgot password page needs a working link in the email and the pages could do with a layout.

Most pages limit access, but the admin pages need to be limited.

The logout action seems to work

@iangreenleaf
Member Author

Looks like this is all fixed. Thanks for all your hard work, @jamesprior!
