Vincent Panel wrote:
Thanks, but as discussed, even creating a user able to reset all the
userPassword attributes of all other users is not security risk free.
This is what I call a privileged user and I would like to avoid it.
You can't avoid it if the reset service has to run automagically.
Drupal already supports such a solution, but I don't find it
secure
enough.
Then you have to add some human admin interaction.
I had an interesting suggestion on the list : to create a database
of
temporary security objects where drupal is the only one who knows the
passwords. Each temporary security object is able to reset one
password in the main database (by the use of regex ACLs) and only
once.
Yes, but these "temporary security objects" have to be generated. If you
do this automagically you have a privileged service account which resets
the user's password in combination with a e-mail based
challenge-response check. I don't think it's a big security issue
though. IMO if you suspect your password reset web component being
compromised you should worry about much more in the whole system.
Ciao, Michael.