Updated by Parimal Satyal about 1 year ago
**As** an OpenProject administrator
**I want to** be made aware of the dangers of automatic self registration
**so that** I realise that unknown users could gain access to my projects.
#### **Acceptance criteria**
**Restructure admin page**
For _Administration → Authentication → Authentication Settings:_
* Rename 'Authentication settings' to 'General'
* Split the contents of the page into two different tabs as follows:
  * **'Login and SSO'** groups these existing sections:
    * Single sign-on
    * Automated user blocking
    * Session
    * Others
  * **'Registration'** groups these existing sections:
    * General
    * Registration footer
    * Passwords
**Add warning banner for self-registration**
In the Login and SSO page, for the 'Self-registration' drop down:
* If 'Account activation by email' or 'Automatic account activation' is selected, show a warning banner below the field:
  * Text: "The user will be able to activate their own accounts. Please note that this will give them access to all public projects and their content. Please make sure that no sensitive or private data is exposed in public projects."
**Project settings**
_In {Project name} → Project settings → Information:_
* Remove 'Visibility' section with the 'Public' checkbox
  * _The checkbox does not communicate the full gravity of the action. This action should have a similar weight to archiving a project._
* If a project is not public:
  * Add option "Make project public" to the More (⋯) menu
  * On click, show DangerConfirmationDialog:
    * Title: "Make this project public?"
    * Text: Anyone who has access to this instance will be able to view and interact with this project depending on their role and authentication settings. Sub-projects are not affected and have their own settings.
    * Checkbox label: I understand that this will make the previously private content public
    * Primary action: Confirm
    * Secondary action: Cancel
* If a project is public:
  * Add option "Make project private" to the More (⋯) menu
  * On click, show DangerConfirmationDialog:
    * Title: "Make this project private?"
    * Text: The project will only be visible to project members depending on their role and associated permissions.
    * Checkbox label: I understand that this will make the previously public content private.
    * Primary action: Confirm
    * Secondary action: Cancel
  * Add a warning banner (yellow) to the top of the page:
    * Text: This project is public. Anyone who has access to this instance will be able to view and interact with this project depending on their role and associated permissions. Sub-projects are not affected and have their own settings.
    * Primary action: Make private (shows the DangerConfirmationDialog described above)
#### **Technical notes**
* The default value for the self registration setting is manual activation which is safe