View differences
Updated by Max Mutzge about 5 years ago
**Previous version**

To avoid confusion, improve the user experience and reduce the workload for support (only small effect) @Robin Wagner and I propose the following changes:

Current situation: Basically, there are three cases (from a user's perspective):
* user forgot his/her password
* user forgot or misspelled his/her password and gets blocked temporarily
* user has been locked permanently by an admin

The current situation and the "process" can be found in this overview, as well as the proposed solution (desired changes marked with dotted box in the lower display):
(image: /api/v3/attachments/20830/content)

**Acceptance criteria**
_("Optional" points can be dropped if the implementation effort would exceed the benefits)_
* Split error message in two cases:
* Change error message for wrong password and for temporary block to: "Invalid username or password. If your credentials are correct, your account may have been blocked due to multiple failed login attempts. If so, it will be unblocked automatically in a short time. For questions please contact your administrator."
* Optional: Add link to the password reset screen, like so: "Invalid username or password. \[Click here if you forgot your password.\] <br> If ..."
* Optional: Change error message for permanently locked users to: "Your account has been locked by an administrator. For questions please contact your administrator."
* Optional: Unify behavior of the application after having entered an email address for password reset: Redirect to sign in page also for non-existing (i.e. unknown) email addresses
* When a user who has been permanently locked tries to reset his/her password send this email instead of the password reset email: "Your account has been permanently locked. For questions please contact your administrator"
* Optional: Option for administrators to enter some form of contact details for contacting the admin

**To be discussed**
* When a user who has been blocked temporarily resets his/her password he/she should be able to log in with the new password (currently the block is not lifted when resetting the password)

**Updated version**

**As** an OpenProject user
**I want to** get an error message which doesn't tell me "your account is locked" or "you tried a wrong username/password multiple times" although this is not true when I enter a wrong username or password
**so that** I don't get confused.

**Acceptance criteria**
* Change error message for failed login attempt: "Invalid user name or password entered. Please try again or use the link 'Forgot your password?'"
* If possible, link text "Forgot your password?" to the password reset screen (/account/lost\_password)
* Additional error message when the user is blocked: "User account has been locked temporarily due to multiple failed login attempts. It will be unlocked automatically in a short time. Alternatively, please contact your admin to be unlocked."

**To be discussed**
* Verify that these two cases do not pose an additional security risk.

### Current situation
(image: /api/v3/attachments/20367/content)
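Added illustration, not OpenProject's own code: a minimal login and password-reset flow that returns the messages from the updated acceptance criteria, keeps the unknown-user and wrong-password responses identical so the form does not reveal which logins exist, and answers a reset request for an unknown address with the same redirect as for a known one. The module name, attempt threshold, block window, user store and sign-in path are assumptions.

```ruby
require "digest"

# Hypothetical module; threshold, block window and "/login" path are assumed.
module LoginFeedback
  MAX_FAILED_ATTEMPTS = 3   # assumed: failures before a temporary block
  BLOCK_SECONDS       = 60  # assumed: length of the temporary block

  INVALID_CREDENTIALS = "Invalid user name or password entered. " \
                        "Please try again or use the link 'Forgot your password?'"
  TEMP_BLOCKED = "User account has been locked temporarily due to multiple failed " \
                 "login attempts. It will be unlocked automatically in a short time. " \
                 "Alternatively, please contact your admin to be unlocked."
  ADMIN_LOCKED = "User account has been locked by an administrator. " \
                 "For questions please contact your administrator."

  # Constructed in-memory user record (a real app would use its user model).
  User = Struct.new(:login, :email, :pw_digest, :admin_locked, :failed, :blocked_until)

  def self.user(login, email, password, admin_locked: false)
    User.new(login, email, Digest::SHA256.hexdigest(password), admin_locked, 0, nil)
  end

  # Returns [status, message]. Unknown login and wrong password share one message;
  # a block is reported only once the threshold is reached or while it is active.
  def self.attempt(users, login, password, now: Time.now)
    u = users[login]
    return [:invalid, INVALID_CREDENTIALS] if u.nil?
    return [:admin_locked, ADMIN_LOCKED] if u.admin_locked
    return [:temp_blocked, TEMP_BLOCKED] if u.blocked_until && now < u.blocked_until
    if u.pw_digest == Digest::SHA256.hexdigest(password)
      u.failed = 0
      u.blocked_until = nil
      return [:ok, nil]
    end
    u.failed += 1
    if u.failed >= MAX_FAILED_ATTEMPTS
      u.blocked_until = now + BLOCK_SECONDS
      return [:temp_blocked, TEMP_BLOCKED]
    end
    [:invalid, INVALID_CREDENTIALS]
  end

  # Reset request: identical redirect for known and unknown addresses; a
  # permanently locked user receives the "locked" notice instead of a reset link.
  def self.reset_request(users, email)
    u = users.values.find { |x| x.email == email }
    mail = if u.nil? then nil elsif u.admin_locked then :locked_notice else :reset_link end
    { redirect: "/login", mail: mail }
  end
end
```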