Textpattern CMS support forum

#1 2020-12-20 13:14:09

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,134
GitHub

Admin-side login name - can it be an email address?

Can someone logging into Textpattern use their email address instead of their real name or username?

Assumptions: an email address is unique, two user accounts cannot have the same email address, so it’s not a stretch to permit email-address-as-an-identifier for logins…right?

(I have gone back and forth on whether I should know this, but it’s Sunday and I’m very low on sleep so cut me a little slack before you berate me. Thaaaaaanks.)

#2 2020-12-20 13:59:02

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,595
GitHub Twitter

Absolutely agree!

That’s a feature I would like to see for Textpattern: an email address is simpler to memorize than a name/identifier, too.


Patrick.

Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.

#3 2020-12-20 14:01:23

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250
Website GitHub

They can’t log in using the email address at present, no. Unless when the account is set up, the email address is also used as their login name.

It might be a nice idea if the incoming login name looks like an email address to match on that column. Any security implications here, given that we’d also have to open it up to the “forgot password” too? Seems fine to me.

Could be a feature request that I don’t think would be hard to implement. Though if anybody is currently using the email address as a login name, that might break their experience (though the same email is used in both fields so it should work okay). I know of at least one system in the wild doing this.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

#4 2020-12-20 17:22:35

gaekwad

Thanks, Bloke. Thanks, Pat64. Extra brains are greatly appreciated!

github.com/textpattern/textpattern/issues/1614 for consideration.

#5 2020-12-21 07:56:22

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,529
Website GitHub Twitter

Hi

Don’t forget that you can have multiple accounts using the same email in Textpattern.

Cheers.

#6 2020-12-21 08:01:55

gaekwad

Dragondz wrote #327711:

Don’t forget that you can have multiple accounts using the same email in Textpattern.

Rabah is correct.

Today I learned >1 account can have the same email address. Hmm.

#7 2020-12-21 09:51:17

Bloke

gaekwad wrote #327712:

>1 account can have the same email address.

Good catch. I forgot I actually use this feature to bypass the ‘one concurrent login’ restriction on the admin side. See GitHub discussion for more.

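An added example, not part of the thread and not Textpattern's code: one way the lookup suggested in post #3 could handle the shared-email case raised in posts #5 to #7. The table layout, function names and accounts are constructed for this sketch, written in Python with SQLite so it runs stand-alone.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed accounts: "alice" and "alice-2" share one mailbox, which the
# thread notes is allowed; "carol" uses her email address as her login name.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "correct horse"),
    ("alice-2", "alice@example.com", "battery staple"),
    ("bob", "bob@example.com", "hunter2 but longer"),
    ("carol@example.com", "carol@example.com", "tr0ub4dor&3"),
]
DUMMY_SALT = b"\x00" * 16

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def build_db():
    """In-memory table; the column names are assumptions of this sketch."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT, salt BLOB, pass BLOB)")
    for name, email, password in SAMPLE_USERS:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (name, email, salt, kdf(password, salt)))
    return db

def authenticate(db, identifier, password):
    """Return the matched login name, or None for every kind of failure."""
    query = "SELECT name, salt, pass FROM users WHERE "
    # 1. An exact login-name match wins, so existing logins keep working.
    rows = db.execute(query + "name = ?", (identifier,)).fetchall()
    # 2. Only then treat an email-shaped identifier as an email address.
    if not rows and "@" in identifier:
        rows = db.execute(query + "lower(email) = lower(?)", (identifier,)).fetchall()
    # 3. No match, or an email shared by several accounts: refuse instead of
    #    guessing or testing one password against every account (a design
    #    choice of this sketch). Hash anyway so the failure costs similar time.
    if len(rows) != 1:
        kdf(password, DUMMY_SALT)
        return None
    name, salt, stored = rows[0]
    return name if hmac.compare_digest(kdf(password, salt), stored) else None

if __name__ == "__main__":
    db = build_db()
    for ident in ("bob@example.com", "alice@example.com", "alice", "carol@example.com"):
        print(ident, "->", authenticate(db, ident, "correct horse"))
```

The caller sees the same `None` for a wrong password, an unknown identifier and an ambiguous email, so the login form does not reveal which addresses are shared.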

#8 2020-12-21 10:35:26

gaekwad

Bloke wrote #327713:

I forgot I actually use this feature to bypass the ‘one concurrent login’ restriction on the admin side.

I should know this…what’s the rationale behind the rule? I know there’re CSRF implications but since it’s trivial to have an additional user logged in (per your workaround), do we have enough clout to make that “the way” if someone wants to do this?

#9 2020-12-21 10:44:50

Bloke

gaekwad wrote #327714:

what’s the rationale behind the rule?

I have no idea! Ruud implemented it in, what, 4.0.6? Just been that way ever since.

do we have enough clout to make that “the way” if someone wants to do this?

I was thinking about this. The only way I can think of doing it is with a pref ‘maximum simultaneous logins’ or somesuch. But then there’s the issue of which one’s oldest – which do you kick off when the limit’s exceeded, given we don’t know when someone logged in (beyond the month, thanks to the vagaries of the login cookie)?


#10 2020-12-21 10:57:02

gaekwad

Bloke wrote #327715:

The only way I can think of doing it is with a pref ‘maximum simultaneous logins’ or somesuch.

I think that’s too much choice, honestly. If there’s an appetite for multiple login sessions (e.g. one at work, one from home), that should be possible. The token will match per-browser, so there’s minimal CSRF impact, and an average user will be logged in at ~1 place at once. There’s a collision risk of two people doing something on the same account on the same content at the same time, but it’s minimal.

If people are sharing accounts, that’s understandable, but we could reinforce the importance of having atomic logins for people since personnel change over time and any admin worth their salt will want to keep things safe (e.g. not having a single user with shared credentials…hello there, SolarWinds).

#11 2020-12-21 11:19:24

Bloke

gaekwad wrote #327716:

There’s a collision risk of two people doing something on the same account on the same content at the same time, but it’s minimal.

There’s a collision risk of two people doing something from different accounts on the same content at the same time :) Not much we can do about that. We sort of guard against it in the Write panel, and it’d be interesting to note (if and when we permit multiple logins) whether changing something in one browser will cause the warning to appear in another browser using the same login.

EDIT: Interestingly, we could extend this to templates now. We added a lastmod field to pages, forms and styles for another part of the theme engine that never got implemented. By adding ‘lastmodby’ and sticking the author in there, we could then pop up a warning if the content has been modified by someone else in the meantime.

If people are sharing accounts, that’s understandable

My guess is this is the main rationale behind the restriction. Especially publisher accounts: we don’t want sharing under normal circumstances.

So how about a yes/no pref? Enable multiple logins from the same account? With it set to No by default to preserve today’s world?

Last edited by Bloke (2020-12-21 11:21:38)


#12 2020-12-21 11:21:51

gaekwad

Bloke wrote #327720:

So how about a yes/no pref? Enable multiple logins from the same account? With it set to No by default to preserve today’s world?

Subject to security implications checks, extra eyeballs would be useful, that sounds appropriate. Great idea.
