Bug 51001
| Summary: | Improve usability if password self reset is disabled | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Sönke Schwardt-Krummrich <schwardt> |
| Component: | Self Service | Assignee: | Dirk Wiesenthal <wiesenthal> |
| Status: | CLOSED FIXED | QA Contact: | Johannes Keiser <keiser> |
| Severity: | enhancement | ||
| Priority: | P5 | CC: | best, botner, markus.daehlmann, steuwer, wiesenthal |
| Version: | UCS 4.4 | ||
| Target Milestone: | UCS 4.4-4-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| What kind of report is it?: | Bug Report | What type of bug is this?: | 2: Improvement: Would be a product improvement |
| Who will be affected by this bug?: | 3: Will affect average number of installed domains | How will those affected feel about the bug?: | 1: Nuisance – not a big deal but noticeable |
| User Pain: | 0.034 | Enterprise Customer affected?: | |
| School Customer affected?: | Yes | ISV affected?: | |
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | Usability | |
| Max CVSS v3 score: | |||
| Attachments: | Screencapture of self service | ||
I'ts uncommon to activate the self service without password reset functionality. If needed the links of the SAML login page can be configured to guide the user - see #50609 #50610 #50608 This Bug should address the links in the self service itself and remove the "password forgotten" functionality if deactivated. Using this bug to make it configurable whether you want to see a subpage (for every subpage): New: umc/self-service/passwordchange/frontend/enabled umc/self-service/passwordreset/frontend/enabled umc/self-service/protect-account/frontend/enabled Already existed: umc/self-service/account-verification/frontend/enabled umc/self-service/account-registration/frontend/enabled umc/self-service/profiledata/enabled Furthermore, we can also disable the backend (raising a UMC Error if the umc action of the self service module is called): umc/self-service/passwordreset/backend/enabled umc/self-service/protect-account/backend/enabled Does not make sense for umc/self-service/passwordchange/backend/enabled (and therefore it does not exist) as the backend functions are not in the UMC module, but are built in the UMC server directly. If you navigate to the self service page with a certain subpage that is disabled, you now get a 404 message. univention-self-service 4.0.3-19 univention-management-console 11.0.4-62 Added 83_self_service/07_test_frontend_links in ucs-test 9.0.3-189A~4.4.0.202004201338 It only tests the frontend UCR variables, though. please have a look at the test 83_self_service.01_test_reset_via_email.master091 83_self_service.04_user_invitation.master091 83_self_service.07_test_frontend_links.master091 these test are broken now Fixed the tests. OK: 404 page OK: passwordreset (Password forgotten) - frontend OK: passwordreset (Password forgotten) - backend OK: setcontactinformation (Protect account) - frontend OK: setcontactinformation (Protect account) - backend OK: passwordchange (Password change) - frontend OK: passwordchange (Password change) - backend // no UCR var since no umc command OK: doc OK: defaults are still the same OK: yaml (In reply to Felix Botner from comment #4) > please have a look at the test > > 83_self_service.01_test_reset_via_email.master091 > 83_self_service.04_user_invitation.master091 > 83_self_service.07_test_frontend_links.master091 > > these test are broken now OK: fixed -> verified |
Created attachment 10331 [details] Screencapture of self service If the password reset self service is deactivated via UCR, there is still room for improvement in terms of usability. The standard login page and the single sign-on login page contain a link ("Forgot password") that refers directly to the self service. In the self service, the three actions/tabs "Forgot password", "Protect account access" and "Change password" are then offered. But only the last item can be used by the user. With the first two points, one is first offered a login and then, after entering the credentials, the user is informed that this function has been deactivated via UCR. This warning message is not understood by all users. Why don't we hide the two actions "Forgot password" and "Protect account access" completely if the UCR variable deactivates this? See also the attached screencapture.