When email login is enabled, the `email` of a user should also be his "user id", just as his `id`

(This post somehow continues the discussion in "Getting a user id through REST API: vicious circle, or how to get this user id just from his email?".)

When email login is enabled on a Plone site, the email of a user should also be his "user id", just as his id. Hence, for a user such as:

  {
    "@id": "http://localhost:55001/plone/@users/noam",
    "description": "Professor of Linguistics",
    "email": "noam.chomsky@example.com",
    "fullname": "Noam Avram Chomsky",
    "home_page": "web.mit.edu/chomsky",
    "id": "noam",
    "location": "Cambridge, MA",
    "portrait": null,
    "roles": [
      "Member"
    ],
    "username": "noam"
  }

the "@id" should also be:

http://localhost:55001/plone/@users/noam.chomsky@example.com

or at least this should silently redirect to

http://localhost:55001/plone/@users/noam

This would make the life of the site manager simpler, as he would just have to deal with emails and wouldn't have to be bothered with the "real" id.

Well, I disagree. The user ID is static and what's stored; the login name can change over time (i.e. new email address). I tend to use UUIDs as user ID anyway, such that fullname and e-mail may change w/o any implications.

But since it's a setting, it's doable to add a new checkbox in the settings and change Plone to use the email as user ID, if there is the need. Pull requests appreciated!

> Well, I disagree. The user ID is static and what's stored; the login name can change over time (i.e. new email address). I tend to use UUIDs as user ID anyway, such that fullname and e-mail may change w/o any implications.

Ah... I thought the logins were impossible to change and hence enabling email login made it impossible to change the email login address (but still allowed changing the email used e.g. for the password reminder, modifiable at .../@@personal-information).

The problem is, with email login enabled, it is a track game to figure out what is the id of a user, sometimes needed, e.g. for getting all details of a user through Plone RESTful API.

> But since it's a setting, it's doable to add a new checkbox in the settings and change Plone to use the email as user ID, if there is the need. Pull requests appreciated!

Well, far beyond my skills :)

Not using UUIDs as user IDs might be a security risk (?), since it is possible that a new user has the same email that another user once had.

Someone correct me if I am wrong, but I think this could happen.

  1. user john@somecompany.com has been added to the admin group or been shared a folder

  2. user john leaves the company and user is deleted

  3. Another employee gets the john@somecompany.com email and registers with this

  4. The 'new' John has access to the shared folder (etc.)


Yes, recycling of emails (using email as login) may result in security problems (but this is valid for other sectors of the organization too).

Also, a manually selected userid (or one derived from the name) may result in issues. If a user is removed from the system, the owner and local roles information may still contain this name, which is fine. If a new user joins then and has the same userid, she will have all those roles and is owner of content.

So, using UUID as userid saves a lot of possible security-related issues.

In high-security systems we also never delete users, just deactivate them. This way we also always have the user's metadata available and we can show the name of a deleted user. A new user is then really new to the system.

Hint: With LDAP (pas.plugins.ldap) we support industry standard expiration settings of users in LDAP. After the expiration date the user cannot log in anymore.

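The userid-reuse scenario discussed above, replayed as an added example that is not part of any post in this thread and is not Plone code: a simplified in-memory model in which local roles and ownership are keyed by user id. The names `Item`, `stale_grants`, `new_userid` and `replay`, the `admin-id` owner and the folder path are hypothetical, and `new_userid` only models the choice between a UUID and a login-derived id.

```python
import uuid
from dataclasses import dataclass, field

@dataclass
class Item:
    """Constructed stand-in for a content item: owner plus local roles keyed by user id."""
    path: str
    owner: str
    local_roles: dict = field(default_factory=dict)  # userid -> set of role names

def effective_roles(item, userid):
    """Roles a user id holds on an item, from its local roles and ownership."""
    roles = set(item.local_roles.get(userid, ()))
    if item.owner == userid:
        roles.add("Owner")
    return roles

def stale_grants(items, active_ids):
    """List (path, userid, roles) for grants that point at a user id that no longer exists."""
    report = []
    for item in items:
        for uid in sorted(set(item.local_roles) | {item.owner}):
            if uid not in active_ids:
                report.append((item.path, uid, sorted(effective_roles(item, uid))))
    return report

def new_userid(login, use_uuid):
    """Model of the id choice: a random UUID, or an id derived from the login."""
    return uuid.uuid4().hex if use_uuid else login

def replay(use_uuid, login="john@somecompany.com"):
    """Replay steps 1-4 from the thread; return both audit results and the newcomer's roles."""
    active = {"admin-id"}
    first = new_userid(login, use_uuid)
    active.add(first)                            # step 1: first John gets a grant
    folder = Item("/plone/shared-folder", owner="admin-id", local_roles={first: {"Editor"}})
    active.discard(first)                        # step 2: account deleted, grant left behind
    before = stale_grants([folder], active)      # audit run before anyone re-registers
    second = new_userid(login, use_uuid)         # step 3: a different person registers
    active.add(second)
    after = stale_grants([folder], active)       # same audit run after re-registration
    return before, after, effective_roles(folder, second)

if __name__ == "__main__":
    for mode in (False, True):
        before, after, roles = replay(mode)
        print("uuid ids" if mode else "login-derived ids", before, after, sorted(roles))
```

With login-derived ids the leftover grant shows up in the audit only until the id is reused, after which it looks like a normal grant to an existing user, so the cleanup has to happen when the account is removed.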

Not sure what GDPR etc. says about it, but if the username is the email, it is visible in history (manage_undoForm) and (maybe) in logs.

I would say that there is a bigger chance of misuse (of those emails) than if you have to get the info 'with two steps'.

Do you mean enabling emails as logins is a bad idea?

I see.

At ...//@@security-controlpanel, the "Use UUID user ids" comment says:

Use automatically generated UUIDs as user id for new users. When not turned on, the default is to use the same as the login name, or when using the email address as login name we generate a user id based on the fullname.

So, for a Plone site that didn't enable the "Use UUID user ids" option at the beginning and plans to enable this option for new users, there is no way to go back for already subscribed members?

As mentioned by @espenmn, I wonder if this is GDPR compatible.

Login name as email is fine, but userid not - it is the thing that is stored in the DB on every content item as owner or in Sharing ACLs.

It would be doable with a custom migration script - which gets complex, but out of the box there is nothing I know of.

Good point. Probably not. But you still can delete the user, and if the userid was a UUID the name won't appear (in contrast to fullname-derived or email-derived userids).