+1 never been a big fan of the duplicate. Would still be better to have a migration in case someone used the new disabled property to avoid bad surprises with security

Le jeu. 22 août 2019 à 16:01, Simon Urli <simon.urli(a)xwiki.com> a écrit : > Hi everyone, > > I recently (in XWiki 11.6RC1) introduced a new property "enabled" in > XWiki.User as part of https://jira.xwiki.org/browse/XWIKI-12654 to > distinguish between inactive users (who have not confirm their > registration with the token sent by email), and disabled users (who are > deactivated by an admin, or by a security mechanism). > > Now as Marius noticed those two properties are quite redundant, > especially when you want to know which users are really active. > So it introduces unnecessary complexity and we might even need to change > existing extension to check enabled users (cf the last comments on > XWIKI-12564). > > So before doing those changes, I propose to fix immediately the issue by > removing that newly introduced property and by introducing a new > property only for assessing that users' email are checked. > > Then we will only have to check "active" property to check if a user is > active or not, and we could rely on it to set them enabled or disabled > in the admin. > The email_check property would be used only for the check email > mechanism, so it will avoid any confusion in the semantic. > > WDYT? > Simon > > -- > Simon Urli > Software Engineer at XWiki SAS > simon.urli(a)xwiki.com > More about us at http://www.xwiki.com >

Hello Simon, while writing GPDR-compliant “technical organisation’s measures”, I’ve been insertion a statement that says that users who do not respond to an actualisation wish of the terms-of-conditions are automatically erased. The reason this is needed lies in the fact that an explicit agreement is always needed to any change in the data-privacy-policy as long as the user-profile contains personal information (generally, it does). As a result, it seems to me that one of these fields should be a date: “last activated” or something last this. Per default, we’d just make sure that this date is not the date zero. An authenticator that a would enable a wiki to be GPDR compliant with TOS and privacy notices would then check that the last-activated is later than the last modification date of these documents. I entirely agree that a second property stating that a user is disabled because his profile looks to be spam is a necessary thing. Here, I do not see a date requirement.

thanks Paul On 22 Aug 2019, at 16:01, Simon Urli wrote: > Hi everyone, > > I recently (in XWiki 11.6RC1) introduced a new property "enabled" in > XWiki.User as part of https://jira.xwiki.org/browse/XWIKI-12654 to > distinguish between inactive users (who have not confirm their > registration with the token sent by email), and disabled users (who > are deactivated by an admin, or by a security mechanism). > > Now as Marius noticed those two properties are quite redundant, > especially when you want to know which users are really active. > So it introduces unnecessary complexity and we might even need to > change existing extension to check enabled users (cf the last comments > on XWIKI-12564). > > So before doing those changes, I propose to fix immediately the issue > by removing that newly introduced property and by introducing a new > property only for assessing that users' email are checked. > > Then we will only have to check "active" property to check if a user > is active or not, and we could rely on it to set them enabled or > disabled in the admin. > The email_check property would be used only for the check email > mechanism, so it will avoid any confusion in the semantic. > > WDYT? > Simon > > -- > Simon Urli > Software Engineer at XWiki SAS > simon.urli(a)xwiki.com > More about us at http://www.xwiki.com