jadahl / mod_restful

RESTful interface to ejabberd

unregister requires the user password? #21

Open dirkmoors opened 10 years ago

dirkmoors commented 10 years ago

When implementing the mod_restful API, I noticed that I would require the user's password to remove an ejabberd user-account?

The use case -where I needed mod_restful for in the first place- was to be able to have my user management system (written in Python/Django) create and remove ejabberd user-accounts, to keep them in sync with the Django user accounts. Since I do not know the user passwords in my backend (and for security reasons, I don't want to know them), I'm not able to supply the password to the "unregister" function. Is there no way around this? I would like to use the mod_restful module as an administrator interface; it won't be exposed to the outside world. Moreover, only "admin" accounts (or when I use the shared key) would be able to call the mod_restful APIs.

dirkmoors commented 10 years ago

Also, the same goes for the change_password command; I want to be able to reset a user's password without knowing his current password.

jadahl commented 10 years ago

I see three options:

Either you create new request types in mod_restful_register (for example "force_change_password" and "force_remove_account") that handle changes when the old password is not known.

Or you add an option making the existing API not take password parameters.

Or you use the interface that talks directly to the ejabberd admin API.

The API was designed to act as a backend to change-password forms, where the user may only change the password/remove an account if he/she knows the current password.
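The third option above (calling the ejabberd admin API through mod_restful's admin-side interface instead of the user-facing register/unregister handlers) is the one that fits a backend that does not know user passwords: authentication is the shared key, not the account password. The following Python client is an added example written for this thread; it is not code from mod_restful or from either commenter. It assumes, without confirmation from the thread, that the admin handler is mounted at `/api/admin`, that it accepts a JSON body of the form `{"key": ..., "command": ..., "args": [...]}`, and that the ejabberd commands are named `unregister` (user, host) and `change_password` (user, host, newpass); adjust all three to your deployment. The one check worth copying regardless of those details is `check_base_url`: the shared key is a bearer credential, so the client refuses to send it over plain HTTP to anything but loopback.

```python
"""Added example: admin-side client for ejabberd commands via mod_restful.

Not part of mod_restful. ADMIN_PATH, the JSON shape, and the command
names are assumptions about the deployment, not facts from the thread.
"""
import json
import urllib.request
from urllib.parse import urlsplit

ADMIN_PATH = "/api/admin"  # assumed mount point; check your mod_restful config
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def url_is_acceptable(base_url):
    """True if the shared key may be sent to base_url: https anywhere,
    or plain http only to a loopback address."""
    parts = urlsplit(base_url)
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def check_base_url(base_url):
    """Raise instead of leaking the shared key over a cleartext network hop."""
    if not url_is_acceptable(base_url):
        raise ValueError("refusing to send shared key over plain HTTP to %r"
                         % urlsplit(base_url).hostname)
    return base_url


def admin_payload(command, args, key):
    """Body for the (assumed) admin handler: authenticated by shared key,
    so no user password is involved at all."""
    return {"key": key, "command": command, "args": list(args)}


def unregister_payload(user, host, key):
    # assumed ejabberd command signature: unregister(user, host)
    return admin_payload("unregister", [user, host], key)


def change_password_payload(user, host, new_password, key):
    # assumed ejabberd command signature: change_password(user, host, newpass)
    return admin_payload("change_password", [user, host, new_password], key)


def send(base_url, payload, opener=urllib.request.urlopen):
    """POST the payload as JSON and return the decoded reply.
    `opener` is injectable so the call can be exercised offline."""
    check_base_url(base_url)
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        base_url.rstrip("/") + ADMIN_PATH,
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with opener(req, timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed values for illustration; the key would come from a secret
    # store in a real deployment, never from source or a world-readable file.
    base = "http://127.0.0.1:5280"
    key = "example-shared-key"
    print(json.dumps(unregister_payload("alice", "example.org", key)))
    print(json.dumps(change_password_payload("alice", "example.org", "n3w-pass", key)))
    # send(base, unregister_payload("alice", "example.org", key))  # live call
```

Keeping `admin_payload` separate from `send` means the Django side can unit-test what it is about to send, and injecting `opener` lets a fake response stand in for ejabberd in tests. Bind the mod_restful listener to loopback or an internal interface as well; the client-side URL check is a backstop, not a substitute for not exposing the admin handler.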