demexp-dev

[Demexp-dev] Account creation documented and some remarks


From: David MENTRE
Subject: [Demexp-dev] Account creation documented and some remarks
Date: Sun, 15 Oct 2006 12:20:28 +0200
User-agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.4 (gnu/linux)

Hello Augustin et al.,

I've finally documented the whole account creation steps on the wiki
(for both cases, new user and previous hard client user):
  http://demexp.org/en/doku.php?id=drupal_and_demexp_account_creation

It seems to me quite complicated. For me, the account manager, I don't
care, but for the user this is a big issue. I'm pretty sure that most
users won't see the difference between Drupal account, demexp account,
account validation, etc.

I think that to make the interface accessible to the wide public, we
must simplify the login procedure, even if we have separate Drupal and
demexp accounts.

In the following, I'm only considering the case of a user having neither
a Drupal nor a demexp account (i.e. first part of above URL).

I propose following changes:

 1. The whole web server will be accessible through HTTPS (i.e. using SSL),
    so one can assume that everything that is displayed to the user is
    displayed in a secure way. We will put fingerprints of our web
    public keys in all emails sent to users;

 2. At step (2), when the user receives his password, we should *not*
    provide a way to change the password. The login message should make
    clear that this is only the *Drupal* login. Moreover, in English we
    call the project "the democratic experience" (in lower case). So I
    propose following message template:

"""
Toto,

Thank you for registering at the Drupal interface of the democratic
experience. You may now log in to http://demexp.ouvaton.org/user using
the following username and password:

username: Toto
password: ghjgqsjgds7676G

--  The democratic experience team
"""

    With such a procedure, step (3) no longer happens and the user is not
    forced to change his password in case he clicks on the activation
    link.

 3. At step (10), when the demexp account manager validates the demexp
    account on the Drupal interface, the demexp password should be saved
    and the Drupal interface for that user should be put into "Remember
    the password" state by default. Moreover, one should consider the
    user in the "Login" state by default.

    Therefore, at step (12), the user won't have to enter the password,
    choose the "Remember the password" setting and click "Login". The
    user can vote directly.

    Remembering the password might be less secure, but anyway security
    is currently not a strong point of demexp and I would prefer
    ease of use to security[1]. Anyway, if the user prefers to enter the
    password each time he wants to vote, he still can do it.


I think and hope that those changes are minor to you, Augustin. I do
appreciate your hard work, especially the way you check that parameters
entered in the Drupal interface are valid on the demexp server.

What do you (and others) think of it?

Best wishes,
d.


Footnotes: 
[1]  Of course, that does not mean that in the long term demexp should
     not be strongly secure!

-- 
GPG/PGP key: A3AD7A2A David MENTRE <address@hidden>
 5996 CC46 4612 9CA4 3562  D7AC 6C67 9E96 A3AD 7A2A
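Point 1 of the message above proposes printing the fingerprints of the web server's public keys in every e-mail so that a user can compare them with what the browser shows. The following is an added example, not code from the demexp project or from the message's author: it computes such fingerprints from a PEM certificate (a hash over the DER bytes, which is what browser certificate viewers display) and compares a user's transcription against the published value. The sample PEM blob is constructed from arbitrary bytes rather than a real X.509 certificate, since fingerprinting hashes the DER bytes without parsing them; the choice of SHA-256 and SHA-1 and the wording of the e-mail footer are assumptions for illustration.

```python
"""Added example (not demexp project code): compute and compare TLS
certificate fingerprints of the kind the proposal wants to print in
e-mails to users.

A fingerprint is a hash over the DER-encoded certificate, which is what
browsers show in their certificate viewer. The PEM blob below is a
constructed placeholder whose base64 payload is arbitrary bytes, not a
real certificate: fingerprinting only hashes the DER bytes, it never
parses them.
"""
import base64
import hashlib
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample: 48 arbitrary bytes wrapped as PEM (not a real cert).
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = (
    PEM_BEGIN + "\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + PEM_END + "\n"
)


def pem_to_der(pem_text: str) -> bytes:
    """Extract and base64-decode the first CERTIFICATE block in PEM text."""
    m = re.search(re.escape(PEM_BEGIN) + r"(.*?)" + re.escape(PEM_END),
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(r"\s+", "", m.group(1))  # drop line breaks inside the block
    return base64.b64decode(body, validate=True)


def fingerprint(pem_text: str, algo: str = "sha256") -> str:
    """Colon-separated uppercase hex digest over the DER bytes, as browsers
    display it (e.g. 'AB:CD:...')."""
    digest = hashlib.new(algo, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip separators and case so a user's transcription compares reliably."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprint_matches(shown: str, published: str) -> bool:
    """True iff the fingerprint the browser shows equals the published one.
    Only complete SHA-1 (40 hex) or SHA-256 (64 hex) digests are accepted;
    a prefix or a truncated copy is rejected rather than partially matched."""
    a, b = normalize(shown), normalize(published)
    return len(a) in (40, 64) and a == b


def email_footer(pem_text: str) -> str:
    """Footer to append to every e-mail sent to users (assumed wording)."""
    return (
        "Our HTTPS certificate fingerprints (compare with what your browser shows):\n"
        f"  SHA-256: {fingerprint(pem_text, 'sha256')}\n"
        f"  SHA-1:   {fingerprint(pem_text, 'sha1')}\n"
    )


if __name__ == "__main__":
    print(email_footer(SAMPLE_PEM))
```

The comparison deliberately strips colons, spaces and case before comparing, because users copy fingerprints from a browser dialog in whatever form that dialog uses, but it refuses anything shorter than a full digest so that a truncated value cannot pass as a match. Note that the fingerprint changes whenever the certificate is renewed, so the footer has to be regenerated from the certificate actually being served.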