Users, Auth & Sessions - samuelgrant/fight-for-kidz GitHub Wiki

Users

The initial design called for users to be central to most functions of the website, including applications for events, table purchases and administration functions. However, at the request of the client (Dave) on August 10th 2018, the scope of the user system has been limited.

The user system is now limited to administration access only.

Sam Grant has expressed concern that this might limit our ability to restrict event applications, allowing a site guest to spam the database with records. This could be used to damage the application, limit access to it, or reduce its overall effectiveness. We will attempt to address this by using a Google captcha together with the standard CSRF protection. -- 24th August '18

Auth & Sessions

Accounts can be registered by using the /register route:

  • Email addresses must be unique
  • Passwords require six or more characters
  • User accounts will be inactive and must be activated by another admin before they can access the admin panel.
  • Accounts can be deleted by an admin. There is no UI to re-enable an account. Disabled accounts cannot be used for login and they cannot be re-registered.
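An added example, not the project's own App/Http/Middleware/ActiveUser.php, of how the "must be activated before they can access the admin panel" rule can be enforced as a Laravel middleware. It assumes the users table has a boolean `active` column and that the User model uses the SoftDeletes trait; both are assumptions.

```php
<?php
// Added example, not the project's own ActiveUser middleware.
// Assumptions: users.active (boolean) and SoftDeletes on App\User.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class ActiveUser
{
    /**
     * Only let an authenticated, activated, non-deleted admin through.
     * Anyone else is logged out and sent to the login form, so a "New"
     * or deactivated account cannot reach the admin pages even while it
     * still holds a valid 48-hour session cookie.
     */
    public function handle(Request $request, Closure $next)
    {
        $user = Auth::user();

        // The `auth` middleware normally catches this, but checking here
        // keeps this middleware safe to use on its own.
        if ($user === null) {
            return redirect()->route('login');
        }

        // trashed() is defensive: the guard's query already excludes
        // soft-deleted rows, so a deleted user usually arrives as null.
        if ($user->trashed() || ! $user->active) {
            Auth::logout();
            // Invalidate the session and rotate the CSRF token so the old
            // cookie cannot be replayed after deactivation.
            $request->session()->invalidate();
            $request->session()->regenerateToken();

            return redirect()->route('login')
                ->withErrors(['email' => 'This account is not active.']);
        }

        return $next($request);
    }
}
```

Register it under a key in `$routeMiddleware` in app/Http/Kernel.php and apply it together with `auth` to the /a/* route group, so an inactive account is rejected on every admin request rather than only at login.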

Users can log in at /login:

  • Too many unsuccessful attempts result in the guest being throttled.
  • A successful login will result in an auth session that lasts for 48 hours or until the cookie is cleared by the user. The session will be encrypted.

Password Resets

  • A user can request a password reset at /password/reset.
  • Once a user requests a new password, they will be sent an email with instructions on resetting their account.

User Management

The user management system can be accessed by administrators at /a/user-management.

Because we will only have user accounts for administrators, this page lists every account. If the user system is ever required for event applications and/or other features, we might have to adjust this view to make it easier to use.

User strip, from left to right:

  • Name
  • Email (mailto link)
  • Account status (Active/Inactive/New): whether the user can access the admin pages. New means the user has not yet set their password.
  • Updated timestamp: an easy way to see when the account was last updated.
  • Activate/Deactivate: toggles the account's active status.
  • Delete account: soft deletes the account, with the ability to restore it.

New User Creation

An admin can create new users using the 'Add User' button on the user management page. Visitors to the site cannot make their own accounts, for security reasons.

This leads to a form where the name and email of the new user are entered. The password is initially set to a random string and must be reset before the new user can log in. When the new user form is submitted, an email is sent to the supplied address prompting the new user to reset their password. The link expires after 24 hours, after which the user will have to request another via the 'forgot my password' link. Until the new user has set a password, their account shows as 'New Account' in the user management table.

Limitations

  • Any admin can disable or delete the account of any other admin
  • Any admin can enable or restore the account of any other admin.
  • Admins cannot disable or delete their own accounts.

Only give admin rights to trusted people.

Files or Views of interest

  • Database /database/migrations/CreateUsersTable.php
  • Database /database/migrations/CreatePasswordResetsTable.php
  • Model /App/User.php
  • Controller /App/Http/Controllers/Auth/*
  • Controller /App/Http/Controllers/Admin/UserManagementController.php
  • Middleware /App/Http/Middleware/ActiveUser.php
  • Middleware /App/Http/Middleware/maintenanceModeOverride.php
  • Views /resources/views/auth/*
  • Views /resources/view/admin/userManagement.blade.php

Unit/Application Testing

The User model is tested by the UserTest class, using Faker-generated users created by the UserFactory class. The methods tested are:

  • enable()
  • disable()

The UsersManagementController methods are NOT tested by this class.

To run all tests, execute ./vendor/phpunit/phpunit/phpunit