Re: [Gnumed-devel] Managing staff (user accounts)

[Jim Busser]

On 2011-05-25, at 5:37 AM, Karsten Hilbert wrote:

> The function gm.create_user() duly applies the ENCRYPTED keyword.
> 
> The actual encryption method is PostgreSQL business.
> 
>> (since I am gathering that the
>> setting in pg_hba.conf merely instructs what to use to authenticate an
>> offered password against the stored value) ?
> 
> MD5, yes. Actually, the password isn't really stored anywhere. Only
> its (salted) hash.

so… an encrypted form of the salted hash?

Also, any user should want to be able to alter their own password. Is it 
possible for them to be able to do this through the

        Edit staff list

dialog? Maybe add a line with

        Password: < >   New password: < >       Re-enter new password: < >

and, if they cannot now alter it without knowing

        gm-dbo

then let them at least input the information and, if all was ok with the three 
password fields above, then evoke the prompt for an administrator to supply the 
gm-dbo password, with the instruction:

        Please get your database administrator to authorize this change:

                gm-dbo password: <      >