User can edit profile through My Preference and can set duplicate username

User can edit User Name from My Preferences page.

As such it is possible for user to set a user name which is already being used.

And if that happens, all the login attempts with any user with that user name fails.

Users should not be allowed to edit User name from My Preference page and there should be a check for duplicate User name.

Title changed from **User can edit hiw profile through My Preference and can set duplicate username ** to **User can edit profile through My Preference and can set duplicate username **

Confirmed.

But, you have to put your "Preferences" page into Edit View first though. The username field is not editable in Detail View.

You probably just need to change the displaytype of the username field to "2". Not tried it but should probably work. It is currently set as "1".

@lord_alan yes that is correct, ajax edit is not working on User name field. But if we enter Edit view then we can change the User name.

This could be problematic in scenarios where we need to address users by some thing uniqueness (Like User name, or Firstname + Lastname, Email etc.). If user could change the details, it could cause Data security issues. As one user could amend its details in a way so that he gets access to other User's data.

This issue is faced by us while customizing comments for a client. We needed a way so that if a certain combination of User detail is present in the field's value then that user must be notified.

But as far as we can see now there seems no such probability.

Change displaytype to 2 in vtiger_field. This will stop anyone from changing a username as the field is hidden in Edit View.

@lord_alan we have already done that. But would this change be considered in Vtiger next release ?

Hopefully they will pick this issue up shortly. This is exactly what happens in On-Demand now... It seems the right way to do it to me.

@lord_alan and what about admin, if we do that admin can add users with duplicate User name. There should be a check for duplicate User name as well.

No. You can't create a new user with the same username. Try it.

Confirmed, cannot create a new user with duplicate name.

So summarizing following are the issues:

1. non-admin user should not be allowed to edit the User name field
2. if admin user is changing the User name field, duplicate check must happen (though admin user cannot create a new user with duplicate user name he can later edit an existing user and enter duplicate user name)

@lord_alan , please confirm if I missed something

@nilay.automatesmb Your point 2. is wrong if you set the displaytype of the user_name field to 2.

Then even for admin the Username field becomes invisible once the user has first been created and you try to edit.

@lord_alan , but should that happen or admin should be allowed to edit the User name?

I think that is correct once a user is created no one should be allowed to change the user name.

I think it is a good idea to have the capability to change user names at least for security reasons. What is missing is the user name validation by the save operation to avoid duplicates.

I've noticed when changing the displaytype to 2 in vtiger_field that when you add a new user, the username does not get saved, it appears blank. I have tried several times to replicate and it happens every time the displaytype is set to 2 in vtiger_field for username.

Any updates?

@lord_alan displaytype of the user_name field to 2 breaks installation don't know why

Confirmed what says @adam.faughnan . Displaytype = 2 is not a good solution.

Edit: displaytype = 4 did the trick. However, you cant see the field in DetailView. Only in ListView. At least, its something.

mentioned in issue #289 (closed)

mentioned in merge request !98 (merged)

mentioned in commit 865d313d

mentioned in commit 5450b7d3

Status changed to closed

mentioned in issue #289 (closed)

mentioned in issue #314 (closed)