Brainstorm: Improving user management in Plone

The internals of Plone’s user & groups system got massively upgraded in Plone 2.5 with the inclusion of PAS (Pluggable Auth System). Behind the scenes, we now have an impressively powerful, extremely flexible system for managing the entire authentication system. It’s a great foundation. But while the foundation is sound, the more external-facing parts of the system could use some freshening up.

Here are what I see as the main problems facing site administrators and integrators:

  • Poor usability of user/group administration screens for site managers. Think of how much we streamlined the “Sharing” tab from Plone 2.5 to Plone 3. We need a similar effort here.
  • It’s too hard to customize member profiles — it requires changing lots of scattered forms & scripts. Membrane and Remember offer a path to using Archetypes objects as member/group sources, which is a good idea. But we can (I think) do even better soon.
  • User registration and user administration both use the same join_form. That is somewhat inflexible.
  • Password confirmation/reminder messages have some rough usability edges.
  • Deleting users can orphan content they’ve created without an owner — need a way to reassign a user’s content objects when deleting the user.

Users & Groups in Plone 4: My vision

I think the key elements of Plone 4’s users & groups story could be:

  1. Dexterity-powered membership objects (“Membrane NG” if you will) and a reimplemented user management UI powered by these Dexterity objects (“Remember NG”). This should be Plone’s OOTB story. This will give us easy user/group profile configurability. Users are just content objects.
  2. Big usability cleanup to user management UI.
  3. Use PFG (or its Plone 4 successor) to create public user registration/profile forms.

Other ideas

  • Include LDAP support out of the box (included but disabled) — review its usability so it is as easy as possible to configure.
  • We probably need a better story for attaching to a SQL source for user/group data. (The problem with SqlPASPlugin is that it stores all newly created users in SQL; there’s no choice to store some users locally.) Such a system probably needs to be made to use SQLAlchemy at its heart.
  • Password strength requirements w/ interactive feedback.
  • Through-the-web customization of registration confirmation and password reminder emails.
  • We need a really good tool for importing memberlists via CSV.

Ok, that’s my first brain dump. What’s on your mind? How should Plone’s users & groups system be improved? And more importantly, who can step forward as a champion for this important but often-neglected component? This is a big opportunity to take ownership of a critical piece of Plone’s future.

3 thoughts on “Brainstorm: Improving user management in Plone”

  1. The LDAP config needs to be config-able with a file, template, buildout variables or some such; the current PloneLDAP config can only be done through the web (or excruciating AppInstall contortions) which foils automated deployment and testing of sites; it’s not genericsetup-able.

    Many government sites have password policy requirements such as strength (easy), max password duration, prevent reuse of past N passwords, lockout after M failures, etc. This may be a bit out of scope of what Plone should do, versus the authentication system, but might help get Plone in the door of .gov and other large orgs with similar security policies.

  2. Jon,

    Pretty much every one of my customers wants to use their email address as their login name – I’d add that to the feature list if I could!

  3. I can only agree with you. User management has been a shame on Plone for years now and it’s time to get things moving. I wish to emphasize the poor LDAP plugins state and the fact they rely on half-cooked projects and ageing ones, such as LDAPMultiPlugin and other very old, incomplete and erratic *UserFolders.

    I’m currently working on a big project that made me think a lot about all these issues and I’m developing a new kind of user management based on my homemade content type system, called spear and membrane. Membrane is soon to be replaced by another PAS module, but you can already have a look at transition.org: http://tracker.trollfot.org/browser/projects/transition
