Request Account Module

Owned by Former user (Deleted)
Last updated: Jan 14, 2011 by Darius JazayeriVersion comment
3 min read

Overview

The Request Account Module allows users to request their own accounts, specifying their own preferred username and preferred password. An administrator can then approve or deny pending account requests.

Without this module an administrator must preemptively create a user account, and communicate its password to the intended user.

Security Implications

This module allows users to request their own password, so the administrator doesn't need to know it, and he/she doesn't need to communicate a password to the users, which frequently happens over unsecure email.

The downside of this module is that it stores the users requested password in the database in plain text for a short time. This plain text password is never displayed in the web application, and it is cleared as soon as the account is approved or denied.

In most situations this should be a significant improvement in security, but as administrator you should be aware of the implications.

This security issue could probably be fixed with some more programming (by storing pre-hashed passwords), so if someone wants to tackle that, please let me know. -Darius

Instructions

Download and install the module. Hopefully the screenshots below are clear enough to not require further instructions.

Screenshots

Requesting an account

Click "Sign Up":

Fill out your details:

Wait for approval:

Reviewing account requests

The administration page has a link to an "Approve Accounts" page.

To approve an account, you need to choose which roles the new user should have. You may do this in either of two ways:

  • Choose an existing user as a template. All their roles will be copied over to the new user
  • Specify the new user's roles manually

Or you may deny an account request:

Release Notes

Version 1.2

  • Requires OpenMRS 1.6
  • Also tested to work with OpenMRS 1.7 and 1.8.
  • Doesn't let you assign the "Anonymous" or "Authenticated" roles

Version 1.1

  • Requires OpenMRS 1.5
  • Does not work on OpenMRS 1.6+
  • Use validatePassword method from OpenMRS core, so the system's custom password-strength rules will be used.

Version 1.0

  • Initial release

Required Privileges

Requesting an account does not require any privileges (obviously).
Approving/denying accounts requires the "Add Users" privilege

Known issues and TODOs

  • No notification is sent when an account is requested. (Should this be via email, or an in-OpenMRS notification sent to administrators?)
  • Security issue mentioned above where the requested password is temporarily stored as clear text

Special releases

If you want to use this module on 1.4.0-1.4.4, you need this special version of the omod file: Requestaccount-1.0-for-1.4.0.omod