Active
Project:
Party
Version:
7.x-1.x-dev
Component:
Party user
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Reporter:
Created:
17 Aug 2012 at 15:02 UTC
Updated:
22 Aug 2012 at 20:17 UTC
We decided to investigate a real life case for one of our clients in order to handle a specific case where a user may want to obtain their party that has already been entered into the system. The issues can be picked up by the programmers when they start working on it.
In our situation we're handling a booking system where a Drupal User creates a "Booking Entity". The Drupal User then adds "Tickets" which are also entities that contain contain information.
Bell and Bill = B for Booking Manager
Tim = T for Tickets
Paul = P for Generic Party
Sarah = S for Generic Staff member using Party
Oscar = Grouch, he's mean
Scenario 1 - Basic Party Acquisition
Bell starts a booking in the system and books a ticket for Tim
6 Months later, Tim starts a booking for himself and buys his own ticket.
Bell starts a booking (entity) and adds a ticket (entity). A ticket is an entity in its own right from the booking system in a similar manner to a commerce order. However there is some information that would be useful for a party on the ticket such as name and Date of Birth and e-mail.
So the booking system would check if a party with that e-mail has already been created. If none is found it automatically creates a party and fills it with the relevant information from the Ticket.
ISSUE: Allow other systems to create a party if there isn't a party with that e-mail
#1742772: PartyQuery - API to help find parties...
Then when Tim starts a booking for himself later he logs into the website with the same e-mail that Bell used. When he creates a new Drupal User, AFTER the e-mail verification process he is presented a screen that asks him to confirm if the details the system has about him belong to him. If they do he clicks "accept" and acquires the party.
(Note: this e-mail verification process could become more secure and complicated: #1742646: [Doc] Party Acquisition Security issues)
ISSUE: Create an automatic party acquisition configuration UI selecting the field on a data set that is used for mergers and acquisitions.
ISSUE: Create a UI so that Drupal Users can confirm and edit their details.
ISSUE: Make it so that the merging e-mail field can be synced with the Drupal User E-mail.
Scenario 2 - Automatic Party Updating based on e-mail
Bill starts a booking in the system and books a ticket for Tim
6 Months later, Bell starts a booking in the system and books a ticket for Tim
6 Months later, Tim starts a booking for himself and buys his own ticket.
This requires Bill and Bell's information to impact Tim's party before he acquires it. The tickets are entities that are stored in their own right. We think that we should make it so that when a ticket is added it also updates Tim's party. This means that when Tim acquires his party he will see whatever information was the latest and he'll see all the previous tickets that have been attached to his party. We could potentially use party revisions but that is probably not necessary in this situation.
ISSUE: Enable other systems to update party information based on the e-mail used for merging.
Scenario 3 - Manual Party Input - Automatic Party Acquisition
Sarah a staff member enters Paul's information into the system
Paul signs up on the site and wants to claim it.
This is the more generic scenario and is essentially the same. However, because the party is manually entered into the system we need:
ISSUE: To make sure the process of adding a Party is easy
ISSUE: Make it possible to require e-mails to be unique.
ISSUE: Make it so that e-mail have to be verified by being input twice
Scenario 3b - Manual Tutor Party Input - Automatic Tutor Party Acquisition
Sarah, a staff member at a university, enters a module tutor, Ted's, information into the system so his profile is shown against the module he teaches.
Ted signs up on the site and the university want him to claim it and fill out his missing profile information.
This is a current real life version of Scenario 3 and there is currently nothing more Ted does.
Scenario 4 - Post - Party Acquisition
Tim books a ticket for himself and creates a Drupal User and Party
Bell starts a booking and adds a ticket for tim.
Tim needs a party to be created automatically with this ticket information stored in it.
Issue: Allow parties to be created automatically when a user signs up (already done I think)
Issue: Allow Tim to access his own party information
Then when Bell adds a ticket she is adding information to a party that already exists. This hasn't been fully discussed yet:
- Do we make it so that bell just types in the information and it automatically adds tim's ticket information to the party without her knowing?
- Do we allow her to explicitly add parties to her booking (Data protection issues here)
- If Bell adds tim's information but spells his name "Timothy", does it change anything on the party? Does it notify tim of something or does it do nothing (and just stay as Timothy on the ticket)
- http://drupal.org/project/email_confirm This may be important if we do some form of automatic merging at a later date.
----------------
Just thought I'd give you a heads up. We have a mini-party week next week. We're going to try and get a basic version of our "User integration" sorted. This is the issue where someone needs to "claim" their own party information when they register on the website at a later date or:
"Person A has their name, e-mail, address and number in Charity X's website set up by a staff member in a Party called Party A
Person A comes along and signs up to become Drupal User A
Person A gets access to update their own information in Party A
Nasty Person B has also tried to obtain Party A's information but they can't
We're going to talk about it on monday and start writing up issues of how we could potentially solve this. I'm feeling that Joachim had some ideas about this where making sure we have a verified e-mail address is something that is really important with making this work.
So I think the assumption we can make it "If Person A has access to Party A's primary E-mail account then Person A should have full access to Party A as if they set it up themselves"
Comments
Comment #1
joachim commentedSee #1679722: email confirmation when linking users to parties, where there is a patch needing review and a proposal to add a dependency on a contrib module.
What I wrote there:
And to summarize: we have to be certain that the person's whose data we have is the same person as the owner of the email address.
The other way in which this can go wrong is this scenario:
1. Alice writes down her email address, eg on a sign-up form
2. Bob enters the data, creating a party for Alice
3. At either of these stages, one of them makes a mistake. It so happens that the typos in Alice's email address turn it into Oscar's.
4. Oscar is now able to create an account on the site and claim Alice's data.
AFAICT there is no way to guard against this.
Comment #2
joachim commentedThinking about this more, this is a problem that any website has if it has a workflow that involves Bob entering Alice's email. The paper part is superfluous -- if Alice is speaking to Bob on the phone it can go wrong too.
We could split up Bob's step:
2A. Bob creates a new *STUB* party, containing only Alice's email address.
2B. Alice receives an email asking her to confirm her address.
2C. When Bob sees Alice has reponded, he continues entering data.
But in 2B, this could still be Oscar!
The problem is that unlike in a system like Drupal's user module account creation, the step of account (here, party, but same thing) creation and email confirmation, the two actions are split across two different people.
Comment #3
rlmumfordWe could send a sum up of the information to the email address and say 'Is this you?'
Comment #4
joachim commented> We could send a sum up of the information to the email address and say 'Is this you?'
But then if it's Oscar's email address, Oscar can just lie and say 'Yes, it's me!'.
I think all we can do is:
- make site builders and admin users aware of the problem
- force double-entry of email addresses (and use JS to block paste. I've seen it done on site, it's annoying as hell, but there's a good reason for it)
- encourage site builders to use a pattern where users initially create their own accounts/parties
Comment #5
andrewbelcher commentedYeah, I've been thinking about it as well and I can't think of a way to do it 'automatically' without there being risk involved. The only 'risk free' method I can think of is manually merging, in which the person doing the merging is essentially validating that the two are the same.
The only thing I can think of is introducing some additional security questions or validating additional data (such as an address and an email address), but even those are no guarentee.
I think the best that we are going to get is to do email matching, making sure that we only attach parties to user accounts with verified email addresses (so we only ever do it on account creation), or, as Joachim suggested, trying to make it so that people register their own accounts as much as possible, maybe to the extent that we don't automatically give access to anything.
http://drupal.org/project/email_confirm provides the ability to make sure user account emails don't get changed scrupulously, which I suppose may mean we can make it so that automatic matching doesn't only happen at account creation...
Thinking more about it, I think there are two fundamental issues...
a) Verifying that an account and a party are the same.
This one we can go some way to solve, but in many ways is the less important one...
b) Verifying that a party is actually the right person before attaching sensitive information.
This one I'm not sure we can solve. An example would be I meet someone face to face and record some information about them. Someone registers through the web with the same information. We don't actually know that the two are the same. Even without malicious intent, we could find situations where we get that crop up just by things like two people having the same name etc. This is a generic data protection issue.
Comment #6
rerooting commentedIn several of our use cases, we have this cropping up. We are still developing a plan of attack, and are unsure of whether to use an email confirmation to claim accounts or deduplicate on account creation. Either way, email seems to be the best option for us so far. Email_confirm seems like it could work quite well!
Comment #7
yautja_cetanu commentedmoved this to the summary
Comment #7.0
yautja_cetanu commentedAdded issue to scenario 1
Comment #8
joachim commentedI'd say email_confirm is essential.
Comment #8.0
yautja_cetanu commentedAdded my comments about this
Comment #9
yautja_cetanu commentedI'm holding off on dealing with email_confirm until we worry about scenario 1. In scenarios 1-3 nothing really happens after Tim signs up with an account and so his changing his e-mail without things being verified is not an issue.
I'm sure it will be but I'd like to find out specific cases where we're doing things for real people where e-mail confirm is necessary so that we know how it needs to work. (For example, if someone changes their e-mail but doesn't confirm it. What happens and what do we need to happen to deal with the security issues?)
Scenario 4 has quite a few complications regarding data security. What would be nice is if we could have a party lookup that allows you to type an e-mail or the name, browse through some pictures and select someone... this obviously can't happen! So whatever we do will probably be messy.
-----------
But one question. Do you think it would matter if Party User required email_confirm?
Personally I think it wouldn't matter because I think something like email_confirm should be part of core drupal anyway?
Comment #10
spencerfromsc commentedI would suggest that if there is already personal information being stored and you are possibly giving outside users access to that information, then there needs to be at least some minimal level of additional security. With some companies, you may need to verify an account number, but that may not be appropriate in all situations. It could be simpler, like my Internet provider does whenever I can't remember the bizarre userid they assigned me. They just do a quick challenge where I have to select from a series of choices which information from my account, in this case my address, is correct. It takes two seconds is very non-intrusive. This is not exactly high security, but I still need to know my password in this case; however the technique could probably be modified to more securely enable linking new accounts to Parties.
Comment #10.0
spencerfromsc commentedAdded Log for names
Comment #11
rerooting commentedOh hey, verifying with an account number is a great idea, that just solved an issue on one of our projects!
Potentially we could provide a simple module with party_user that allows you to identify a confirmation and/or deduplication field for all party_users, that is attached to the user dataset (i.e. profile fields). This way, one could choose usernmame, email, or a numerical ID, etc.
Comment #12
rlmumfordWe've been focusing on Scenario 3B today.
With regard to the acquisition we had to make a decision on whether to join a new user to a party upon the user being first saved or when the email is confirmed. We decided to do it in hook_user_insert for the following reasons.
If the user who is registering deliberately puts in a fake email, we join that user to a party, then the user doesn't have access to the information until he can confirm his email address anyway.
Comment #13
joachim commented> then the user doesn't have access to the information until he can confirm his email address anyway.
Could you review my patch on the other issue please?
Comment #13.0
joachim commentedIntroduce a current real work scenario 3b.