
Security issue with Reviewer Registration help required urge


Postby ushasharma84 » Sun Aug 29, 2010 11:47 pm

We have a security issue regarding Reviewer Registration. We have enabled the Reviewer Registration option in Journal Setup, as we want to populate the reviewer database with more and more potential reviewers.
Now the problem is that if anybody knows a reviewer's email ID and enrolls a person as a reviewer using his information and email ID, then he can access his account, as he will know his password. Can the password option be omitted from registration, with the password generated randomly and made available by email, as in the case of batch import? And the "send me a notification" email should be mandatory. Can this be considered a feature request, or can you give us some pointers on this, as we want to implement it as soon as possible?
Thanks in advance :roll:
ushasharma84
 
Posts: 108
Joined: Wed Mar 31, 2010 11:58 pm
Location: delhi

Re: Security issue with Reviewer Registration help required urge

Postby jmacgreg » Mon Aug 30, 2010 4:04 pm

Hi ushasharma84,

Am I right in understanding that you are basically worried about a malicious user impersonating another unregistered person by registering with their email address? I haven't heard of this happening before, although of course, as you point out, there's nothing to stop it from happening. I think that a) making it so that a confirmation email is sent out that must be checked as part of the registration process; and b) sending a new user notification email to the journal's primary contact or Journal Manager are two decent feature requests, but I want to make sure I'm understanding the problem correctly before processing them.

Cheers,
James
jmacgreg
 
Posts: 4181
Joined: Tue Feb 14, 2006 10:50 am

Re: Security issue with Reviewer Registration help required urge

Postby ams.jour » Mon Aug 30, 2010 10:46 pm

We faced the same problem with a malicious user, so we closed reviewer self-registration.

But I also feel that supplying the password through e-mail is the best option at the time of registration.

-AMS
ams.jour
 
Posts: 21
Joined: Sun Jun 29, 2008 10:57 pm

Re: Security issue with Reviewer Registration help required urge

Postby ushasharma84 » Wed Sep 01, 2010 12:09 am

Hi James,
You got it right, and in my view generating a random password and sending it through email is the right option to prevent malicious users.
ushasharma84
 
Posts: 108
Joined: Wed Mar 31, 2010 11:58 pm
Location: delhi

Re: Security issue with Reviewer Registration help required urge

Postby jmacgreg » Thu Sep 02, 2010 8:12 pm

Hi all,

Thanks for the feedback! See http://pkp.sfu.ca/bugzilla/show_bug.cgi?id=5877 and http://pkp.sfu.ca/bugzilla/show_bug.cgi?id=5878. Please feel free to CC yourselves to either or both of those reports for future updates.

Cheers,
James
jmacgreg
 
Posts: 4181
Joined: Tue Feb 14, 2006 10:50 am

Re: Security issue with Reviewer Registration help required urge

Postby jaik_70 » Sat Mar 05, 2011 9:59 pm

Hi,
My OJS has user registration with CAPTCHA.

Recently, I observed that some users register at my OJS with fake email IDs.

This happens because the present OJS system gives instant access just after registration with authentication of the e-mail ID.

It would be useful and secure if OJS first sent an authentication to the new user and then allowed access.

-JAIK
jaik_70
 
Posts: 42
Joined: Tue Jun 02, 2009 5:49 am
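
The confirmation-email step requested in this thread, sketched as an added example (it is not OJS code and not from any poster): a new account stays inactive until the owner of the address presents a single-use, expiring token that was sent to that address. The `Registrations` class, its in-memory store and the 24-hour `TOKEN_TTL` are assumptions made for illustration; sending the mail itself is left out.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed validity window, in seconds


class Registrations:
    """In-memory stand-in for the user table (hypothetical, not OJS code)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}  # email -> {"active", "token_hash", "expires"}

    def register(self, email):
        """Create an inactive account; return the token to e-mail to `email`."""
        email = email.strip().lower()
        user = self.users.get(email)
        if user and user["active"]:
            raise ValueError("address already registered")
        token = secrets.token_urlsafe(32)
        self.users[email] = {
            "active": False,
            # Store only a hash, so a leaked table does not yield usable links.
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": self.clock() + TOKEN_TTL,
        }
        return token

    def confirm(self, email, token):
        """Activate the account if the token matches and has not expired."""
        user = self.users.get(email.strip().lower())
        if not user or user["active"] or user["token_hash"] is None:
            return False
        supplied = hashlib.sha256(token.encode()).hexdigest()
        ok = hmac.compare_digest(supplied, user["token_hash"])
        if ok and self.clock() <= user["expires"]:
            user["active"] = True
            user["token_hash"] = None  # single use
            return True
        return False

    def can_log_in(self, email):
        user = self.users.get(email.strip().lower())
        return bool(user and user["active"])
```

Because the token only ever travels to the registered mailbox, someone who signs up with another person's address holds an account that never becomes active.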

