Request Account Module

Overview

The Request Account Module allows users to request their own accounts, specifying their own preferred username and preferred password. An administrator can then approve or deny pending account requests.

Without this module an administrator must preemptively create a user account, and communicate its password to the intended user.

Security Implications

This module lets users choose their own password, so the administrator never needs to know it or communicate it to the user, which frequently happens over insecure email.

The downside of this module is that it stores the user's requested password in the database in plain text for a short time. This plain text password is never displayed in the web application, and it is cleared as soon as the account is approved or denied.

In most situations this should be a significant improvement in security, but as an administrator you should be aware of the implications.

This security issue could probably be fixed with some more programming (by storing pre-hashed passwords), so if someone wants to tackle that, please let me know. -Darius
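The pre-hashing fix suggested above, sketched as an added example (not the module's code, and in Python rather than the module's own language). The class and function names, the PBKDF2 parameters and the strength rule are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000                       # assumed work factor, tune per deployment
RESERVED_ROLES = {"Anonymous", "Authenticated"}   # roles the page says cannot be assigned

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

def check_strength(password):
    # Stand-in for the system's password-strength rules (assumed: 8+ chars, one digit).
    if len(password) < 8 or not any(c.isdigit() for c in password):
        raise ValueError("password does not meet strength rules")

class AccountRequests:
    """Hypothetical store; the dicts stand in for database tables."""

    def __init__(self):
        self.pending = {}   # username -> (salt, hash)
        self.users = {}     # username -> (salt, hash, roles)

    def request(self, username, password):
        if username in self.pending or username in self.users:
            raise ValueError("username unavailable")
        # Strength must be checked now: after hashing the plaintext is gone.
        check_strength(password)
        salt = os.urandom(16)
        self.pending[username] = (salt, hash_password(password, salt))

    def approve(self, username, roles):
        roles = frozenset(roles)
        if roles & RESERVED_ROLES:
            raise ValueError("reserved role cannot be assigned")
        # The stored salt and hash move across unchanged; no plaintext is needed.
        salt, digest = self.pending.pop(username)
        self.users[username] = (salt, digest, roles)

    def deny(self, username):
        del self.pending[username]   # the request and its hash are discarded

    def authenticate(self, username, password):
        record = self.users.get(username)
        if record is None:
            return False             # pending or unknown accounts cannot log in
        salt, digest, _roles = record
        return hmac.compare_digest(digest, hash_password(password, salt))
```

With this layout the pending-request table holds the same kind of value as the user table, so a database read during the approval window exposes a salted hash rather than the password itself.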

Instructions

Download and install the module. Hopefully the screenshots below are clear enough to not require further instructions.

Screenshots

Requesting an account

Click "Sign Up":

Fill out your details:

Wait for approval:

Reviewing account requests

The administration page has a link to an "Approve Accounts" page.

To approve an account, you need to choose which roles the new user should have. You may do this in either of two ways:

  • Choose an existing user as a template. All their roles will be copied over to the new user

  • Specify the new user's roles manually

Or you may deny an account request:

Release Notes

Version 1.2

  • Requires OpenMRS 1.6

  • Also tested to work with OpenMRS 1.7 and 1.8.

  • Doesn't let you assign the "Anonymous" or "Authenticated" roles

Version 1.1

  • Requires OpenMRS 1.5

  • Does not work on OpenMRS 1.6+

  • Uses the validatePassword method from OpenMRS core, so the system's custom password-strength rules will be used.

Version 1.0

  • Initial release

Required Privileges

Requesting an account does not require any privileges (obviously).
Approving/denying accounts requires the "Add Users" privilege.

Known issues and TODOs

  • No notification is sent when an account is requested. (Should this be via email, or an in-OpenMRS notification sent to administrators?)

  • Security issue mentioned above where the requested password is temporarily stored as clear text

Special releases

If you want to use this module on 1.4.0-1.4.4, you need this special version of the omod file: Requestaccount-1.0-for-1.4.0.omod