I want to run something by you guys.... and that is the subject of security with this site. I believe the security model is pretty good as is, but I would like to get your opinions.
First, let me say that I strongly believe that we should not require the teacher to enter a username/password combination when reporting. I believe that if we require this, it will cause way too much complication and significantly decrease the percentage of results reported by the teachers.
That being said, let me explain how the security currently works.
The url that the users link to contains a User ID, a User Code, and a Verification Key.
is an integer that tells the system which group the user belongs to.
The User ID is an integer that tells the system which user is logging in.
The User Code is a 3 - 5 digit hex number that is automatically generated by the system when the user's e-mail address is set up. This password does not (and cannot) change unless the teacher's e-mail address is removed and re-added. If this password changes, all previous links sent to the teacher will no longer work.
The Verification Key is an 8 digit hex number that ensures that the url has not been altered. If the url is altered, the system will display a message stating as such and not allow the teacher to report.
In addition to these three pieces of information contained in the url, the teacher is required to enter the first part of his or her e-mail address before accessing the reporting screen. This ensures that if the link gets into the wrong hands, that person must also have the necessary e-mail address.
All information transferred to and from the site is encrypted using SSL, so the data cannot be intercepted between the client and the server.
Additionally, the links expire after 2 months so even if they did get into the wrong hands, they wouldn't be of much value.
Each teacher can be assigned an access level of Teacher, Supervisor, or Presidency Member. Only Presidency Members have the ability to change the access levels. Those who have Presidency Member access will notice an "Admin Menu" button in the upper right-hand corner when they access their reporting screen, from which they can easily access the 'Admin Menu.' Supervisors also see the 'Admin Menu' button, but they will not have access to all the menu items available on the 'Admin Menu.'
I believe that things are pretty darn secure as is, but I think it could be improved.
The specific questions I have for you are:
1. Do you think the Presidency Members should have a username/password? If their link got into the wrong hands and that person knew the first part of their e-mail address, they could run amok if they wanted to.
2. What do you think of the "no username/password" for teachers model? In my opinion, it is absolutely critical, but I'm guessing some of you may disagree with me.
3. If a teacher does not want their name in the system at all, how should it be handled? The teacher would still need to be in the church's records... just not online for HT/VT Reporting purposes. I'm envisioning an option for the Presidency to add a particular teacher to a list of "removed" teachers and the system would make that person pretty much invisible.
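The link scheme described in the post (User ID, User Code, an 8-hex-digit key that detects tampering, the e-mail prefix step and the two-month expiry) as a worked example. This is added illustration code, not the site's own code; the HMAC construction, server secret, parameter names and URL are assumptions, since the post does not say how the Verification Key is computed.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, parse_qs, urlsplit

# Assumed server-side secret (constructed value); the post does not describe how
# the Verification Key is derived, so a keyed HMAC over the link fields is used here.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
LINK_LIFETIME = 60 * 24 * 3600  # roughly two months, matching the post's expiry


def _mac(user_id, user_code, expires):
    """8 hex digits, as on the page. Note: 32 bits of MAC is far weaker than a full tag."""
    msg = f"{user_id}|{user_code}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:8]


def make_link(base, user_id, user_code, now=None):
    """Build the reporting link the teacher receives by e-mail (parameter names assumed)."""
    expires = int(now if now is not None else time.time()) + LINK_LIFETIME
    q = {"uid": user_id, "code": user_code, "exp": expires,
         "key": _mac(user_id, user_code, expires)}
    return f"{base}?{urlencode(q)}"


def verify_link(url, email_prefix_entered, expected_email_prefix, now=None):
    """Return (ok, reason): tamper check, expiry, then the e-mail prefix step."""
    q = parse_qs(urlsplit(url).query)
    try:
        uid, code, exp, key = q["uid"][0], q["code"][0], int(q["exp"][0]), q["key"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    # Constant-time comparison so the key check does not leak timing information.
    if not hmac.compare_digest(key, _mac(uid, code, exp)):
        return False, "altered"
    if (now if now is not None else time.time()) > exp:
        return False, "expired"
    if not hmac.compare_digest(email_prefix_entered.lower().encode(),
                               expected_email_prefix.lower().encode()):
        return False, "email-prefix"
    return True, "ok"
```

Because the expiry is covered by the MAC, a holder of a leaked link cannot extend its two-month lifetime by editing the timestamp.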