userService is based on jsonService, with some extra security features added.

When reading a user record, userService obfuscates the password field, returning the placeholder value '<hidden>' instead of the stored hash.

When writing a user record, userService checks that the requesting user has the permissions required for any changes they make to the email, password and roles fields. It also handles the password field specially: if the value '<hidden>' is set, the stored password is left unchanged; if any other value is set, that value is hashed and stored as the new password.

User records must contain a set of core fields, and beyond those they can carry any additional fields an application needs. The core fields are:

  • email: the user's email address, used as the user's unique identifier throughout the system
  • password: when read, this field is obfuscated as described above; internally it holds the hashed password
  • roles: the roles the user belongs to, as a space-separated string of role codes. A role code can be any string that contains no space. The system has three built-in roles: U (site user), E (content editor) and A (administrator).
  • token, tokenExpiry: a time-limited token that can be used for password resets, together with its expiry time