  • 0
blestatester

Multi-Company: Are user registrations shared or completely separate?

Question

Hi, I have been testing a multi-company setup with Blesta 4.1.1 and I thought that user registrations were unique and separate from one company to the other.

However:

  • I had a user, who is already registered with Company #1, try to make a purchase with Company #2
  • They were unable to register a new account with Company #2 using the same email address that they used with Company #1 --> "The username has already been taken"
  • BUT, they also couldn't use their login credentials from Company #1, at Company #2 --> "No match found for that user/password combination"
  • Trying the "Reset Password" option on Company #2, using the Company #1 credentials  --> "A confirmation email has been sent to the address on record", BUT no such email is actually sent (according to the Blesta logs  +  they didn't receive any reset email; they receive all other system emails just fine)

Note:  They were using email address as Username (does this cause the above?  i.e., is it just the Usernames are shared/used as an index, or is the entire User Registration information?)

Are the user registrations actually separate per company or not?

Thanks in advance


21 answers to this question

  • 0
19 minutes ago, blestatester said:

@BlestaStore, thanks for your response.

Aside from the primary admin account, is an individual account valid (i.e., can authenticate) in both companies?

 

 

Users are unique per company, and a user cannot currently exist in multiple companies. This is something we may add in the future. (User logs in, then sees a "Choose your Company Screen", or auto select company based on hostname with ability to switch companies, similar to staff) You could make a feature request: https://requests.blesta.com

At the moment, a client can exist in multiple companies, but they would need a different user for each.

  • 0
7 minutes ago, Paul said:

Users are unique per company, and a user cannot currently exist in multiple companies. This is something we may add in the future. (User logs in, then sees a "Choose your Company Screen", or auto select company based on hostname with ability to switch companies, similar to staff) You could make a feature request: https://requests.blesta.com

At the moment, a client can exist in multiple companies, but they would need a different user for each.

Hi Paul, thanks for your response.

I will have to create a feature request when I get a chance.

Is there a way to force registering users to only use Username instead of email address (i.e., not giving them that option)?

  • 0
2 minutes ago, blestatester said:

Hi Paul, thanks for your response.

I will have to create a feature request when I get a chance.

Is there a way to force registering users to only use Username instead of email address (i.e., not giving them that option)?

You would have to modify the order templates to disable the email option in the HTML, or use JavaScript to hide it. Usually people want to force the email option and hide the username option. /plugins/order/views/templates/

  • 0
4 minutes ago, Paul said:

Usually people want to force the email option and hide the username option. /plugins/order/views/templates/

I definitely understand that, but I have multiple companies that may have (non-staff) users in common who would want to use their "well-known" email address.  :-(

  • 0
40 minutes ago, Paul said:

Users are unique per company, and a user cannot currently exist in multiple companies. This is something we may add in the future. (User logs in, then sees a "Choose your Company Screen", or auto select company based on hostname with ability to switch companies, similar to staff) You could make a feature request: https://requests.blesta.com

At the moment, a client can exist in multiple companies, but they would need a different user for each.

Just my opinion: for me it makes no sense to restrict usernames across multiple companies. If I'm a user of company 1 with the username "blesta" or "paul<atttt>blesta.com" and I want to purchase from another company, I will use my habitual username "blesta" or "paul<attttt>blesta.com"; seeing that it is already used is something that confuses me.

As a user, company A is not company B, and it makes no sense to me if, in my account at company A, I see or am impacted by something in company B.

As a CEO or owner, I don't need to reveal that I have 2 or 3 companies that share the same database or that they are related.

Normally and logically, company A is not company B, and Blesta should take care of issues like these, or multi-company makes no sense or has no advantage at all.

Edited by Paul
spambots email addy farming

  • 0
1 minute ago, Blesta Addons said:

Just my opinion: for me it makes no sense to restrict usernames across multiple companies. If I'm a user of company 1 with the username "blesta" or "paul<atttt>blesta.com" and I want to purchase from another company, I will use my habitual username "blesta" or "paul<attttt>blesta.com"; seeing that it is already used is something that confuses me.

As a user, company A is not company B, and it makes no sense to me if, in my account at company A, I see or am impacted by something in company B.

As a CEO or owner, I don't need to reveal that I have 2 or 3 companies that share the same database or that they are related.

Normally and logically, company A is not company B, and Blesta should take care of issues like these, or multi-company makes no sense or has no advantage at all.

There are potential security implications of allowing the same username to be used multiple times, but I understand what you're saying. You could create a feature request for this, and we could investigate to see how big of a deal it would be to change this and make usernames company unique, meaning that you could have the same username in a different company and it be a unique account.. though that would probably conflict with the feature of having a single user have access to multiple companies with the same login.

  • 0
5 minutes ago, Paul said:

There are potential security implications of allowing the same username to be used multiple times, but I understand what you're saying. You could create a feature request for this, and we could investigate to see how big of a deal it would be to change this and make usernames company unique, meaning that you could have the same username in a different company and it be a unique account.. though that would probably conflict with the feature of having a single user have access to multiple companies with the same login.

Limiting the username within one company is reasonable, but limiting it across multiple companies is not. I think the behavior can be changed, and the validation should be related to the company, not the whole system.

I have not used multi-company because of some issues I faced in the past, like the themes, the user IDs, the usernames and others I can't remember now, so I have opted for another license. I will not open a feature request, as I think what is open now has higher priority than that one :)

  • 0
19 minutes ago, Blesta Addons said:

Just my opinion: for me it makes no sense to restrict usernames across multiple companies. If I'm a user of company 1 with the username "blesta" or "paul<atttt>blesta.com" and I want to purchase from another company, I will use my habitual username "blesta" or "paul<attttt>blesta.com"; seeing that it is already used is something that confuses me.

As a user, company A is not company B, and it makes no sense to me if, in my account at company A, I see or am impacted by something in company B.

As a CEO or owner, I don't need to reveal that I have 2 or 3 companies that share the same database or that they are related.

Normally and logically, company A is not company B, and Blesta should take care of issues like these, or multi-company makes no sense or has no advantage at all.

This.  Exactly.

I thought that the registration databases would have been "separate but unequal" (i.e., not the same). 

This is causing me to take a step back after learning this.

  • 0
36 minutes ago, Paul said:

There are potential security implications of allowing the same username to be used multiple times, but I understand what you're saying. You could create a feature request for this, and we could investigate to see how big of a deal it would be to change this and make usernames company unique, meaning that you could have the same username in a different company and it be a unique account.. though that would probably conflict with the feature of having a single user have access to multiple companies with the same login.

Paul, believe me I know the security implications more than you can imagine.

I've worked with a number of "multi-tenant" setups (particularly Drupal) and also, more recently, WordPress.

I was hoping that your implementation would have been similar to Drupal's:

  • Separate databases (i.e., with completely separate tables, user registrations, etc)
  • One codebase (which you have) -- so that upgrading once, upgrades many
  • This also means that if you want to do a high-availability setup, each company database would have to be replicated separately

Given that it is not this approach (with individual database), this likely has some other far-reaching implications ... i.e., PCI.  :-(

The current implementation:

  • Shares a database (and in particular, usernames)
  • Could potentially expose data elements from multiple companies in a single attack


The "right" way (from a security perspective) to do a multi-tenant setup ... is with completely separate databases. 
(Though admittedly, true security purists would frown upon any shared anything.  We all realize that some compromises have to be made with this type of setup).

 

I am not criticizing, I am merely summarizing what I have literally learned today in this thread.  Your corrections to my understanding are certainly welcome.

Thanks

  • 0
38 minutes ago, blestatester said:

Separate databases (i.e., with completely separate tables, user registrations, etc)

That would make the database massive though and confusing to browse? I haven't had any issues with multi-company; people just have one username for one and another for the other.
 

  • 0
10 hours ago, BlestaStore said:

That would make the database massive though and confusing to browse? I haven't had any issues with multi-company; people just have one username for one and another for the other.
 

Disagree.  It would make multiple databases each of similar size (because they contain all of the necessary tables necessary to run Blesta).  So, maybe more storage requirement overall. 

In summary:

  1. It possibly requires more storage because each database would require any required elements that Blesta needs upon creation of a new company
    • Databases would only be "massive" if you had "massive" amounts of data associated with a particular company.
  2. It would in fact make the databases easier to browse because each database would only contain data associated with the specific company it represents
  3. It is better from a security perspective as well
    • All data, including user registrations, would be separated -- with separate database credentials to even open the database
    • It would also be irrelevant what username/email address someone wants to use if they had business with each company -- they could use the same or different if they wanted to
    • In fact, you could have completely independent ADMIN user for each site
  4. It would potentially reduce customer confusion for those who use multi-company that may have customers in common
    • This particular case became a problem for me because of customer confusion when they tried to make a purchase from the 2nd/unrelated company and they couldn't register with their preferred username (their email address) which should be uniquely theirs
    • So, the question then asked of me was "how did someone else register in your secure system with my email address??"
    • I had to then figure out what was going on ... and here we are
  5. This would make Blesta be true "multi-tenant" and not just "multi-site"
    • Reference: (rudimentary explanation of WordPress multi-tenancy vs multi-site, add http  : //) 
      • torbjornzetterlund.com/multi-tenant-wordpress-enterprise/
    • Reference: (explanation of Drupal multi-tenancy vs numerous other options, add http : //)
      • drupal.stackexchange.com/questions/78328/does-drupal-support-multitenancy
    • This could be an additional selling point and differentiator for Blesta vs competitors

I am not trying to imply that this would be trivial for the Blesta team to code -- I understand and appreciate the complexities and prioritization needed here.

But, it is a better solution for the long-run.

And, for me, this is a of a show-stopper with what I thought multi-company could do, and what I had hoped to use it for.

Thanks

  • 0
18 hours ago, blestatester said:

Paul, believe me I know the security implications more than you can imagine.

I've worked with a number of "multi-tenant" setups (particularly Drupal) and also, more recently, WordPress.

I was hoping that your implementation would have been similar to Drupal's:

  • Separate databases (i.e., with completely separate tables, user registrations, etc)
  • One codebase (which you have) -- so that upgrading once, upgrades many
  • This also means that if you want to do a high-availability setup, each company database would have to be replicated separately

Given that it is not this approach (with individual database), this likely has some other far-reaching implications ... i.e., PCI.  :-(

The current implementation:

  • Shares a database (and in particular, usernames)
  • Could potentially expose data elements from multiple companies in a single attack


The "right" way (from a security perspective) to do a multi-tenant setup ... is with completely separate databases. 
(Though admittedly, true security purists would frown upon any shared anything.  We all realize that some compromises have to be made with this type of setup).

 

I am not criticizing, I am merely summarizing what I have literally learned today in this thread.  Your corrections to my understanding are certainly welcome.

Thanks

You make a very good case for just having a separate license & separate installation. If PCI is a concern between companies, they should have separate code bases as well. If the server was compromised, the attacker would have the details they need to get into either database. Multi-company with multiple databases is not something we plan to implement, in fact, it would introduce a host of other issues.

We understand that for some, a separate installation is preferable to a multi-company installation, and that's ok.

  • 0

Regarding the OP's question.

For me at least, the multi-company provided now in Blesta is enough; I can only request some more flexibility around the separation of companies. One database is the goal for this multi-company system as announced.

If we talk about multi-tenant, we are talking about another level of software design and architecture. For me, multi-tenant in Blesta equals a separate installation.

I can make Blesta multi-tenant on one condition: I get the full open source of the file that includes the config file, maybe it's app_model.php; then you can hook the files to include a custom config file based on the hostname :)

  • 0

Hello,

Does anyone know if there is any progress on this issue? I am starting to work with Blesta for my new projects and thinking of multi-company (for every brand), but I find this a problem.

As some said, there are users who would like to use 1 email address (or username) for their services. And, more important for me, it doesn't look clear from a customer's perspective why they can't use their own email address when buying a service because it is used in another, different service; it doesn't make sense (in my opinion :D).

I really think it needs to have unique email/username limited to every company (or brand), not the whole system. I think this option isn't too hard to implement; it is just one more filter in the login process (multi-brand does it with every entity and other parts of the system). Or at least shared users, which I think is more difficult to implement and maybe not correct from a business perspective (or yes, idk).

Thank you,

regards.

  • 0

@Mariano have you tested it? I haven't, but I did set up my own testing client using the same email account on two different companies. Maybe it only rejects it if it's done via the client signup and not via the admin area? Don't have time to test it but I can say it is possible to have the same email address used on two different companies.

  • 0
3 hours ago, WebhostingNZ.com said:

@Mariano have you tested it? I haven't, but I did set up my own testing client using the same email account on two different companies. Maybe it only rejects it if it's done via the client signup and not via the admin area? Don't have time to test it but I can say it is possible to have the same email address used on two different companies.

Hello,

Are you able to register with the same email address in both companies using the "Use email as username" option? I understand it is possible using the "Specify a username" option (and setting different usernames for each company) but not using the previous option (Use email as username).

Regards.

  • 0
6 hours ago, Mariano said:

Hello,

Are you able to register with the same email address in both companies using the "Use email as username" option? I understand it is possible using the "Specify a username" option (and setting different usernames for each company) but not using the previous option (Use email as username).

Regards.

The limit is based on the username, not the email address. So if the username is the email, then it is limited.

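The registration and login behaviour reported in this thread, reproduced as an added example (not part of the original posts and not Blesta's code): the `users` table, its columns and the helper names are hypothetical. It compares a system-wide unique username with one scoped per company, and shows that the login lookup must filter on the company once names can repeat.

```python
import hashlib
import hmac
import os
import sqlite3

# Hypothetical schema for illustration only; this is not Blesta's table layout.
COLUMNS = ("id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL, "
           "username TEXT NOT NULL, salt BLOB NOT NULL, pw_hash BLOB NOT NULL")
SCHEMAS = {
    # One username namespace for the whole installation (behaviour in the thread).
    "global": f"CREATE TABLE users ({COLUMNS}, UNIQUE (username))",
    # One username namespace per company (what the posters ask for).
    "scoped": f"CREATE TABLE users ({COLUMNS}, UNIQUE (company_id, username))",
}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(db, company_id, username, password):
    """Return True if the account was created, False if the name is taken."""
    salt = os.urandom(16)
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO users (company_id, username, salt, pw_hash) "
                "VALUES (?, ?, ?, ?)",
                (company_id, username, salt, _hash(password, salt)))
        return True
    except sqlite3.IntegrityError:
        return False

def login(db, company_id, username, password):
    """Check credentials against one company only.

    With scoped usernames the company_id filter is mandatory: without it the
    lookup could match another company's account of the same name.
    """
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE company_id = ? AND username = ?",
        (company_id, username)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _hash(password, salt))

def demo():
    email = "alice@example.test"  # constructed sample data
    out = {}
    for name, ddl in SCHEMAS.items():
        db = sqlite3.connect(":memory:")
        db.execute(ddl)
        register(db, 1, email, "pw-company-1")
        out[name] = {
            "signup_at_company_2": register(db, 2, email, "pw-company-2"),
            "duplicate_in_company_1": register(db, 1, email, "other"),
            "company_1_creds_at_1": login(db, 1, email, "pw-company-1"),
            "company_1_creds_at_2": login(db, 2, email, "pw-company-1"),
        }
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the "global" case the second company's signup is refused and the first company's password does not work there, matching the two messages in the opening question; in the "scoped" case the signup succeeds and the two accounts remain independent.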
