Development Discussion Board

[MichaelC]

Password could be left blank I think. Upon account creation if the password is not provided the email address that was assigned would receive a hash for activation at which point a password assignment is required.

+1

So the admin can set the password or one can be generated.

DavidIQ did not say that a password would be generated, he said a hash would be generated that would slow them to set their password (like resetting it does). It's a far better approach.

Oh yeah, sorry. That would be an even better idea.

[DavidIQ]

Password could be left blank I think. Upon account creation if the password is not provided the email address that was assigned would receive a hash for activation at which point a password assignment is required.

+1

So the admin can set the password or one can be generated.

DavidIQ did not say that a password would be generated, he said a hash would be generated that would slow them to set their password (like resetting it does). It's a far better approach.

Yes that is exactly right. I kind of meant a link with a hash in it but whichever approach taken should be fine. Right now password reset does not force you to change the generated password so that logic might need a little massaging.

[MichaelC]

Password could be left blank I think. Upon account creation if the password is not provided the email address that was assigned would receive a hash for activation at which point a password assignment is required.

+1

So the admin can set the password or one can be generated.

DavidIQ did not say that a password would be generated, he said a hash would be generated that would slow them to set their password (like resetting it does). It's a far better approach.

Yes that is exactly right. I kind of meant a link with a hash in it but whichever approach taken should be fine. Right now password reset does not force you to change the generated password so that logic might need a little massaging.

And maybe while its being done adapt password reset to get you to change the password?

[imkingdavid]

And maybe while its being done adapt password reset to get you to change the password?

IMO that would be a separate RFC since it would be a part of other features than this one (i.e. password reset)

[jsebean]

So an email confirmation would be sent out to the new user regardless if the admin chose the password or not, and explain the admin of "such and such board" has created your account or something like that.

[imkingdavid]

So an email confirmation would be sent out to the new user regardless if the admin chose the password or not, and explain the admin of "such and such board" has created your account or something like that.

Here's the flow as I see it now:

• Admin goes to new section in ACP to add a new user
• Admin fills out the form with registration details (i.e. email, username, optional password), sets profile info (including custom fields), and chooses user's group (defaults to newly registered group), etc.
• Email is sent to user informing them that the account was created. If the administrator entered a password, it will be displayed in the email (not sure if this is good, since that would be insecure if someone else accessed that email). Otherwise, a link is provided with an activation key.
• The user visits the link and is required to enter a new password.

EDIT: For the reason I mentioned above (i.e. security) I'm wondering if we should just not bother with allowing the admin to set a password, but rather leave that up to the user. Thoughts?

[Oleg]

And maybe while its being done adapt password reset to get you to change the password?

IMO that would be a separate RFC since it would be a part of other features than this one (i.e. password reset)

Yes, if you want to do this please do it separately.

[Oleg]

[*]Email is sent to user informing them that the account was created. If the administrator entered a password, it will be displayed in the email (not sure if this is good, since that would be insecure if someone else accessed that email). Otherwise, a link is provided with an activation key.

Do we currently email users their passwords in any circumstances?

[MichaelC]

Maybe a setting to set where the user requires email activation or will be automatically activated (especially for boards with admin activation)?

[DavidIQ]

[*]Email is sent to user informing them that the account was created. If the administrator entered a password, it will be displayed in the email (not sure if this is good, since that would be insecure if someone else accessed that email). Otherwise, a link is provided with an activation key.

Do we currently email users their passwords in any circumstances?

Can't of course as it is stored hashed, not encrypted. The only time the password is emailed is when a reset is requested where a generic password is generated and stored (after email link is clicked on) and we used to email the password with the account creation but that was removed 2 or 3 versions ago.