[RFC] Create a new user account through the ACP

Publish your own request for comments/change or patches for the next version of phpBB. Discuss the contributions and proposals of others. Upcoming releases are 3.2/Rhea and 3.3.
MichaelC
Development Team
Posts: 889
Joined: Thu Jan 28, 2010 6:29 pm

Re: [RFC] Create a new user account through the ACP

Post by MichaelC » Wed Mar 14, 2012 10:27 am

callumacrae wrote:
Unknown Bliss wrote:
DavidIQ wrote:Password could be left blank I think. Upon account creation if the password is not provided the email address that was assigned would receive a hash for activation at which point a password assignment is required.
+1

So the admin can set the password or one can be generated.
DavidIQ did not say that a password would be generated; he said a hash would be generated that would allow them to set their password (like resetting it does). It's a far better approach.
Oh yeah, sorry. That would be an even better idea.
Formerly known as Unknown Bliss
psoTFX wrote: I went with Olympus because as I said to the teams ... "It's been one hell of a hill to climb"
No unsolicited PMs please except for quotes.

DavidIQ
Customisations Team Leader
Posts: 1731
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth

Re: [RFC] Create a new user account through the ACP

Post by DavidIQ » Wed Mar 14, 2012 12:38 pm

callumacrae wrote:
Unknown Bliss wrote:
DavidIQ wrote:Password could be left blank I think. Upon account creation if the password is not provided the email address that was assigned would receive a hash for activation at which point a password assignment is required.
+1

So the admin can set the password or one can be generated.
DavidIQ did not say that a password would be generated; he said a hash would be generated that would allow them to set their password (like resetting it does). It's a far better approach.
Yes that is exactly right. I kind of meant a link with a hash in it but whichever approach taken should be fine. Right now password reset does not force you to change the generated password so that logic might need a little massaging.

MichaelC
Development Team
Posts: 889
Joined: Thu Jan 28, 2010 6:29 pm

Re: [RFC] Create a new user account through the ACP

Post by MichaelC » Wed Mar 14, 2012 2:47 pm

DavidIQ wrote:
callumacrae wrote:
Unknown Bliss wrote:
DavidIQ wrote:Password could be left blank I think. Upon account creation if the password is not provided the email address that was assigned would receive a hash for activation at which point a password assignment is required.
+1

So the admin can set the password or one can be generated.
DavidIQ did not say that a password would be generated; he said a hash would be generated that would allow them to set their password (like resetting it does). It's a far better approach.
Yes that is exactly right. I kind of meant a link with a hash in it but whichever approach taken should be fine. Right now password reset does not force you to change the generated password so that logic might need a little massaging.
And maybe while it's being done adapt password reset to get you to change the password?
Formerly known as Unknown Bliss
psoTFX wrote: I went with Olympus because as I said to the teams ... "It's been one hell of a hill to climb"
No unsolicited PMs please except for quotes.

imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: [RFC] Create a new user account through the ACP

Post by imkingdavid » Wed Mar 14, 2012 4:00 pm

Unknown Bliss wrote: And maybe while it's being done adapt password reset to get you to change the password?
IMO that would be a separate RFC since it would be a part of other features than this one (i.e. password reset).
I do custom MODs. PM for a quote!
View My: MODs | Portfolio
Please do NOT contact for support via PM or email.
Remember, the enemy's gate is down.

jsebean
Registered User
Posts: 165
Joined: Wed Nov 17, 2010 1:40 am
Location: Atlantic Canada

Re: [RFC] Create a new user account through the ACP

Post by jsebean » Wed Mar 14, 2012 5:57 pm

So an email confirmation would be sent out to the new user regardless if the admin chose the password or not, and explain the admin of "such and such board" has created your account or something like that.
-Jonah

imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: [RFC] Create a new user account through the ACP

Post by imkingdavid » Wed Mar 14, 2012 7:45 pm

jsebean wrote: So an email confirmation would be sent out to the new user regardless if the admin chose the password or not, and explain the admin of "such and such board" has created your account or something like that.
Here's the flow as I see it now:
  • Admin goes to new section in ACP to add a new user
  • Admin fills out the form with registration details (i.e. email, username, optional password), sets profile info (including custom fields), and chooses user's group (defaults to newly registered group), etc.
  • Email is sent to user informing them that the account was created. If the administrator entered a password, it will be displayed in the email (not sure if this is good, since that would be insecure if someone else accessed that email). Otherwise, a link is provided with an activation key.
  • The user visits the link and is required to enter a new password.
EDIT: For the reason I mentioned above (i.e. security) I'm wondering if we should just not bother with allowing the admin to set a password, but rather leave that up to the user. Thoughts?
I do custom MODs. PM for a quote!
View My: MODs | Portfolio
Please do NOT contact for support via PM or email.
Remember, the enemy's gate is down.
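
The activation-key branch of the flow listed in the post above, sketched as an added example (not phpBB code and not written by anyone in this thread). The function names, the in-memory `$users` array standing in for the users table, the 24-hour key lifetime and the minimum password length are all assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration, not phpBB code. $users stands in for the users table.
const ACTIVATION_TTL = 86400;   // assumed key lifetime: 24 hours
const MIN_PASSWORD_LEN = 8;     // assumed minimum length

// Admin side: create an inactive account with no password and return the
// one-time key that goes into the emailed activation link.
function create_pending_account(array &$users, string $username, string $email, int $now): string
{
    $key = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG
    $users[$username] = [
        'email'      => $email,
        'password'   => null,                   // nothing to put in the email
        'active'     => false,
        'key_hash'   => hash('sha256', $key),   // only a hash of the key is stored
        'key_expiry' => $now + ACTIVATION_TTL,
    ];
    return $key;
}

// User side: the key is accepted once, before expiry, and only together
// with a new password chosen by the user.
function activate_account(array &$users, string $username, string $key, string $password, int $now): bool
{
    $user = $users[$username] ?? null;
    if ($user === null || $user['key_hash'] === null || $now > $user['key_expiry']) {
        return false;                           // unknown user, used key or expired key
    }
    if (!hash_equals($user['key_hash'], hash('sha256', $key))) {
        return false;                           // constant-time comparison failed
    }
    if (strlen($password) < MIN_PASSWORD_LEN) {
        return false;                           // key stays valid for another attempt
    }
    $users[$username]['password'] = password_hash($password, PASSWORD_DEFAULT);
    $users[$username]['active']   = true;
    $users[$username]['key_hash'] = null;       // single use: a replayed link is rejected
    return true;
}

// Constructed demo data.
$users = [];
$now   = 1331754300;
$key   = create_pending_account($users, 'newuser', 'newuser@example.com', $now);
var_dump(activate_account($users, 'newuser', str_repeat('0', 64), 'a long passphrase', $now + 60));
var_dump(activate_account($users, 'newuser', $key, 'a long passphrase', $now + ACTIVATION_TTL + 1));
var_dump(activate_account($users, 'newuser', $key, 'a long passphrase', $now + 60));
var_dump(activate_account($users, 'newuser', $key, 'another passphrase', $now + 120));
```

The four demo calls exercise a wrong key, an expired key, the valid activation and a replay of the already-used link; only the third succeeds. Because the account row holds only a hash of the key, a leaked database copy does not yield working activation links.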

Oleg
Posts: 1150
Joined: Tue Feb 23, 2010 2:38 am

Re: [RFC] Create a new user account through the ACP

Post by Oleg » Wed Mar 14, 2012 10:13 pm

imkingdavid wrote:
Unknown Bliss wrote: And maybe while it's being done adapt password reset to get you to change the password?
IMO that would be a separate RFC since it would be a part of other features than this one (i.e. password reset)
Yes, if you want to do this please do it separately.

Oleg
Posts: 1150
Joined: Tue Feb 23, 2010 2:38 am

Re: [RFC] Create a new user account through the ACP

Post by Oleg » Wed Mar 14, 2012 10:13 pm

imkingdavid wrote: Email is sent to user informing them that the account was created. If the administrator entered a password, it will be displayed in the email (not sure if this is good, since that would be insecure if someone else accessed that email). Otherwise, a link is provided with an activation key.
Do we currently email users their passwords in any circumstances?

MichaelC
Development Team
Posts: 889
Joined: Thu Jan 28, 2010 6:29 pm

Re: [RFC] Create a new user account through the ACP

Post by MichaelC » Wed Mar 14, 2012 10:45 pm

Maybe a setting to set whether the user requires email activation or will be automatically activated (especially for boards with admin activation)?
Formerly known as Unknown Bliss
psoTFX wrote: I went with Olympus because as I said to the teams ... "It's been one hell of a hill to climb"
No unsolicited PMs please except for quotes.

DavidIQ
Customisations Team Leader
Posts: 1731
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth

Re: [RFC] Create a new user account through the ACP

Post by DavidIQ » Wed Mar 14, 2012 11:10 pm

Oleg wrote:
imkingdavid wrote: Email is sent to user informing them that the account was created. If the administrator entered a password, it will be displayed in the email (not sure if this is good, since that would be insecure if someone else accessed that email). Otherwise, a link is provided with an activation key.
Do we currently email users their passwords in any circumstances?
Can't, of course, as it is stored hashed, not encrypted. The only time the password is emailed is when a reset is requested, where a generic password is generated and stored (after email link is clicked on), and we used to email the password with the account creation but that was removed 2 or 3 versions ago.