imkingdavid wrote: Email is sent to user informing them that the account was created. If the administrator entered a password, it will be displayed in the email (not sure if this is good, since that would be insecure if someone else accessed that email). Otherwise, a link is provided with an activation key.
Oleg wrote: Do we currently email users their passwords in any circumstances?
DavidIQ wrote: Can't of course as it is stored hashed, not encrypted. The only time the password is emailed is when a reset is requested where a generic password is generated and stored (after email link is clicked on) and we used to email the password with the account creation but that was removed 2 or 3 versions ago.
He could have been referring to on registration - far too many websites email passwords out in plain text.
[RFC] Create a new user account through the ACP
- callumacrae
- Former Team Member
- Posts: 1046
- Joined: Tue Apr 27, 2010 9:37 am
- Location: England
- Contact:
Re: [RFC] Create a new user account through the ACP
Re: [RFC] Create a new user account through the ACP
imkingdavid wrote: Email is sent to user informing them that the account was created. If the administrator entered a password, it will be displayed in the email (not sure if this is good, since that would be insecure if someone else accessed that email). Otherwise, a link is provided with an activation key.
Oleg wrote: Do we currently email users their passwords in any circumstances?
DavidIQ wrote: Can't of course as it is stored hashed, not encrypted. The only time the password is emailed is when a reset is requested where a generic password is generated and stored (after email link is clicked on) and we used to email the password with the account creation but that was removed 2 or 3 versions ago.
There are two ways of doing password reset:
1. User clicks reset link -> we email them a new password.
2. User clicks reset link -> goes to a page where they enter a new password.
If we currently do option 1, I don't see a problem with emailing user their automatically generated password when their account is created in the acp.
If admin enters a password, which I suppose could be needed, I would be careful with emailing it in plaintext. Perhaps we should have an option to email user their password (this will be available regardless of whether password is generated or entered).
If we currently do option 2, I would be more inclined toward having an option to email the user their password, however it is specified, rather than emailing unconditionally.
Perhaps we can also (or alternatively) email an activation link instead of the password. Clicking this link then would allow a user to enter their desired password. This should be safe to do in all circumstances I would think.
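The activation-link approach from the post above, as an added example that is not part of the thread and not phpBB code: the account starts with no password, and the emailed key is random, stored only as a hash, expires, and works once. The `$users` array, `KEY_TTL`, the function names and the URL are assumptions made for illustration.

```php
<?php
// Added example (not phpBB code). $users is an in-memory stand-in
// for the users table; all names here are hypothetical.

const KEY_TTL = 86400; // activation key lifetime in seconds (assumed: 24 hours)

function create_pending_user(array &$users, string $username, string $email, int $now): string
{
    $key = bin2hex(random_bytes(32));            // 256-bit key from the CSPRNG
    $users[$username] = [
        'email'       => $email,
        'active'      => false,
        'pass_hash'   => null,                   // no password exists yet, so none can be emailed
        'key_hash'    => hash('sha256', $key),   // store only a hash of the key
        'key_expires' => $now + KEY_TTL,
    ];
    return $key;                                 // goes into the emailed link, nowhere else
}

function activate_user(array &$users, string $username, string $key, string $new_password, int $now): bool
{
    $u = $users[$username] ?? null;
    if ($u === null || $u['key_hash'] === null || $now > $u['key_expires']) {
        return false;                            // unknown user, key already used, or expired
    }
    if (!hash_equals($u['key_hash'], hash('sha256', $key))) {
        return false;                            // constant-time comparison of key hashes
    }
    $users[$username]['pass_hash']   = password_hash($new_password, PASSWORD_DEFAULT);
    $users[$username]['active']      = true;
    $users[$username]['key_hash']    = null;     // single use: the link is dead after this
    $users[$username]['key_expires'] = 0;
    return true;
}

// Constructed sample run with a fixed clock value.
$users = [];
$now   = 1700000000;
$key   = create_pending_user($users, 'alice', 'alice@example.com', $now);
$link  = 'https://board.example/activate?u=alice&k=' . $key; // hypothetical URL carried by the email

var_dump(activate_user($users, 'alice', str_repeat('0', 64), 'guess', $now + 60));     // wrong key
var_dump(activate_user($users, 'alice', $key, 'chosen by alice', $now + KEY_TTL + 1)); // expired key
var_dump(activate_user($users, 'alice', $key, 'chosen by alice', $now + 3600));        // valid key
var_dump(activate_user($users, 'alice', $key, 'another one', $now + 3601));            // replayed key
var_dump(password_verify('chosen by alice', $users['alice']['pass_hash']));            // stored hash check
```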
- DavidIQ
- Customisations Team Leader
- Posts: 1904
- Joined: Thu Mar 02, 2006 4:29 pm
- Location: Earth
- Contact:
Re: [RFC] Create a new user account through the ACP
We do option one. What I was suggesting was similar to that. Admin could put in the password and this would be somehow provided to the user. If none is provided then a generic password would be assigned that would not be made active until the link in the email is clicked on, just like it is now for password reset.
- imkingdavid
- Registered User
- Posts: 1050
- Joined: Thu Jul 30, 2009 12:06 pm
Re: [RFC] Create a new user account through the ACP
I'd like to revisit this. Not being able to add a user via the ACP makes testing things that require multiple users take significantly longer.
I am going to try to make this quick and easy by just adding to the current user management module (this would require too much work, instead I'll just create a new module). Here's what I plan to do:
- Alter current "Manage users" page to display a "Create new user" button next to the "Submit" button. I am doing this instead of adding a new module, one because it is faster/easier, and two because it is more consistent with the Group management module, which is not split between one module that adds groups and one that edits/deletes/etc. groups.
- Add a new module called "Add user" below the current "Manage users" module (not above, or else it would be displayed by default).
- On the new module page, display a form. This form will display fields for Username, Password, Email Address, Default Group (dropdown select box, defaults to Registered User group), and timezone (defaults to board default timezone)
- Only username and Email address are required (of course, group and timezone will always be given a value because a default will be set; they are required as well, but you don't necessarily have to change them)
- There will be a checkbox to specify whether or not an email should be sent. Note that if a password is NOT given, an email will be sent so the user will be able to login with the generated password.
- When the form is submitted, the user is created and email is dispatched if password is empty or if box is selected.
- If an email needs to be sent (i.e. checkbox is checked or password was not specified), the work flow is EXACTLY the same as the current "Forgot my password" work flow.
- In other words, that means the email will be sent with the password in plaintext format and an activation link. The user must click that link and then will be able to use the password or change it if he prefers. Until he clicks the link, his account will be inactive. So I guess it's a bit of a mix between password reset and user email activation.
- If no email needs to be sent (i.e. password was given and checkbox was not checked) the user account is activated and the user will be able to login with the password right away.
I plan to get most of the work done on this tonight before bed, but we'll see.
- imkingdavid
- Registered User
- Posts: 1050
- Joined: Thu Jul 30, 2009 12:06 pm
Re: [RFC] Create a new user account through the ACP
Okay, after looking through the acp_users.php file, I see that it's going to take some work to get it to do anything without a user_id specified. For that reason, it may be most ideal to create a new module. So I guess I'll do that for now.
Re: [RFC] Create a new user account through the ACP
+1 for simplicity, both on the frontend and backend and that seems to be a different module.
Formerly known as Unknown Bliss
psoTFX wrote: I went with Olympus because as I said to the teams ... "It's been one hell of a hill to climb"
No unsolicited PMs please except for quotes.
Re: [RFC] Create a new user account through the ACP
You don't need a module. When searching for a user and not found, ask if admin wants to create a new user. If so jump to user management.
- Jessica.
- Registered User
- Posts: 144
- Joined: Wed Feb 09, 2011 8:17 pm
- Location: Pennsylvania, USA
- Contact:
Re: [RFC] Create a new user account through the ACP
Is this still considered? I'm hoping someone can create an extension for it in the meantime, if it won't be added till 3.2 or something.
- DavidIQ
- Customisations Team Leader
- Posts: 1904
- Joined: Thu Mar 02, 2006 4:29 pm
- Location: Earth
- Contact:
Re: [RFC] Create a new user account through the ACP
I think the one by HoL should work in 3.1 without needing a whole lot of changes. It is already a drop-in MOD since it is its own standalone ACP module.
- imkingdavid
- Registered User
- Posts: 1050
- Joined: Thu Jul 30, 2009 12:06 pm
Re: [RFC] Create a new user account through the ACP
Unfortunately, I never got around to it. It's still on the table for 3.2+ but not for 3.1.