[RFC] Create a new user account through the ACP

callumacrae
Former Team Member
Posts: 1046
Joined: Tue Apr 27, 2010 9:37 am
Location: England

Re: [RFC] Create a new user account through the ACP

Post by callumacrae »

DavidIQ wrote:
    Oleg wrote:
        imkingdavid wrote: Email is sent to user informing them that the account was created. If the administrator entered a password, it will be displayed in the email (not sure if this is good, since that would be insecure if someone else accessed that email). Otherwise, a link is provided with an activation key.
        Do we currently email users their passwords in any circumstances?
    Can't of course as it is stored hashed, not encrypted. The only time the password is emailed is when a reset is requested where a generic password is generated and stored (after email link is clicked on) and we used to email the password with the account creation but that was removed 2 or 3 versions ago.
He could have been referring to on registration - far too many websites email passwords out in plain text.
Made by developers, for developers!
My blog

Oleg
Posts: 1150
Joined: Tue Feb 23, 2010 2:38 am

Re: [RFC] Create a new user account through the ACP

Post by Oleg »

DavidIQ wrote:
    Oleg wrote:
        imkingdavid wrote: Email is sent to user informing them that the account was created. If the administrator entered a password, it will be displayed in the email (not sure if this is good, since that would be insecure if someone else accessed that email). Otherwise, a link is provided with an activation key.
        Do we currently email users their passwords in any circumstances?
    Can't of course as it is stored hashed, not encrypted. The only time the password is emailed is when a reset is requested where a generic password is generated and stored (after email link is clicked on) and we used to email the password with the account creation but that was removed 2 or 3 versions ago.
There are two ways of doing password reset:

1. User clicks reset link -> we email them a new password.

2. User clicks reset link -> goes to a page where they enter a new password.

If we currently do option 1, I don't see a problem with emailing user their automatically generated password when their account is created in the acp.

If admin enters a password, which I suppose could be needed, I would be careful with emailing it in plaintext. Perhaps we should have an option to email user their password (this will be available regardless of whether password is generated or entered).

If we currently do option 2, I would be more inclined toward having an option to email the user their password, however it is specified, rather than emailing unconditionally.

Perhaps we can also (or alternatively) email an activation link instead of the password. Clicking this link then would allow a user to enter their desired password. This should be safe to do in all circumstances I would think.
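
The activation-link flow suggested in the post above, sketched as an added example that is not part of the original post and is not phpBB code: the function names, the in-memory `$users` array and the 24-hour lifetime are assumptions made for illustration. No password is ever emailed; the link carries a random single-use token and only its hash is stored.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical helpers, with an array standing in for the users table.

const ACTIVATION_TTL = 86400; // seconds the link stays valid (assumed value)

/** Admin creates the account: no password exists yet and the account is inactive. */
function create_pending_user(array &$users, string $username, string $email, int $now): string
{
    $token = bin2hex(random_bytes(32));            // 256-bit secret, placed only in the emailed link
    $users[$username] = [
        'email'         => $email,
        'active'        => false,
        'password_hash' => null,
        'token_hash'    => hash('sha256', $token), // store a hash, never the token itself
        'token_expires' => $now + ACTIVATION_TTL,
    ];
    return $token;
}

/** User follows the link and chooses a password; the token works once. */
function activate_user(array &$users, string $username, string $token, string $new_password, int $now): bool
{
    $user = $users[$username] ?? null;
    if ($user === null || $user['token_hash'] === null || $now > $user['token_expires']) {
        return false;                              // unknown user, token already used, or link expired
    }
    if (!hash_equals($user['token_hash'], hash('sha256', $token))) {
        return false;                              // constant-time comparison failed
    }
    $users[$username]['password_hash'] = password_hash($new_password, PASSWORD_DEFAULT);
    $users[$username]['active']        = true;
    $users[$username]['token_hash']    = null;     // invalidate the link after first use
    return true;
}

// Constructed sample run: wrong token, expired link, valid activation, replayed link.
$users = [];
$now   = 1700000000;
$token = create_pending_user($users, 'alice', 'alice@example.com', $now);
var_dump(activate_user($users, 'alice', 'wrong-token', 'S3cret-pass', $now + 60));
var_dump(activate_user($users, 'alice', $token, 'S3cret-pass', $now + ACTIVATION_TTL + 1));
var_dump(activate_user($users, 'alice', $token, 'S3cret-pass', $now + 60));
var_dump(activate_user($users, 'alice', $token, 'another-pass', $now + 61));
```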

DavidIQ
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth

Re: [RFC] Create a new user account through the ACP

Post by DavidIQ »

We do option one. What I was suggesting was similar to that. Admin could put in the password and this would be somehow provided to the user. If none is provided then a generic password would be assigned that would not be made active until the link in the email is clicked on, just like it is now for password reset.

imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: [RFC] Create a new user account through the ACP

Post by imkingdavid »

I'd like to revisit this. Not being able to add a user via the ACP makes testing things that require multiple users take significantly longer.

I am going to try to make this quick and easy by just adding to the current user management module (this would require too much work, instead I'll just create a new module). Here's what I plan to do:
  • Alter current "Manage users" page to display a "Create new user" button next to the "Submit" button. I am doing this instead of adding a new module, one because it is faster/easier, and two because it is more consistent with the Group management module, which is not split between one module that adds groups and one that edits/deletes/etc. groups.
  • Add a new module called "Add user" below the current "Manage users" module (not above, or else it would be displayed by default).
  • On the new module page, display a form. This form will display fields for Username, Password, Email Address, Default Group (dropdown select box, defaults to Registered User group), and timezone (defaults to board default timezone)
  • Only username and Email address are required (of course, group and timezone will always be given a value because a default will be set; they are required as well, but you don't necessarily have to change them)
  • There will be a checkbox to specify whether or not an email should be sent. Note that if a password is NOT given, an email will be sent so the user will be able to login with the generated password.
  • When the form is submitted, the user is created and email is dispatched if password is empty or if box is selected.
  • If an email needs to be sent (i.e. checkbox is checked or password was not specified), the work flow is EXACTLY the same as the current "Forgot my password" work flow.
    • In other words, that means the email will be sent with the password in plaintext format and an activation link. The user must click that link and then will be able to use the password or change it if he prefers. Until he clicks the link, his account will be inactive. So I guess it's a bit of a mix between password reset and user email activation.
  • If no email needs to be sent (i.e. password was given and checkbox was not checked) the user account is activated and the user will be able to login with the password right away.
This will all be explained on the form for the administrator.

I plan to get most of the work done on this tonight before bed, but we'll see.
I do custom MODs. PM for a quote!
View My: MODs | Portfolio
Please do NOT contact for support via PM or email.
Remember, the enemy's gate is down.

imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: [RFC] Create a new user account through the ACP

Post by imkingdavid »

Okay, after looking through the acp_users.php file, I see that it's going to take some work to get it to do anything without a user_id specified. For that reason, it may be most ideal to create a new module. So I guess I'll do that for now.

MichaelC
Development Team
Posts: 889
Joined: Thu Jan 28, 2010 6:29 pm

Re: [RFC] Create a new user account through the ACP

Post by MichaelC »

+1 for simplicity, both on the frontend and backend and that seems to be a different module. ;)
Formerly known as Unknown Bliss
psoTFX wrote: I went with Olympus because as I said to the teams ... "It's been one hell of a hill to climb"
No unsolicited PMs please except for quotes.

John P
Posts: 157
Joined: Sun Nov 04, 2012 7:39 am
Location: Netherlands

Re: [RFC] Create a new user account through the ACP

Post by John P »

You don't need a module. When searching for a user and not found, ask if admin wants to create a new user. If so jump to user management.

Jessica.
Registered User
Posts: 144
Joined: Wed Feb 09, 2011 8:17 pm
Location: Pennsylvania, USA

Re: [RFC] Create a new user account through the ACP

Post by Jessica. »

Is this still considered? I'm hoping someone can create an extension for it in the meantime, if it won't be added till 3.2 or something.

DavidIQ
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth

Re: [RFC] Create a new user account through the ACP

Post by DavidIQ »

I think the one by HoL should work in 3.1 without needing a whole lot of changes. It is already a drop-in MOD since it is its own standalone ACP module.

imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: [RFC] Create a new user account through the ACP

Post by imkingdavid »

Unfortunately, I never got around to it. It's still on the table for 3.2+ but not for 3.1.