
Opened 4 years ago

Closed 3 years ago

Last modified 20 months ago

#7111 closed enhancement (fixed)

Password reset from admin page

Reported by: bjoern.riemer@…
Owned by: hasienda
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords: passwort reset admin
Cc:
Trac Release: 0.11

Description

Hi,
is there a way to do a password reset from the admin panel? Because our trac server forces us to use the Apache authentication for trac, the user can't click on the forgot password link to reset the password. But it would be nice if the admin can click a reset password button in the user manager to reset the password and send an email with the new temp password to the user.

Attachments (0)

Change History (11)

comment:1 Changed 4 years ago by hasienda

  • Keywords needinfo passwort reset admin added
  • Owner changed from mgood to hasienda

I suggest enabling a totally different admin-only password reset here, where the admin would send a new/interim password generated outside of AccountManagerPlugin, correct?

comment:2 follow-up: Changed 4 years ago by bjoern.riemer@…

Currently the admin logs in to trac and changes the password of the user and sends the user the new password by mail from Outlook. But this is not optimal because the admin has to do so many steps and he also knows the password afterwards. The password reset module (inside AccountManagerPlugin or outside) should generate an interim password and send it to the user's mail address which is stored in the account properties.

comment:3 in reply to: ↑ 2 Changed 4 years ago by hasienda

Replying to bjoern.riemer@fokus.fraunhofer.de:

> [...] The password reset module (inside AccountManagerPlugin or outside) should generate an interim password and send it to the user's mail address which is stored in the account properties.

This clarifies things a lot.

Previously I thought that you'd require password generation outside of the AccountManagerPlugin for some reason. So you can't use the standard login page, hence users have no reset option, but OTOH they can easily change their temporary password later, if logged in again.

Proposal for implementation: Add a second button "Reset passwords for selected accounts" below the user list and do the magic on all checked accounts with non-empty email. Would this be sufficient?

comment:4 Changed 4 years ago by anonymous

Yes, this would be the solution I'm looking for ;)

comment:5 Changed 4 years ago by hasienda

  • Keywords needinfo removed
  • Status changed from new to assigned
  • Type changed from defect to enhancement

Ok, so let's do this improvement, as soon as some urgent security related stuff is done.

comment:6 Changed 3 years ago by hasienda

(In [10313]) AccountManagerPlugin: Prepare password reset code for use by admins, refs #7111.

This includes an important fix: Username and email must match or a valid
temporary password for any existing account could be sent to an arbitrary
unauthorized email address for capturing that account by a third person.

Now set_user_attribute() reveals its potential for code cleanup as well.

comment:7 Changed 3 years ago by hasienda

(In [10315]) AccountManagerPlugin: Add support for admin-triggered password-reset, refs #7111.

After improving the underlying system this is the polish on-top of it.

comment:8 Changed 3 years ago by hasienda

Beware: To really enforce a password change we'd also need to invalidate the old password, since the 'lost password' procedure has been changed lately, so by default it doesn't overwrite any password prior to first successful login with the new (temporary random) password.

So you may call the current state a 'soft' reset. Do you need a 'hard' one at all? Please discuss.

BTW, administrative approval/blocking of user accounts is a different thing (see #843, #8595).
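As an added illustration of the username/email check from comment:6, the admin button from comment:3 and the soft versus hard reset distinction from comment:8 (example code written for this page, not the plugin's own; the in-memory ACCOUNTS/PENDING store, the function names and the sample accounts are constructed assumptions):

```python
import secrets
import string

# Constructed in-memory account store standing in for the plugin's real one.
ACCOUNTS = {
    "alice": {"email": "alice@example.org", "password": "old-pw-alice"},
    "bob": {"email": "", "password": "old-pw-bob"},
}
PENDING = {}  # username -> temporary password awaiting its first login

def new_temp_password(length=12):
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def reset_insecure(username, email):
    # Bug shape fixed in [10313]: email is never checked, so mail goes anywhere.
    if username not in ACCOUNTS:
        return None
    PENDING[username] = new_temp_password()
    return email, PENDING[username]

def reset_password(username, email, hard=False):
    # Fixed shape: mail only to the stored address. Soft reset keeps the old
    # password until the temp one is used; hard reset invalidates it at once.
    account = ACCOUNTS.get(username)
    if not account or not account["email"]:
        return None
    if account["email"].lower() != email.strip().lower():
        return None
    PENDING[username] = new_temp_password()
    if hard:
        account["password"] = None
    return account["email"], PENDING[username]

def admin_reset(usernames, hard=False):
    # Admin button from comment:3: act on selected accounts with a non-empty email.
    return {u: reset_password(u, ACCOUNTS[u]["email"], hard=hard)
            for u in usernames if u in ACCOUNTS and ACCOUNTS[u]["email"]}

def login(username, password):
    account = ACCOUNTS.get(username)
    if account is None:
        return False
    temp = PENDING.get(username)
    if temp is not None and secrets.compare_digest(temp, password):
        account["password"] = password  # temp becomes the real password on first use
        del PENDING[username]
        return True
    stored = account["password"]
    return stored is not None and secrets.compare_digest(stored, password)
```

Passwords are kept in clear text here purely to keep the flow readable; a real store hashes them.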

comment:9 Changed 3 years ago by hasienda

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [10393]) AccountManagerPlugin: Releasing version 0.3, pushing development to 0.4.

This new feature release finally propagates a number of solutions into an
official release, after some time of testing with trunk, so explicitly
closes #442, #816, #2966, #3989, #4160, #6821, #7111, #8534, #8549, #8663,
#8813, #8892, #8925, #8936 and #8939.

Should have made this months ago, but felt so many pending issues were too
bad for a new release. But it has been a tremendous ticket burndown since
last year, so it's really worth considering an upgrade now.
See fresh changelog for details.

comment:10 Changed 3 years ago by hasienda

(In [10395]) AccountManagerPlugin: Releasing version 0.3, pushing development to 0.4.

This new feature release finally propagates a number of solutions into an
official release, after some time of testing with trunk, so explicitly
closes #442, #816, #2966, #3989, #4160, #6821, #7111, #8534, #8549, #8663,
#8813, #8892, #8925, #8936 and #8939.

Should have made this months ago, but felt so many pending issues were too
bad for a new release. But it has been a tremendous ticket burndown since
last year, so it's really worth considering an upgrade now.
See fresh changelog for details.

comment:11 Changed 20 months ago by hasienda

(In [12441]) AccountManagerPlugin: Propagate errors from AccountModule._reset_password, refs #7111, #8927, #10700 and #10701.

Thanks for the recent, anonymous hint on this issue, that originates from
[10313] (btw, a fix for a much more serious issue).
