Support manual admin password reset
Closed, ResolvedPublic



Enable admins to reset a user's password from the admin dashboard.


Especially in hosted environments, admins should be able to manually reset user passwords from the web interface.


Add a new "Reset Password" button to a user profile in the admin dashboard. When pressed, generate a password (similarly to what we do on and display it nicely to the admin, instructing them to send the new password to the user.

Related Objects


Event Timeline

matt triaged this task as High priority.Sep 10 2019, 10:07 PM
matt created this task.
matt moved this task from Backlog to Next Release on the WriteFreely board.

Here's some starter code for handling when an admin presses the "Reset Password" button (ideally, put this in admin.go). It either accepts a new password or generates a temporary one.

// import ""

// TODO: update signature
func adminResetPassword(u *User, w http.ResponseWriter, r *http.Request) error {
    pass := r.FormValue("pass")
    if pass == "" { 
        // Generate new random password since none supplied
        pass = passgen.NewWordish()
    hashedPass, err := auth.HashPass([]byte(pass))
    if err != nil {
        return impart.HTTPError{http.StatusInternalServerError, fmt.Sprintf("Could not create password hash: %v", err)}

    userIDVal := r.FormValue("user")
    log.Info("ADMIN: Changing user %s password", userIDVal)
    id, err := strconv.Atoi(userIDVal)
    if err != nil {
        return impart.HTTPError{http.StatusBadRequest, fmt.Sprintf("Invalid user ID: %v", err)}

    err = app.db.ChangePassphrase(int64(id), true, "", hashedPass)
    if err != nil {
        return impart.HTTPError{http.StatusInternalServerError, fmt.Sprintf("Could not update passphrase: %v", err)}
    Info.Printf("ADMIN: Successfully changed.")

    // TODO: output the generated password in an HTML page, etc.

The current UI status, showing the success message after submission.

Looks great 👍

I'd say we bring the explanation message into the same box that shows the actual password (the visual differentiation makes it seem like they're unrelated).

And let's just make do a single "Reset Password" button, instead of having the option to choose what it is. That'll keep it simple. And along those lines, we should probably add a Javascript confirmation that they want to reset. Maybe say something like: "Are you sure you want to reset this user's password? This will generate a new temporary password that you'll need to share with them."

ok, how about this:

I was trying it with the text centered but it looks a bit weird.

matt moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Oct 28 2019, 11:20 PM