Enable admins to reset a user's password from the admin dashboard.
Especially in hosted environments, admins should be able to manually reset user passwords from the web interface.
Add a new "Reset Password" button to a user profile in the admin dashboard. When pressed, generate a password (similarly to what we do on Write.as) and display it nicely to the admin, instructing them to send the new password to the user.
| rWF WriteFreely | |||
| rWF5839c2ac4da3 Merge pull request #192 from writeas/T695-reset-user-pass | |||
| rWFa9b5bb2f6bab Fix reset user's email address display | |||
| rWFd5dd007ff738 Change Reset Password button style | |||
| rWF3e8d1014d9c8 Tweak admin reset confirmation copy | |||
| rWF422c16f39a6c Tweak admin user pass reset success copy | |||
| rWFf673f9b562fa Reset password to sorta-sensical string | |||
| rWF6d4ec0b17db8 Remove extra OwnUserPage field | |||
| rWF6e09fcb9e2a3 Change password reset endpoint to /admin/user/{Username}/passphrase | |||
| Status | Assigned | Task | ||
|---|---|---|---|---|
| Restricted Maniphest Task | ||||
| Resolved | matt | T508 Password resetting | ||
| Resolved | robjloranger | T695 Support manual admin password reset |
Here's some starter code for handling when an admin presses the "Reset Password" button (ideally, put this in admin.go). It either accepts a new password or generates a temporary one.
// import "github.com/writeas/web-core/passgen"
// TODO: update signature
func adminResetPassword(u *User, w http.ResponseWriter, r *http.Request) error {
pass := r.FormValue("pass")
if pass == "" {
// Generate new random password since none supplied
pass = passgen.NewWordish()
}
hashedPass, err := auth.HashPass([]byte(pass))
if err != nil {
return impart.HTTPError{http.StatusInternalServerError, fmt.Sprintf("Could not create password hash: %v", err)}
}
userIDVal := r.FormValue("user")
log.Info("ADMIN: Changing user %s password", userIDVal)
id, err := strconv.Atoi(userIDVal)
if err != nil {
return impart.HTTPError{http.StatusBadRequest, fmt.Sprintf("Invalid user ID: %v", err)}
}
err = app.db.ChangePassphrase(int64(id), true, "", hashedPass)
if err != nil {
return impart.HTTPError{http.StatusInternalServerError, fmt.Sprintf("Could not update passphrase: %v", err)}
}
Info.Printf("ADMIN: Successfully changed.")
// TODO: output the generated password in an HTML page, etc.
}Looks great 👍
I'd say we bring the explanation message into the same box that shows the actual password (the visual differentiation makes it seem like they're unrelated).
And let's just make do a single "Reset Password" button, instead of having the option to choose what it is. That'll keep it simple. And along those lines, we should probably add a Javascript confirmation that they want to reset. Maybe say something like: "Are you sure you want to reset this user's password? This will generate a new temporary password that you'll need to share with them."
