
Support manual admin password reset
Closed, Resolved (Public)

Description

Overview

Enable admins to reset a user's password from the admin dashboard.

Background

Especially in hosted environments, admins should be able to manually reset user passwords from the web interface.

Implementation

Add a new "Reset Password" button to a user profile in the admin dashboard. When pressed, generate a password (similarly to what we do on Write.as) and display it nicely to the admin, instructing them to send the new password to the user.

Related Objects

Status    Assigned      Task
Open      matt
Resolved  robjloranger

Event Timeline

matt created this task. Sep 10 2019, 10:07 PM
matt moved this task from Far Future to Next Release on the WriteFreely board.
matt triaged this task as High priority.
matt reassigned this task from matt to robjloranger. Oct 2 2019, 6:04 PM

Here's some starter code for handling when an admin presses the "Reset Password" button (ideally, put this in admin.go). It either accepts a new password or generates a temporary one.

// import "github.com/writeas/web-core/passgen"

// TODO: update signature (app is not in scope here yet; the new signature must supply it)
func adminResetPassword(u *User, w http.ResponseWriter, r *http.Request) error {
    pass := r.FormValue("pass")
    if pass == "" {
        // Generate new random password since none supplied
        pass = passgen.NewWordish()
    }
    // Only the hash is stored; the plaintext is shown once to the admin
    hashedPass, err := auth.HashPass([]byte(pass))
    if err != nil {
        return impart.HTTPError{http.StatusInternalServerError, fmt.Sprintf("Could not create password hash: %v", err)}
    }

    userIDVal := r.FormValue("user")
    id, err := strconv.Atoi(userIDVal)
    if err != nil {
        return impart.HTTPError{http.StatusBadRequest, fmt.Sprintf("Invalid user ID: %v", err)}
    }
    // Log the parsed ID rather than the raw form value
    log.Info("ADMIN: Changing user %d password", id)

    err = app.db.ChangePassphrase(int64(id), true, "", hashedPass)
    if err != nil {
        return impart.HTTPError{http.StatusInternalServerError, fmt.Sprintf("Could not update passphrase: %v", err)}
    }
    log.Info("ADMIN: Successfully changed.")

    // TODO: output the generated password in an HTML page, etc.
    return nil
}
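
The following added example, which is not WriteFreely's code and not part of this thread, shows the reset flow discussed above using only the Go standard library: a POST-only handler generates a temporary password with crypto/rand and returns it with caching disabled. `tempAlphabet`, `newTempPassword`, `resetHandler` and the `store` callback (standing in for `auth.HashPass` plus `ChangePassphrase`) are hypothetical names, and admin authentication and CSRF protection are assumed to be enforced by middleware in front of the handler.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"net/http"
	"strconv"
)

// Alphanumeric (HTML-safe) and free of look-alikes such as 0/O and 1/l/I.
const tempAlphabet = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"

// newTempPassword draws n characters uniformly from tempAlphabet via crypto/rand.
func newTempPassword(n int) (string, error) {
	out := make([]byte, n)
	limit := big.NewInt(int64(len(tempAlphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = tempAlphabet[idx.Int64()]
	}
	return string(out), nil
}

// resetHandler is hypothetical; store stands in for hashing plus the DB update.
func resetHandler(store func(id int64, pass string) error) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost { // a reset changes state: never on GET
			http.Error(w, "POST required", http.StatusMethodNotAllowed)
			return
		}
		id, err := strconv.ParseInt(r.FormValue("user"), 10, 64)
		if err != nil || id <= 0 { // reject bad IDs before touching any account
			http.Error(w, "invalid user ID", http.StatusBadRequest)
			return
		}
		pass, err := newTempPassword(16)
		if err != nil || store(id, pass) != nil {
			http.Error(w, "could not reset password", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Cache-Control", "no-store") // keep the secret out of caches
		fmt.Fprintf(w, "<p>Temporary password for user %d: <code>%s</code></p>", id, pass)
	}
}

func main() { fmt.Println(newTempPassword(16)) }
```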

The current UI status, showing the success message after submission.

matt added a comment. Oct 3 2019, 7:10 PM

Looks great 👍

I'd say we bring the explanation message into the same box that shows the actual password (the visual differentiation makes it seem like they're unrelated).

And let's just do a single "Reset Password" button, instead of having the option to choose what it is. That'll keep it simple. And along those lines, we should probably add a JavaScript confirmation that they want to reset. Maybe say something like: "Are you sure you want to reset this user's password? This will generate a new temporary password that you'll need to share with them."

ok, how about this:

I was trying it with the text centered but it looks a bit weird.

matt added a comment. Oct 3 2019, 8:38 PM

Yep, looks good

matt moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Mon, Oct 28, 11:20 PM