don't send out password for admin created users

Bug #1045123 reported by Hugh Davenport on 2012-09-02
This bug affects 2 people
Affects Status Importance Assigned to Milestone

Bug Description

When an admin creates a user with a set password. It should be assumed that this password is delivered to the user out of band, and shouldn't be sent in clear text.
If the password field is left blank, we should treat that the same as if we just finished a registration, the user gets a one time URL to click on which forces them to set a password.

security vulnerability: no → yes
Aaron Wells (u-aaronw) on 2013-04-19
Changed in mahara:
milestone: 1.7.0 → 1.8.0
Aaron Wells (u-aaronw) on 2013-09-30
Changed in mahara:
milestone: 1.8rc1 → 1.8.0
Aaron Wells (u-aaronw) on 2013-10-01
Changed in mahara:
milestone: 1.8.0 → 1.9.0
Son Nguyen (ngson2000) wrote :

Hi Hugh;

The password field is required when you create a user. It can not be blank.

IMHO, we can remove the password field. An email without password including a one time URL will be sent to the new user's email address like self-registration.
Users will force to change the password when follow the URL.

Does it sound OK for you?


Aaron Wells (u-aaronw) wrote :

The one problem with that is during development work, when I want to be able to create new users and use them without having to check my email (maybe I've even got $cfg->noemail = true;). Would that use-case still be possible?


Aaron Wells (u-aaronw) wrote :

Another scenario when the password field has come in handy for me, was during a support call by a client doing Mahara training. Her students were supposed to have registered their Mahara accounts prior to the class, but there were a couple who hadn't, and so I needed to create accounts for them and give them their login info over the phone, because the class was in progress and it was essential to get it done fast without having to wait to check emails.

So I think we should leave the password field as an option, but have it be disabled by default. Like, have a checkbox that says "manually assign password?" (unticked by default) and when it is unticked the password field is grayed out. That will encourage admins to use the email confirmation process instead, while still leaving the manual password process as an option when needed.


Aaron Wells (u-aaronw) wrote :

Hugh has pointed out via IRC that for a dev or admin who wants to manually assign a password, you could do this:

1. Use the "Add User" page to add a user.

2. The next page load takes you to their Account Settings page, and you can manually set their password there.

So maybe eliminating the password field altogether is a good idea after all. :)

We need to keep in mind bulk user creation. Currently, you create accounts and can email the password to the users, but at the same time force them to change it. Isn't that pretty much like a link you click to change your password?

Son Nguyen (ngson2000) wrote :

Hi Kristina;

Yes, it is. In the email sent to users, there is a link to change the password instead of the preset password in plain text.

Son Nguyen (ngson2000) on 2014-03-23
Changed in mahara:
assignee: nobody → Son Nguyen (ngson2000)
status: Triaged → In Progress

Son, can you please provide some testing instructions as this is quite a lot of functionality that you changed?

Son Nguyen (ngson2000) wrote :

Test case 1: Admin manually can add a new user via Administration/Users/Add user
1. Admin adds user's info without default password.
2. An account with no password will be created.
3. An email notification without password but a reset password link will be sent to user's email address.
Note: the admin can manually change the new account password in the next screen or click to username link.

Test case 2: Admin can add new users via Administration/Users/Add users by CSV
1. Admin uploads a CSV file to create user accounts. A row in the file may NOT include password field.
2. For each new user,
 - An account with password(optional) will be created.
 - An email notification without password but a set password link will be sent to user's email address.

Test case 3: Admin can add new users via admin/users/bulkimport.php
1. Admin uploads a CSV file and zip files to create user accounts. The password field in the leap2a file is not required.
2. For each new user,
 - An account with password(optional) will be created.
 - An email notification without password but a set password link will be sent to user's email address.

Aaron Wells (u-aaronw) on 2014-04-15
Changed in mahara:
milestone: 1.9.0 → 1.10.0
Changed in mahara:
milestone: 1.10.0 → 1.11.0
Aaron Wells (u-aaronw) wrote :

We should include these options (inspired by what Moodle has):

1. Checkbox (ticked by default): "Send one-time login link to user" If this is ticked, it greys out the other options.

2. Text box: "Password"

3. Checkbox (ticked by default): "Force password change"

If you tick box #1, it should send you an email with a link that lets you reset your password and log in, the same as the forgotten password page, forgotpass.php. But it should have text welcoming you to the site, rather than text about how you've forgotten your password. And it should lead to a new page, because it would be confusing if the URL in the welcome email was "forgotpass.php".

+1 for Aaron's options

Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
milestone: 15.04.0 → 15.04.1
Aaron Wells (u-aaronw) on 2015-04-21
Changed in mahara:
milestone: 15.04.1 → 15.10.0
Aaron Wells (u-aaronw) on 2015-10-23
Changed in mahara:
milestone: 15.10.0 → 16.04.0
Changed in mahara:
status: In Progress → Confirmed
importance: Medium → Wishlist
assignee: Son Nguyen (ngson2000) → nobody
milestone: 16.04.0 → none
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers