don't send out password for admin created users
Bug #1045123 reported by Hugh Davenport
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Confirmed | Wishlist | Unassigned | |
Bug Description
When an admin creates a user with a set password, it should be assumed that this password is delivered to the user out of band, and it shouldn't be sent in clear text.
If the password field is left blank, we should treat that the same as if we just finished a registration: the user gets a one-time URL to click on, which forces them to set a password.
security vulnerability: | no → yes |
Changed in mahara: | |
milestone: | 1.7.0 → 1.8.0 |
Changed in mahara: | |
milestone: | 1.8rc1 → 1.8.0 |
Changed in mahara: | |
milestone: | 1.8.0 → 1.9.0 |
Changed in mahara: | |
assignee: | nobody → Son Nguyen (ngson2000) |
status: | Triaged → In Progress |
Changed in mahara: | |
milestone: | 1.9.0 → 1.10.0 |
Changed in mahara: | |
milestone: | 1.10.0 → 1.11.0 |
Changed in mahara: | |
milestone: | 15.04.0 → 15.04.1 |
Changed in mahara: | |
milestone: | 15.04.1 → 15.10.0 |
Changed in mahara: | |
milestone: | 15.10.0 → 16.04.0 |
Changed in mahara: | |
status: | In Progress → Confirmed |
importance: | Medium → Wishlist |
assignee: | Son Nguyen (ngson2000) → nobody |
milestone: | 16.04.0 → none |
Hi Hugh;
The password field is required when you create a user. It cannot be blank.
IMHO, we can remove the password field. An email without a password, including a one-time URL, will be sent to the new user's email address, like self-registration.
Users will be forced to change the password when they follow the URL.
Does it sound OK to you?
Cheers,
Son
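
The one-time URL flow discussed in this bug, sketched as an added example in Python; it is not Mahara's code and not part of either post. The `InviteStore` class, the `/setpassword` path, the 24-hour lifetime and the in-memory storage are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL = 24 * 3600  # assumed validity window; the bug report does not specify one


class InviteStore:
    """In-memory stand-in for a table of pending set-password invitations."""

    def __init__(self):
        self._pending = {}  # username -> (sha256 of token, expiry timestamp)

    def create_user(self, username, now=None):
        """Register an account with no usable password; return its one-time token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        # Only the digest is kept, so a leaked table does not yield working links.
        self._pending[username] = (digest, now + TOKEN_TTL)
        return token

    def redeem(self, username, token, now=None):
        """Return True exactly once for a valid, unexpired token."""
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        supplied = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, supplied):  # constant-time comparison
            return False
        # A matching token is consumed even if it has expired, so it cannot be replayed.
        del self._pending[username]
        return now <= expiry


def invitation_email(base_url, username, token):
    """Build the message body: it carries the one-time URL and never a password."""
    query = urlencode({"user": username, "token": token})
    return (f"An account '{username}' has been created for you.\n"
            f"Set your password here: {base_url}/setpassword?{query}\n")
```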