Support manual admin password reset
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	matt
	Sep 10 2019, 10:07 PM

Description

Overview

Enable admins to reset a user's password from the admin dashboard.

Background

Especially in hosted environments, admins should be able to manually reset user passwords from the web interface.

Implementation

Add a new "Reset Password" button to a user profile in the admin dashboard. When pressed, generate a password (similarly to what we do on Write.as) and display it nicely to the admin, instructing them to send the new password to the user.

Revisions and Commits

rWF WriteFreely
	rWF5839c2ac4da3 Merge pull request #192 from writeas/T695-reset-user-pass
	rWFa9b5bb2f6bab Fix reset user's email address display
	rWFd5dd007ff738 Change Reset Password button style
	rWF3e8d1014d9c8 Tweak admin reset confirmation copy
	rWF422c16f39a6c Tweak admin user pass reset success copy
	rWFf673f9b562fa Reset password to sorta-sensical string
	rWF6d4ec0b17db8 Remove extra OwnUserPage field
	rWF6e09fcb9e2a3 Change password reset endpoint to /admin/user/{Username}/passphrase

Related Objects
Search...

Status	Assigned	Task
		Restricted Maniphest Task
Resolved	matt	T508 Password resetting
Resolved	robjloranger	T695 Support manual admin password reset

Event Timeline

matt triaged this task as High priority.Sep 10 2019, 10:07 PM

matt created this task.

matt moved this task from Backlog to Next Release on the WriteFreely board.

Here's some starter code for handling when an admin presses the "Reset Password" button (ideally, put this in admin.go). It either accepts a new password or generates a temporary one.

// import "github.com/writeas/web-core/passgen"

// TODO: update signature
func adminResetPassword(u *User, w http.ResponseWriter, r *http.Request) error {
    pass := r.FormValue("pass")
    if pass == "" { 
        // Generate new random password since none supplied
        pass = passgen.NewWordish()
    }    
    hashedPass, err := auth.HashPass([]byte(pass))
    if err != nil {
        return impart.HTTPError{http.StatusInternalServerError, fmt.Sprintf("Could not create password hash: %v", err)}
    }    

    userIDVal := r.FormValue("user")
    log.Info("ADMIN: Changing user %s password", userIDVal)
    id, err := strconv.Atoi(userIDVal)
    if err != nil {
        return impart.HTTPError{http.StatusBadRequest, fmt.Sprintf("Invalid user ID: %v", err)}
    }    

    err = app.db.ChangePassphrase(int64(id), true, "", hashedPass)
    if err != nil {
        return impart.HTTPError{http.StatusInternalServerError, fmt.Sprintf("Could not update passphrase: %v", err)}
    }    
    Info.Printf("ADMIN: Successfully changed.")

    // TODO: output the generated password in an HTML page, etc.
}

The current UI status, showing the success message after submission.

Looks great 👍

I'd say we bring the explanation message into the same box that shows the actual password (the visual differentiation makes it seem like they're unrelated).

And let's just make do a single "Reset Password" button, instead of having the option to choose what it is. That'll keep it simple. And along those lines, we should probably add a Javascript confirmation that they want to reset. Maybe say something like: "Are you sure you want to reset this user's password? This will generate a new temporary password that you'll need to share with them."

ok, how about this: