Option to require Users to change their password if they are created by an administrator #4340
Comments
I support this suggestion, but as a workaround you could set up the mailer and have Gitea send out a registration e-mail after you create a user. The registration notification e-mail reads the following by default:
But I think your suggestion would be a nice addition to Gitea.
I would like to work on this, but I have been wondering how to identify users created by an admin. Should I add a new field to the db and cc @lafriks @JonasFranzDEV
Yes, a new field would be fine, but name it something like
If you offer someone admin and ask them to change their password, and they don't, is it possible you don't actually want them administering your software? Conversely, would it be possible to create accounts and never know the passwords to begin with, such as issuing a TOTP directly via email?
@JHabdas it is normal practice to need to change the password that is issued when creating a user, especially in companies
Of course. The point I'm raising is that of roles and privileges. What I'm hoping to draw out are questions regarding who knows what and when. It may be possible admins are being created when, in fact, a superuser is more desirable. But the bane of this issue seems more so to be the fact OP ever had the user's password to begin with, nuanced as it may be.
@JHabdas I think permissions cannot be given to an inactive user
I am currently working on this, would send a PR tomorrow
A checkbox on the user maint page. Require password change on next login.
@mcg1103 this can be added as separate PR later when this is merged
I would work on that and send it as another PR
Description
Hi,
I've disabled the registration of Users and manage them via the administrator interface. On creation, I give them a big, random password and ask them to change it on login. But I can't enforce the password change. I don't want to know their password and I assume they don't want me to know that either. It would be nice to have a checkbox on the account creation "Require Password Change" on login so the user is forced to change his password once he logs in.
This could be added to the edit user page as well so the administrator could force a password rotation if needed.
Screenshots
Not relevant
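One way the requested "Require Password Change" flag could be enforced, as an added example that is not Gitea's code and not part of the original issue: the check runs on every request rather than only at login, and the flag is cleared only once a different password has been set. The `User` type, the `MustChangePassword` field name, and both route paths are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// User is a hypothetical record; MustChangePassword is the new field the thread proposes.
type User struct {
	Password           string // stand-in for a salted hash, kept plain for brevity
	MustChangePassword bool
}

// Only these paths (both assumed routes) stay reachable while the flag is set.
const changePath = "/user/settings/change_password"

var allowed = map[string]bool{changePath: true, "/user/logout": true}

// Gate returns the redirect target for a request, or "" to let it through.
func Gate(u *User, path string) string {
	if u != nil && u.MustChangePassword && !allowed[path] {
		return changePath
	}
	return ""
}

// Enforce applies Gate on every request so a flagged session cannot browse around the change.
func Enforce(current func(*http.Request) *User, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if to := Gate(current(r), r.URL.Path); to != "" {
			http.Redirect(w, r, to, http.StatusFound)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ChangePassword clears the flag only after a genuinely new password is set.
func ChangePassword(u *User, newPassword string) error {
	if newPassword == "" || newPassword == u.Password {
		return errors.New("new password must differ from the issued one")
	}
	u.Password, u.MustChangePassword = newPassword, false
	return nil
}

func main() {
	u := &User{Password: "issued-by-admin", MustChangePassword: true} // constructed sample
	fmt.Println(Gate(u, "/alice/repo"), ChangePassword(u, "chosen-by-alice"), Gate(u, "/alice/repo"))
}
```

API and git-over-HTTP endpoints would need the same gate, otherwise the admin-issued password remains usable outside the web UI.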