
Option to require Users to change their password if they are created by an administrator #4340

Closed
2 of 7 tasks
philiplb opened this issue Jun 29, 2018 · 11 comments · Fixed by #4489
Labels
type/feature Completely new functionality. Can only be merged if feature freeze is not active. type/proposal The new feature has not been accepted yet but needs to be discussed first.
Milestone

Comments

@philiplb

  • Gitea version (or commit ref): 1.4.3
  • Git version: 2.18.0
  • Operating system: Ubuntu 14.04 LTS
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist: Not relevant

Description

Hi,
I've disabled the registration of Users and manage them via the administrator interface. On creation, I give them a big, random password and ask them to change it on login. But I can't enforce the password change. I don't want to know their password and I assume they don't want me to know that either. It would be nice to have a checkbox on the account creation "Require Password Change" on login so the user is forced to change his password once he logs in.
This could be added to the edit user page as well so the administrator could force a password rotation if needed.

Screenshots

Not relevant

@mozoarella

I support this suggestion, but as a workaround you could set up the mailer and have Gitea send out a registration e-mail after you create a user.

The registration notification e-mail reads the following by default:

Hi {username}, this is your registration confirmation email for {Instance name}!

You can now login via username: {username}.

https://yourinstanceurl/user/login

If this account has been created for you, please reset your password first. ('Reset your password' has a link to https://yourinstanceurl/user/forgot_password)

© {Instance name}

But I think your suggestion would be a nice addition to Gitea

@daviian daviian added type/feature Completely new functionality. Can only be merged if feature freeze is not active. type/proposal The new feature has not been accepted yet but needs to be discussed first. labels Jul 2, 2018
@adelowo
Member

adelowo commented Jul 15, 2018

I would like to work on this but I have been wondering how to identify users created by an admin. Should I add a new field to the db and *User?

cc @lafriks @JonasFranzDEV

@lafriks
Member

lafriks commented Jul 15, 2018

Yes, a new field would be fine, but name it something like MustChangePassword or similar.
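
As an added illustration of the mechanism being discussed (not code from Gitea or from anyone in this thread), the following Go program models the MustChangePassword flag on the user record together with the enforcement gate that makes it useful: an administrator-created account is flagged, every authenticated request is redirected to the change-password page until the flag is cleared, and the flag is cleared only when a genuinely new credential is stored. The user store, the X-Test-User header standing in for a session lookup, the /user/settings/change_password route and the sample user names are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// User carries the flag the thread settles on: set by the administrator when
// the account is created with a temporary credential, cleared only after the
// user has chosen a password of their own. Hypothetical model, not Gitea's.
type User struct {
	Name               string
	MustChangePassword bool
	passwordHash       string // opaque here; credential hashing is out of scope
}

// userStore is a constructed in-memory stand-in for the users table.
type userStore struct {
	mu    sync.Mutex
	users map[string]*User
}

var (
	ErrUnknownUser  = errors.New("unknown user")
	ErrSamePassword = errors.New("new password must differ from the issued one")
)

// changePasswordPath is an assumed route for the change-password page.
const changePasswordPath = "/user/settings/change_password"

func newStore() *userStore { return &userStore{users: map[string]*User{}} }

// AdminCreateUser is what the proposed "Require Password Change" checkbox
// would drive: requireChange mirrors the checkbox state.
func (s *userStore) AdminCreateUser(name, initialHash string, requireChange bool) *User {
	s.mu.Lock()
	defer s.mu.Unlock()
	u := &User{Name: name, MustChangePassword: requireChange, passwordHash: initialHash}
	s.users[name] = u
	return u
}

// Get returns the user record, or nil when the name is unknown.
func (s *userStore) Get(name string) *User {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.users[name]
}

// ChangePassword stores the new hash and clears the flag. Reusing the
// admin-issued credential is rejected, so the gate cannot be satisfied
// without actually rotating the secret.
func (s *userStore) ChangePassword(name, newHash string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[name]
	if !ok {
		return ErrUnknownUser
	}
	if newHash == u.passwordHash {
		return ErrSamePassword
	}
	u.passwordHash = newHash
	u.MustChangePassword = false
	return nil
}

// RequirePasswordChange wraps every authenticated route: while the flag is
// set, any request other than the change-password page is redirected there.
// The current user comes from a constructed X-Test-User header in place of
// a real session lookup.
func RequirePasswordChange(s *userStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u := s.Get(r.Header.Get("X-Test-User"))
		if u != nil && u.MustChangePassword && r.URL.Path != changePasswordPath {
			http.Redirect(w, r, changePasswordPath, http.StatusSeeOther)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Gate builds the gated handler over a trivial endpoint that answers 200.
func Gate(s *userStore) http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	return RequirePasswordChange(s, ok)
}

// Probe sends one request as the named user and reports status and Location.
func Probe(h http.Handler, user, path string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("X-Test-User", user)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	s := newStore()
	s.AdminCreateUser("alice", "hash-of-admin-issued-secret", true) // constructed sample
	h := Gate(s)
	code, loc := Probe(h, "alice", "/")
	fmt.Println(code, loc) // 303 /user/settings/change_password
	fmt.Println(s.ChangePassword("alice", "hash-of-admin-issued-secret")) // rejected
	fmt.Println(s.ChangePassword("alice", "hash-of-user-chosen-secret"))  // <nil>
	code, loc = Probe(h, "alice", "/")
	fmt.Println(code, loc) // 200
}
```

The redirect is applied at the middleware layer rather than only on the login page so that an API token or an already-open session cannot bypass the rotation; the change-password route itself is the only path left reachable while the flag is set.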

@ghost

ghost commented Jul 15, 2018

If you offer someone admin and ask them to change their password, and they don't, is it possible you don't actually want them administering your software?

Conversely, would it be possible to create accounts and never know the passwords to begin with, such as issuing a TOTP directly via email?

@lafriks
Member

lafriks commented Jul 15, 2018

@JHabdas that is normal practice to need to change password that is issued when creating user, especially in companies

@ghost

ghost commented Jul 15, 2018

Of course. The point I'm raising is that of roles and privileges. What I'm hoping to draw out are questions regarding who knows what and when.

It may be possible admins are being created when, in fact, a superuser is more desirable. But the bane of this issue seems more so to be the fact the OP ever had the user's password to begin with, nuanced as it may be.

@adelowo
Member

adelowo commented Jul 15, 2018

If you offer someone admin and ask them to change their password, and they don't, is it possible you don't actually want them administering your software?

@JHabdas I think permissions cannot be given to an inactive user

@adelowo
Member

adelowo commented Jul 20, 2018

I am currently working on this, would send a PR tomorrow

@mcg1103

mcg1103 commented Jul 30, 2018

A checkbox on the user maint page. Require password change on next login.

@lafriks
Member

lafriks commented Jul 30, 2018

@mcg1103 this can be added as separate PR later when this is merged

@adelowo
Member

adelowo commented Jul 30, 2018

I would work on that and send it as another PR
