Option to require Users to change their password if they are created by an administrator

[philiplb]

• Gitea version (or commit ref): 1.4.3
• Git version: 2.18.0
• Operating system: Ubuntu 14.04 LTS
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist: Not relevant

Description

Hi,
I've disabled the registration of Users and manage them via the administrator interface. On creation, I give them a big, random password and ask them to change it on login. But I can't enforce the password change. I don't want to know their password and I assume they don't want me to know that either. It would be nice to have a checkbox on the account creation "Require Password Change" on login so the user is forced to change his password once he logs in.
This could be added to the edit user page as well so the administrator could force a password rotation if needed.

Screenshots

Not relevant

[mozoarella]

I support this suggestion, but as a workaround you could set up the mailer and have Gitea send out a registration e-mail after you create a user.

The registration notification e-mail reads the following by default:

Hi {username}, this is your registration confirmation email for {Instance name}!

You can now login via username: {username}.

https://yourinstanceurl/user/login

If this account has been created for you, please reset your password first. ('Reset your password' has a link to https://yourinstanceurl/user/forgot_password)

© {Instance name}

But I think your suggestion would be a nice addition to Gitea

[adelowo]

I would like to work on this but I have been wondering how to identify users created by an admin.. Should I add a new field to the db and *User ?

cc @lafriks @JonasFranzDEV

[lafriks]

Yes new field would be fine but name it something like MustChangePassword or something like

If you offer someone admin and ask them to change their password, and they don't, is it possible you dont actually want them administering your software?

Conversely, would it be possible to create accounts and never know the passwords to begin with, such as issuing a TOTP directly via email?

[lafriks]

@JHabdas that is normal practice to need to change password that is issued when creating user, especially in companies

Of course. The point I'm raising is that of roles and privileges. What I'm hoping to draw out are questions regarding who knows what and when.

It may be possible admins are being created when, in fact, a superuser is more desirable. But the bane of this issue seems moreso to be the fact OP ever had the users password to begin with, nuanced as it may be.

[adelowo]

If you offer someone admin and ask them to change their password, and they don't, is it possible you dont actually want them administering your software?

@JHabdas I think permissions cannot be given to an inactive user

[adelowo]

I am currently working on this, would send a PR tomorrow

[mcg1103]

A checkbox on the user maint page. Require password change on next login.

[lafriks]

@mcg1103 this can be added as separate PR later when this is merged

[adelowo]

I would work on that and send it as another PR