MODX 3: Users - Password notification method missing. Bug or by design?
Summary
There is a large gap where the Password notification method used to be. Also, the Password notification method is missing from a user's profile - is this a bug or by design?
When "Let MODX generate a password" or "Let me specify the password" is selected on save, the password is presented on screen - no email is sent.

Steps to reproduce
- Edit a user's profile
- Go to the new password area
- Try to specify a password and email the user
Observed behavior
Password notification method missing
Expected behavior
To show Password notification method options

Environment
MODX3 Alpha v 3.0.0-dev From https://github.com/Sterc/modx3builds/raw/master/latest/modx3-alpha-regular.zip Chrome Version 67.0.3396.99
I believe that to be by design; doesn't it send the user an email to change their pass always now? Maybe the text needs updating.
I thought that also @Mark-H. But I didn't receive the email when I selected "Let MODX generate a password" and hit save. Plus there is a gap in the design where the password notifications used to be.
There are a lot of times I don't want an email to be sent when a (new) password is made for a user. I really don't hope this will be the default behaviour.
I may be wrong and mixing up the manager reset password feature and changing the password from the back-end. Stuff happened in that department, but I don't immediately have it clear what did and didn't change, so this issue would warrant double checking at the least.
Actually, we should consider removing the option for sending the password over email. It is very insecure and considered a terrible practice.

How about adding a 3rd option "Let the user choose their own password via email", which would work like the forgotten password tool on the manager login page (it sends them a hashed link that takes them to the login screen to reset their password)
That way, we have the same functionality but it is more secure (no plain text passwords over email)?
Or was the plan for new users to just reset their password on the login manager page?
I do not know if there are any plans about what to do next really. But a reset password link with a token that expires is a much better approach than sending the actual password in clear text.
There should always be a possibility to view the generated link. Certainly for situations where it's not possible to send an e-mail (new install without the e-mail settings being configured).
@JoshuaLuckers Nice idea!
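The expiring reset link suggested above, written in plain PHP as an added example; it is not MODX code and does not come from any participant in this thread. The class name, the in-memory array standing in for a database table, the 15-minute lifetime, the user id and the example.test URL are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical store for one-time password-reset tokens (not a MODX class).
final class ResetTokenStore
{
    /** @var array<string, array{user: int, expires: int}> rows keyed by SHA-256 of the token */
    private array $rows = [];
    private int $ttl;

    public function __construct(int $ttlSeconds)
    {
        $this->ttl = $ttlSeconds;
    }

    // Issue a link for the user. Only the token's hash is kept, so a leaked
    // table does not hand out usable links. The caller can e-mail the link or
    // show it to the administrator when mail is not configured.
    public function issue(int $userId, string $baseUrl, int $now): string
    {
        // A new request invalidates any token still outstanding for this user.
        $this->rows = array_filter($this->rows, fn(array $r): bool => $r['user'] !== $userId);
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $this->rows[hash('sha256', $token)] = ['user' => $userId, 'expires' => $now + $this->ttl];
        return $baseUrl . '?token=' . $token;
    }

    // Return the user id for a valid token, or null. Any presented token that
    // matches a row is consumed, so a link works once and expired rows are dropped.
    public function redeem(string $token, int $now): ?int
    {
        $key = hash('sha256', $token);
        $row = $this->rows[$key] ?? null;
        if ($row === null) {
            return null;
        }
        unset($this->rows[$key]);
        return $now <= $row['expires'] ? $row['user'] : null;
    }
}

// Constructed sample run: user 42, 15-minute lifetime, placeholder URL.
$store = new ResetTokenStore(900);
$now = time();
$link = $store->issue(42, 'https://example.test/manager/reset', $now);
echo "Send or display this link: $link\n";
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);
var_dump($store->redeem($query['token'], $now + 60)); // first use, inside the lifetime
var_dump($store->redeem($query['token'], $now + 61)); // replay of the same link
```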
In #12162 @rtripault said:
@electrickite if you bridge Revo to a third party authentication system, I would say you should not have to manually create the modUser. Your bridge should take care of that on first logging attempt (but I might be missing some use case ^^)
In some cases, the external authentication system does not handle authorization. A user account is "pre-created" in MODX and given appropriate permissions. The external provider then matches the authenticated user to a MODX account.
I use "show on screen" ALL THE TIME! Please do not remove it. What is the problem with this when I'm sitting here all by myself? In a crowded public place, maybe you don't want to show the password on screen, so just add a third option to neither email nor show on screen.
Some of my clients are very tech un-savvy, so I set up passwords, then call them and give them the password (or email the password by itself with nothing else at all in the email, so that no one intercepting it could have any clue what it's for). I don't want to have to require clients to use a password reset at the outset. Also, at times (for these tech-unsavvy people), I need to have a record of their password so that if anything goes wrong I can log in as them to troubleshoot a problem.
I do not think removing the show on screen option has been brought up here?
This issue is about the "show on screen option" not being there in 3.x.
Oh, I am so sorry. The discussion derailed a bit in the later comments. Then I agree, the show on screen should be added back, despite the fact that this approach is horrible from a security standpoint.
@rainbowtiger One concern is network security, as the password now is sent both to and from the server in clear text.
@OptimusCrime SSL encrypted these days.
Yes, I make sure all my sites use SSL only.
What's the current thinking on this? In MODX 3 now, there is just "show the new password on the screen" as an option, with no way to turn it off or select something else. If the plan is to only show it on the screen, why do we need this at all?

Please note #15461 proposed some additions but requested changes were never made, so that's not been merged.
@SnowCreative We had to return the radio option; without it there was a bug and the password was not shown on the screen, see https://github.com/modxcms/revolution/pull/15629