Add functionallity to User create

We want to add to the “user create” the functionality to send password to the user and auto generate the password like in other web system.
Now you must put a password and that is not a good security practice.

  • add send password by email to validate email
  • auto generate password (admin doesn’t know it)
1 Like

There is a fundamental flaw in sending password by email because it is clear text.
I think the flaw can be mitigated if it is a one-time password that is sent with an expiration date.
Also sending email will be an option only once issue3553 will be implemented because it should be transactional.

I think this should not only limited to the wizard but also to the form. The administrator should be able to reset a password in case the user forgot it.

Indeed I think we could use the session. This mean that the user/password should be checked against the real password but also against the active session.

Also I think the workflow to reset the password will be to remove the current one and just send a session by email. Then when the user login, we have a wizard to set the password if the user has no password.
We could also have on the client side a way to request to reset the password and sent it by email but in this case we should not clear the password because it could become a way to denial the user.

@ced I agree with all your comments: one-time password and the “The administrator should be able to reset a password in case the user forgot it”.
Maybe it will be useful that the user can recovery password without the administrator. Thanks

There is a module of Nantic that maybe is usefull for the development:

Hi Pablo

Make Tryton PAM[1] aware would nice. I wrote a proposal[2] some weeks ago.

Bests !

2.- Message 24736 - Tryton issue tracker

With the customizable login process, the default login process could check if there is a password set for the user and if not request the one send by email. So we don’t need to use a session but just a generated password stored in a separate table which expire quickly.

I have made an implementation of this feature at Issue 7037: Add reset password - Tryton issue tracker

1 Like

Great! we will test it

This topic was automatically closed after 13 days. New replies are no longer allowed.