ONLYOFFICE / CommunityServer

Free open source office suite with business productivity tools: document and project management, CRM, mail aggregator.
http://www.onlyoffice.com
Apache License 2.0
2.75k stars, 621 forks

No method present to alter/update user passwords #418

Open PhilLastLocket opened 2 years ago

PhilLastLocket commented 2 years ago

I have been trawling through the documentation available at https://helpcenter.onlyoffice.com & https://api.onlyoffice.com

The only mention of updating, changing, or resetting a user password is at: https://helpcenter.onlyoffice.com/userguides/groups-gettingstarted-people.aspx The only problem is: the method described in this documentation does not exist. I just stood up ONLYOFFICE Community Server with an ONLYOFFICE Docs backend. There is no apparent way to change a user password, either by the admin or by the account holder. The only place and time you can set a user password is when the admin first creates the user or when the user first creates their own account using their auth token.

The only method of changing a password after it has been initially set is to use what is known in every other project that has ever breathed fresh air as the "Reset password" or "Forgot password" function, which is available to both the admin & the account holder.

This is not a password update/change function.

The only other mention I can find of anything user-account password related is this issue that was opened in 2015 https://github.com/ONLYOFFICE/CommunityServer/issues/29

In that issue user @alexeybannov suggests modifying user passwords using the Api. There is no reference to his method listed in the official Api documentation https://api.onlyoffice.com/portals/method/people/put/api/2.0/people/%7buserid%7d

User @AnaMih commented on the aforementioned issue #29 stating:

> Unfortunately, there is no way to change a password. We'd recommend to do the following:
>
> Enable logging in file: /var/www/onlyoffice/WebStudio/web.log4net.config
>
> ```xml
> <logger name="ASC.Notify.Messages" additivity="false">
>   <appender-ref ref="Notify"/>
>   <level value="ALL"/>
> </logger>
> ```
>
> Close the sending port.
>
> Copy the password changing link from the log file.

These directions seem to be incomplete, as I was not able to get them to generate the appropriate log file. I also don't know what is meant by "Close the sending port." I assume he meant SMTP port 25 or some such, but again, there are no clear instructions.

Is it the ONLYOFFICE dev team's stance that changing passwords is a frivolous technology that should only be facilitated through an entirely separate server (SMTP)? I simply fail to see why such basic functionality is lacking in an otherwise very fleshed out product.

PhilLastLocket commented 2 years ago

I have been digging around for methods to manually change the passwords. It appears that the user info is stored in a table called core_user & the passwords are stored in a separate table called core_usersecurity as hashes (thank god).

core_user is for all the "cleartext" info such as first & last name, email, etc. core_usersecurity seems to be exclusively for storing the password hashes, as the only fields are `tenant`, `userid`, `pwdhash`, `LastModified`. To identify which password hash belongs to which user you simply have to match the "id" field in core_user to the "userid" field listed in core_usersecurity. However, simply inserting a new hash does not successfully change the user password. I am assuming that is because the pwdhash is seeded by the userid or some other obscure data field to "increase security". I assume changing the "id" fields in the core_user table will result in broken file permissions. I will test later.
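The hypothesis above (that `pwdhash` is bound to the user's id, so a hash copied into another row does not verify) can be illustrated with a small model of salted password storage. This is an added example, not ONLYOFFICE code; the salt derivation from `tenant` and `userid`, the PBKDF2 parameters and the user ids are all constructed assumptions for the demo, not the scheme the server actually uses.

```python
# Added illustration (not ONLYOFFICE code): why a pwdhash transplanted between
# rows of a table shaped like core_usersecurity fails to verify when the hash
# is salted with per-row data. Salt = tenant:userid is an ASSUMPTION for the demo.
import hashlib
import hmac

ITERATIONS = 100_000  # constructed work factor for the demo


def derive_salt(tenant: int, userid: str) -> bytes:
    """Assumed per-user salt: binds the stored hash to this row's tenant/userid."""
    return f"{tenant}:{userid}".encode()


def make_pwdhash(tenant: int, userid: str, password: str) -> str:
    """Compute the value that would live in core_usersecurity.pwdhash for this row."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), derive_salt(tenant, userid), ITERATIONS
    )
    return digest.hex()


def verify_password(tenant: int, userid: str, password: str, pwdhash: str) -> bool:
    """Recompute with the row's own salt and compare in constant time."""
    candidate = make_pwdhash(tenant, userid, password)
    return hmac.compare_digest(candidate, pwdhash)


def hash_transplant_verifies() -> bool:
    """Constructed scenario from the comment: copy alice's pwdhash into bob's row,
    then try bob's login with alice's password. Returns True only if the copied
    hash is accepted; with a per-user salt it is not, because bob's salt differs."""
    tenant = 1
    alice_id = "00000000-0000-0000-0000-000000000001"  # constructed ids
    bob_id = "00000000-0000-0000-0000-000000000002"
    alice_hash = make_pwdhash(tenant, alice_id, "correct horse battery")
    bob_row_hash = alice_hash  # the transplant: bob's pwdhash column now holds alice's hash
    return verify_password(tenant, bob_id, "correct horse battery", bob_row_hash)


def reset_pwdhash(tenant: int, userid: str, new_password: str) -> str:
    """What a direct DB reset would have to do under this model: hash the new
    password with the TARGET row's own salt rather than reusing another hash."""
    return make_pwdhash(tenant, userid, new_password)
```

Under this model the same password produces a different `pwdhash` for every `userid`, which is exactly the behaviour that makes copying a hash between rows fail while still allowing a properly salted hash to be written for the target user.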

andreysavihin commented 2 years ago

Hi @PhilLastLocket !

Password can be changed on a separate page.

The password change link is sent to users at the specified email address.

User email must be activated!

There are several ways for account owner to send a link to themselves: 1) on the authorization page using the Forgot your password option; 2) on the profile page – either using the corresponding option in the actions menu or clicking the pencil icon next to the current password.

Account owner can also reset the password on the profile page using the Active connections option (Active connections -> Log out from all active connections -> Log out and Change Password). This option will immediately redirect you to the password change page without sending an email.

Administrator of the People module can send instructions to the user at the registered email or set a new email in case of losing access to it.

PhilLastLocket commented 2 years ago

Hi @andreysavihin !

Thank you for taking the time to reply. Please read the issue fully before commenting.

I am aware of the password reset function.

  1. This is not usable for anyone without access to an SMTP server on their network.
  2. This is uniquely complicated for a custodial function. Why is basic functionality missing from user management?

I am aware ONLYOFFICE has an SMTP server available for public use. This does not solve the problem; rather, this creates more problems:

  1. Requires access to the internet/ONLYOFFICE's services.
  2. Requires trusting a 3rd party service for basic custodian functions.
  3. Even if the 3rd party service is trusted, why should the user be sending auth tokens to a 3rd party? Every time the admin needs to update his password, he has to give a 3rd party mail server an auth token to the admin account of the server.

I assume/hope the auth tokens are properly deactivated after first use. That doesn't excuse the needless attack vector.