OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License

User account activation #5112

Open MatthijsKrempel opened 4 years ago

MatthijsKrempel commented 4 years ago

We would like to be able to invite users and let them choose their own password.

Currently Orchard Core supports registration and approval or manual entry. We would like to have the option to invite users onto the platform and let them choose their password and then activate the account as currently we have to provide a password for them.

hishamco commented 4 years ago

Good feature for future releases

Skrypt commented 4 years ago

Not sure if I understand the difference between activation and IsEnabled now.

sebastienros commented 4 years ago

I would suggest sending them a reset email link. That ensures they own the account associated with the email.

MatthijsKrempel commented 4 years ago

@sebastienros I wanted to make the distinction between a reset password link and an account activation link. This way you can control user accounts by invite and not by approval.

MatthijsKrempel commented 4 years ago

@Skrypt you can now send an email to notify the user with a reactivation procedure. I will do a demo next week during the podcast.

hishamco commented 4 years ago

What if:

  1. Add invitation button next to each user in the users view

  2. Clicking the button will send an invitation link to the email

  3. Whenever the user clicks the link, it automatically logs on with a temp password

  4. Password dialog to show up to change the current password immediately

@MatthijsKrempel which of these steps are done by your PR?

MatthijsKrempel commented 4 years ago

@hishamco What that would mean is that I invite the user, look him up after I have invited him, then change his roles. The flow I've made seems more natural, add user, assign him roles, send him an email and I am done.

hishamco commented 4 years ago

What happens after the user clicks the invitation email?

MatthijsKrempel commented 4 years ago

If he does not have a password, he has to provide one, then we activate the account.

hishamco commented 4 years ago

Creating any user in the system will require a password, am I right?

Is this similar to what I mentioned in step 4 above?

MatthijsKrempel commented 4 years ago

No, creating a user does not require you to set a password.

That is a separate step, I think this is a good practice. You want to enter users and don't bother with their passwords, the password belongs to the user, not to the admin.

hishamco commented 4 years ago

I'm fine with this, but it would be nice if, when he is directed from the email, a password dialog pops up to enforce entering a password immediately.

MatthijsKrempel commented 4 years ago

He is, that is what the activationUrl is for.

hishamco commented 4 years ago

Looks good

Skrypt commented 4 years ago

Ok so if a user doesn't have a password, his account is deactivated?

Skrypt commented 4 years ago

Ok let me rethink about this. When we create a user account in the admin without setting a password it should automatically send an email to confirm if the email set is valid. Though the process of creating a user doesn't set a password. You need to manually do that after having created the user.

So now at this point, we have a user which has no password and with which we can login without requiring a password and that has no email validated.

But now what you are adding is a second email confirmation for the user to set his password which is in this context the "activation process". So, if we checked the option to validate email on user accounts in the admin options this user will receive 2 different emails to "activate" his account?

Why not just always send an email to confirm that the user has an account created on website X when it's done from the admin and that a password needs to be set? If the user never receives the email then it means that this email is not valid and that the account should remain disabled.

Also, you need to look at the RegistrationController of the User module to adjust what it does when a user registers from the frontend website.

MatthijsKrempel commented 4 years ago

No, that scenario only applies when a user registers himself.



Skrypt commented 4 years ago

Ok so the email confirmation is only sent when a user registers himself. Makes sense. But what makes the user account deactivated while it does not have any password set? Maybe I missed a property that gets affected somewhere in your PR...

MatthijsKrempel commented 4 years ago

I believe you are not able to login when you do not have a password. External logins are stored also in this manner, a local account without a password with an external login. So we should be covered.



Skrypt commented 4 years ago

hmm I think the only reason is because the password field on a login form is required. I will try removing that [required] attribute on the viewmodel and test this.

Skrypt commented 4 years ago

Ok it fails login from the _signInManager.CheckPasswordSignInAsync(user, model.Password, lockoutOnFailure: false); which is perfect. Though you can still change the PasswordValidator to allow for empty passwords. Then it will still require a different method than _signInManager.PasswordSignInAsync() to log in the user. More likely directly _signInManager.SignInAsync().

All good then.
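
The invite flow discussed in this thread (create the user without a password, mail an activation link, let the user set the first password) can be sketched on plain ASP.NET Core Identity as below. This is an added example, not code from Orchard Core or from the PR; the `InvitationService` class and the `"AccountActivation"` purpose string are hypothetical names, and the caller is assumed to enable the account after a successful result.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Hypothetical service: illustrates an activation token that is distinct from a reset token.
public class InvitationService<TUser> where TUser : class
{
    // Purpose string (assumed name) scopes the token so a reset-password token is not accepted here.
    private const string Purpose = "AccountActivation";
    private readonly UserManager<TUser> _userManager;

    public InvitationService(UserManager<TUser> userManager) => _userManager = userManager;

    // Admin side: the user exists without a password; mint the token that goes into the activation URL.
    public async Task<string> CreateActivationTokenAsync(TUser user)
    {
        if (await _userManager.HasPasswordAsync(user))
            throw new InvalidOperationException("User already has a password; nothing to activate.");

        return await _userManager.GenerateUserTokenAsync(user, TokenOptions.DefaultProvider, Purpose);
    }

    // User side: called by the page behind the activation URL.
    public async Task<IdentityResult> ActivateAsync(TUser user, string token, string newPassword)
    {
        // Rejects tokens issued for another user, another purpose, or past their lifespan.
        if (!await _userManager.VerifyUserTokenAsync(user, TokenOptions.DefaultProvider, Purpose, token))
            return Failed("InvalidToken", "Invalid or expired activation token.");

        // An activation link may only set the first password, never replace an existing one.
        if (await _userManager.HasPasswordAsync(user))
            return Failed("AlreadyActivated", "This account already has a password.");

        // AddPasswordAsync runs the configured password validators. It also refreshes the
        // security stamp when the store supports one, so the same link cannot be replayed.
        // On success the caller enables the account (e.g. the IsEnabled flag mentioned above).
        return await _userManager.AddPasswordAsync(user, newPassword);
    }

    private static IdentityResult Failed(string code, string description) =>
        IdentityResult.Failed(new IdentityError { Code = code, Description = description });
}
```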