Open Zeitsperre opened 1 month ago
fmigneault
commented
1 month ago Ideally, this feature would be used instead: https://pavics-magpie.readthedocs.io/en/latest/authentication.html#user-registration
This way, there is no need for the user to change password at all, and there's no need for the admin to generate any temporary user account/password.
tlvu
commented
1 month ago no need for the admin to generate any temporary user account/password.
@fmigneault This would work if we allow everybody to create an account. But the reality is we do not accept all applications for account so by generating the first password ourselves, we can control who we allow to connect to the server.
With our non stop growing user base, some users start to forget their password or want to change their password. That's the reason behind @Zeitsperre request. Once we allow a user on our server, we would prefer the user to be completely autonomous with respect to managing their password.
fmigneault
commented
3 weeks ago There is an option (MAGPIE_USER_REGISTRATION_APPROVAL_ENABLED) to have an intermediate admin approval step. Users will not have an account unless that step is approved by the admin. I assume enabling this feature would essentially become the same has the kind of emails you must already receive from users to create new accounts.
As for the second point, part of the user registration workflow could be reused to send an email to the user upon a "reset password" button press (to be implemented). Once logged in with the temporary auto-generated password sent by email, users could themselves change it on their profile (already possible).
Is your feature request related to a problem? Please describe. When new accounts are created, the creator (admin) is responsible for creating passwords for accounts. We can use advanced password generators, but we can retain these passwords if we wish to.
When users then log in, there's no pressure for them to change the password that we've generated for them, so the admin more than likely has workspace access if the user doesn't change it. This is also true for password rests requests.
Describe the solution you'd like A "first-login" mode that forces users to change their passwords would be a welcome addition. This could also be triggered via a toggle on the account management page.
Describe alternatives you've considered Alternatively, having Magpie send out an anonymized password on account creation would be a welcome addition. Having a case-sensitive email-based password reset would be helpful as well.