getgrav / grav-plugin-login

Grav Login Plugin
http://getgrav.org
MIT License

resetting user password #167

Closed finanalyst closed 5 years ago

finanalyst commented 6 years ago

I'm having a problem resetting a user's password.

When I create a new user and set a password using the CLI, and then log in with the new user, everything runs well.

If I create a new user with the admin-addon-user-manager but make an error in the password (user-admin plugin does not have an option to see the password, and does not require confirmation of the password), I cannot find a way to change the password.

I have tried to change the password using bin/plugin login passwd, but this fails. I have tried to clear the browser history, and the whole cache, but this fails.

What do I need to do to change a user's password? Either using CLI or the admin user manager addon?

mahagr commented 6 years ago

How does the CLI command fail?

finanalyst commented 6 years ago

By 'fails' I meant the same behaviour as in the admin-addon-user-manager. So I changed the password with the CLI, then I tried to log in to the user with the new password and got a login failure.

However!

After creating a completely new user, I have discovered the following:

Admittedly, having written this out, I can see that what I was doing was not a correct interpretation of the login logic.

site.login.false prevents a login altogether. A user can log in without site.login being defined, so site.login.true is equivalent to site.login not being set. There doesn't seem to be anything in the documentation about this.

The description of site.login occurs in relation to access in pages. So I thought I could create a special user that could be allowed access to only one 'registration' page, to which all other visitors could be excluded. Any registered user, but not the special user, could access other private pages.

The use case is to be able to have a page that selected users could be given access to because they would have the special user name and password. On this page they could register with a Login form, and associate themselves with data that had already been collected in another web site. Having registered, they can then use the data in other pages.

My workaround is to have two groups, a special one that grants site.special.true and a pre-registration group that grants site.register.true. All defined users have site.login.true.