Closed btbonval closed 9 years ago
This should actually be fairly simple to implement. While trying to reset a password by hand, I found that a user's hashed password and salt may be changed using the password attribute. The reset_key attribute allows the user to reset his or her password by typing in the generated key; this should probably be done using the pre-existing functions.
For a quick preview, it might look like this:
# A nil current_user must also be rejected: with `nil && ...` the original
# condition evaluated to nil and fell through to the else branch.
unless current_user && %w[moderator admin].include?(current_user.role)
  flash[:error] = 'YOU SHALL NOT PASS!'
else
  user = User.find_by_whatever(something distinct)  # look the user up by a unique attribute
  user.password = random_generator()  # new random password; the admin never sees it
  user.reset_key = key_generator()    # key the user types in to choose a new password
  user.save!
  email_key_to_user()
end
I can't test this personally due to #166
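As an added example (not the project's code), here is how that forced reset could look in plain Ruby, using a stand-in User struct whose field names are assumptions: the caller's role is checked, the replacement password is random and never returned to the admin, and only a single-use, expiring reset key is handed back for emailing.

```ruby
require 'securerandom'
require 'openssl'

# Constructed stand-in for the app's User record; field names are assumptions.
User = Struct.new(:email, :role, :salt, :password_hash, :reset_key, :reset_expires_at,
                  keyword_init: true)

class NotAuthorized < StandardError; end

# PBKDF2-HMAC-SHA256 from Ruby's bundled OpenSSL; the iteration count is illustrative.
def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32,
                             OpenSSL::Digest.new('SHA256')).unpack1('H*')
end

# Compare two strings without leaking where they differ through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Admin-forced reset: overwrite the password with random bytes that are never
# returned, issue a one-hour reset key, and hand back only that key for emailing.
def force_password_reset(actor, user, now: Time.now)
  raise NotAuthorized, 'YOU SHALL NOT PASS!' unless actor && %w[moderator admin].include?(actor.role)
  user.salt = SecureRandom.hex(16)
  user.password_hash = hash_password(SecureRandom.base64(32), user.salt) # plaintext discarded
  user.reset_key = SecureRandom.urlsafe_base64(32)
  user.reset_expires_at = now + 3600
  user.reset_key
end

# The user redeems the emailed key to choose a new password; the key is single-use.
def redeem_reset_key(user, key, new_password, now: Time.now)
  return false unless user.reset_key && user.reset_expires_at && now < user.reset_expires_at
  return false unless constant_time_equal?(key, user.reset_key)
  user.salt = SecureRandom.hex(16)
  user.password_hash = hash_password(new_password, user.salt)
  user.reset_key = nil
  user.reset_expires_at = nil
  true
end

def password_matches?(user, password)
  constant_time_equal?(hash_password(password, user.salt), user.password_hash)
end
```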
It turns out no accounts were (as yet) compromised. This ticket is still useful should an account be compromised at a later date, but there is less urgency.
It'd be nice to have a feature for admins which allows them to forcibly change a user's password to some kind of internally generated nonsense, which is emailed to the user. The admin need never see the generated password.
If an account is compromised, this would be a simple fix so long as the user's email address is a trusted out-of-band communication channel.