Cms: Allow users with permissions to administrate users to manually activate users

Created on 31 Jan 2017 · 18 Comments · Source: craftcms/cms

Created by: Dylan Jones ([email protected]) on 2015/04/10 15:45:41 +0000
Votes at time of UserVoice import: 8


The option to either "Copy activation URL" and "Activate account" are not available for non-admins who have been granted permissions to administrate users.

I don't know whether this is by design or it is a bug but it has caused some confusion.

My client needs the ability to be able to manually activate accounts so in order to enable her to do this the only option I have is to give her full admin access to the control panel, which is not ideal.

user management

All 18 comments

> Posted by Fletcher Bugg ([email protected]) on 2015/03/13 22:58:12 +0000

We also have the same situation where a client manages and approves their member base. I've had to make them a full admin so they can activate users. (Sending verification emails is not required as they manually approve each membership request.)

> Posted by MattP ([email protected]) on 2016/01/11 18:32:18 +0000

Thanks for considering this, Brendan.

I completely appreciate that there's a level of risk - wouldn't a simple checkbox under Users > Administrate Users, e.g. "Manually activate User accounts", allow a client-user to add staff, for example, without having to call their agency?

> Posted by Chris Southam ([email protected]) on 2015/09/23 12:44:32 +0000

Have to say I've come across this on a new project recently.
To go back to a client who requires this functionality and say it's not possible at all, in a CMS as flexible as Craft has become an issue.
Personally, I feel that if a CMS user has the ability to Create, Edit and Delete users then the ability to set their passwords and log into their accounts on their behalf - especially if they have the ability to administer those accounts.
If it's a permissions check and set as within ACL then I can't think of an issue.

> Posted by Visiluna ([email protected]) on 2015/06/16 22:04:13 +0000

Wow. This is actually almost a showstopper for me on a project that's almost finished (my first Craft project).

Here's my use case:

I'm a developer building a site for a client organization (non-profit). The client wants members ("Members" user group), but not the general public to be able to add calendar events to an "Events" channel.

In order to do this, new users ("Members") need to be created by an admin ("Member Admin" user group). A "Member Admin" is usually just a volunteer in the membership department of the organization and, as such, should ONLY have the ability to create new users in the "Member" user group.

I've already figured out that I can't restrict a "Member Admin" user to creating users within a specific group (see my related Feature Request), but I'll try to work around that in training for now.

But a Member Admin will most definitely need to be able to activate the new members they create. I know they have the ability to send the activation email, but they really need the ability to just create active users, or activate pending users, without generating an email.

Now I get to figure out how to explain that one to the client.

> Posted by Brandon Kelly ([email protected]) on 2015/03/06 03:54:45 +0000

This is by design; we want to err on the side of caution when it comes to which user administration functions non-admins should be allowed to do. Open to hearing what others have to say, though.

Please. I can understand Brandon's view with regards to erring on the side of caution, but if the alternative is that we have to give clients full admin access, then the decision is actually making things worse.

Can it be made a permissions option that's not selected automatically when hitting 'Select All' for users?

@cliveportman We’re definitely not going to add it to Craft 2 at this point, but a plugin could add it as an option using the addUserAdministrationOptions hook.

Just noticed this at the end of a very large project which relies on this to activate new members. Major bummer! I understand the security risks, but wouldn't it seem likely that a client needs to be able to decide who gets access to his website's walled off content?

I've thrown together a plugin to handle exactly this: https://github.com/billythekid/activateusers

I’d like to add our voice to this as well please. An option to enable this for a specific member group would be really useful.

Going beyond this, accepting the security argument, an extra option for ‘login as member’ would also be helpful for one of our use cases, but I appreciate the extra concerns this might add.

+1 For this. 3 projects recently where this became a massive issue for client

The ability to just create active users, or activate pending users, without generating an email.

+5 Adding to this. We just launched a Craft Commerce project and not having this ability is a customer support nightmare.

The reason this isn’t currently possible is because the ability to manually activate users would introduce a new permission escalation vector.

  1. Admin user creates new user account (“User A”) with various permissions including “Edit users” (or perhaps even a new admin account).
  2. A user with “Administrate users” permission (“User B”) can now copy User A’s activation URL, go to it, and set their password / activate their account.
  3. Now User B can log into User A’s account with the password they just set, edit their own account (User B), and grant themselves whatever permissions User A has (or grant themselves Admin status if User A is an admin).

That said, a similar vector already exists, via the “Change users’ emails” permission.

  1. Admin user creates new user account (“User A”) with various permissions including “Edit users” (or perhaps even a new admin account).
  2. A user with “Change users’ emails” permission (“User B”) can now edit User A’s email to an email address that they control, and then resend an account activation email, or a password-reset email, etc., and set their password that way.
  3. Now User B can log into User A’s account with the password they just set, edit their own account (User B), and grant themselves whatever permissions User A has (or grant themselves Admin status if User A is an admin).

Considering that, I’m thinking maybe we should rename the “Change users’ emails” permission to “Activate user accounts and change emails”; there won’t be a significantly increased risk of permission escalation for users that already have that permission.
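The escalation path described in the comment above rests on one condition: the account being activated (User A) carries more privilege than the account doing the activating (User B). A guard that refuses the action whenever the target outranks the actor closes that path without requiring full admin access for moderators. The following is an added, self-contained PHP model of such a guard; it is not Craft's code and uses no Craft API. The `User` class, the `ActivationGuard` class, the permission names (`administrateUsers`, `editUsers`, `assignUserPermissions`, `editEntries`) and the sample accounts are all hypothetical, and the code assumes PHP 8.1 or later for readonly promoted properties.

```php
<?php
// Hypothetical model (not Craft's own code) of a check that a "manually
// activate user" or "change user's email" action could run before issuing an
// activation URL for, or rewriting the email of, a target account. It refuses
// when the target is an admin or holds any permission the acting user lacks,
// so a moderator cannot end up controlling an account that outranks their own.

final class User
{
    /** @param string[] $permissions hypothetical permission handles */
    public function __construct(
        public readonly string $username,
        public readonly bool $admin,
        public readonly array $permissions,
        public readonly bool $pending,
    ) {}
}

final class ActivationGuard
{
    /**
     * Returns null when the action may proceed, otherwise a reason string
     * suitable for an audit-log entry.
     */
    public static function denyReason(User $actor, User $target): ?string
    {
        if ($actor->admin) {
            return null; // admins can already do everything
        }
        // "administrateUsers" is an assumed handle for the permission that
        // grants activation rights; it is not Craft's actual handle.
        if (!in_array('administrateUsers', $actor->permissions, true)) {
            return 'actor lacks the administrateUsers permission';
        }
        if (!$target->pending) {
            return 'target account is already active';
        }
        if ($target->admin) {
            return 'target account is an admin';
        }
        // Any permission the target has that the actor does not is a
        // potential escalation, so the whole action is refused.
        $excess = array_values(array_diff($target->permissions, $actor->permissions));
        if ($excess !== []) {
            return 'target holds permissions the actor lacks: ' . implode(', ', $excess);
        }
        return null;
    }
}

// Constructed sample accounts (not real data).
$moderator    = new User('userB',   false, ['administrateUsers', 'editEntries'], false);
$newEditor    = new User('editor1', false, ['editEntries'], true);
$newUserAdmin = new User('userA',   false, ['editUsers', 'assignUserPermissions'], true);
$newAdmin     = new User('boss',    true,  [], true);

foreach ([$newEditor, $newUserAdmin, $newAdmin] as $target) {
    $reason = ActivationGuard::denyReason($moderator, $target);
    printf("%s -> %s\n", $target->username, $reason ?? 'allowed');
}
```

Run with `php guard.php`: the pending editor is allowed because its permission set is a subset of the moderator's, while the pending user-admin and the pending admin are refused with a logged reason. The same `denyReason` call belongs in front of an email-change action, since the comment above shows that path leads to the same outcome.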

This will be resolved in Craft 3.1 (currently in Dev Preview).

  • The old “Administrate users” permission has been renamed to “Moderate users”.
  • The old “Change users’ emails” permission has been renamed to “Administrate users”, and now comes with the ability to activate user accounts and reset their passwords.

This is partially broken on my Craft CMS 3.3.0.1 Pro version. When a pending user has already set a password, the option "Copy activation URL" is still available in the CP.
The $user->password in vendor/craftcms/cms/src/controllers/UsersController.php on line 648 is empty, but the user record in the db has a password set.

@bytebrain How did the user have a password set without activating their account?

@brandonkelly Through the frontend, with a registration form.

@bytebrain Duh, of course. Just fixed that for the next release, thanks for pointing it out.
