Hi,
I've disabled the registration of Users and manage them via the administrator interface. On creation, I give them a big, random password and ask them to change it on login. But I can't enforce the password change. I don't want to know their password and I assume they don't want me to know it either. It would be nice to have a "Require Password Change" checkbox on account creation so the user is forced to change his password once he logs in.
This could be added to the edit user page as well so the administrator could force a password rotation if needed.
I support this suggestion, but as a workaround you could set up the mailer and have Gitea send out a registration e-mail after you create a user.
The registration notification e-mail reads the following by default:
Hi {username}, this is your registration confirmation email for {Instance name}!
You can now login via username: {username}.
https://yourinstanceurl/user/login
If this account has been created for you, please reset your password first. ('Reset your password' has a link to https://yourinstanceurl/user/forgot_password)
© {Instance name}
But I think your suggestion would be a nice addition to Gitea.
I would like to work on this, but I have been wondering how to identify users created by an admin. Should I add a new field to the db and *User?
cc @lafriks @JonasFranzDEV
Yes, a new field would be fine, but name it something like MustChangePassword
or something like
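As an added illustration of the design being settled on here (a MustChangePassword field on the user plus a check at request time), the following is example code written for this page, not Gitea's own implementation. The field name comes from the thread; the route paths, the `User` struct layout, the `NewAdminCreatedUser`/`ChangePassword`/`ForcePasswordRotation` helpers and the middleware are all assumptions. The password hash is a salted, iterated SHA-256 stand-in so the example has no external dependency; a real implementation would use the project's existing password hashing.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// User holds only what this example needs. MustChangePassword is the new
// column proposed in the thread; the other field names are assumptions.
type User struct {
	Name               string
	Salt               []byte
	PasswordHash       []byte
	MustChangePassword bool
}

// changePasswordPath is an assumed route. A flagged user may still reach the
// change-password page and logout, otherwise they could never clear the flag.
const changePasswordPath = "/user/settings/change_password"

var pathsAllowedWhileFlagged = map[string]bool{
	changePasswordPath: true,
	"/user/logout":     true,
}

// hashPassword is a dependency-free stand-in for a real password KDF
// (bcrypt/argon2/pbkdf2): salted SHA-256 iterated 100000 times.
func hashPassword(password string, salt []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	out := sum[:]
	for i := 0; i < 100000; i++ {
		next := sha256.Sum256(append(append([]byte{}, out...), salt...))
		out = next[:]
	}
	return out
}

// setPassword generates a fresh random salt and stores the new hash.
func (u *User) setPassword(password string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	u.Salt, u.PasswordHash = salt, hashPassword(password, salt)
	return nil
}

// NewAdminCreatedUser models the admin "create user" form with the proposed
// "Require Password Change" box ticked: the admin supplies a throwaway initial
// password and the account stays flagged until the user replaces it.
func NewAdminCreatedUser(name, initialPassword string) (*User, error) {
	u := &User{Name: name}
	if err := u.setPassword(initialPassword); err != nil {
		return nil, err
	}
	u.MustChangePassword = true
	return u, nil
}

// CheckPassword verifies a candidate password in constant time.
func (u *User) CheckPassword(password string) bool {
	return subtle.ConstantTimeCompare(hashPassword(password, u.Salt), u.PasswordHash) == 1
}

// ChangePassword is what the change-password page calls. It requires the
// current password and refuses a no-op change; only a successful change
// clears the flag, so a failed attempt leaves the user still redirected.
func (u *User) ChangePassword(current, replacement string) error {
	if !u.CheckPassword(current) {
		return errors.New("current password is incorrect")
	}
	if current == replacement {
		return errors.New("new password must differ from the current one")
	}
	if err := u.setPassword(replacement); err != nil {
		return err
	}
	u.MustChangePassword = false
	return nil
}

// ForcePasswordRotation is the "edit user" side: an admin re-flags an
// existing account without learning or resetting its password.
func (u *User) ForcePasswordRotation() { u.MustChangePassword = true }

// RequiresPasswordChange decides whether a request must be redirected.
// Anonymous requests are never redirected; static assets are let through.
func RequiresPasswordChange(u *User, path string) bool {
	if u == nil || !u.MustChangePassword {
		return false
	}
	return !pathsAllowedWhileFlagged[path] && !strings.HasPrefix(path, "/assets/")
}

// EnforcePasswordChange wraps a handler; currentUser resolves the session.
func EnforcePasswordChange(currentUser func(*http.Request) *User, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if RequiresPasswordChange(currentUser(r), r.URL.Path) {
			http.Redirect(w, r, changePasswordPath, http.StatusSeeOther)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	u, err := NewAdminCreatedUser("alice", "initial-throwaway") // constructed sample user
	if err != nil {
		panic(err)
	}
	fmt.Println("blocked on /:", RequiresPasswordChange(u, "/"))
	fmt.Println("wrong current password:", u.ChangePassword("wrong", "new-secret"))
	fmt.Println("change ok:", u.ChangePassword("initial-throwaway", "new-secret"), "flag:", u.MustChangePassword)
}
```

The two decisions worth keeping from this sketch are that the flag is cleared only inside a successful `ChangePassword` (never by the login handler), and that the redirect allow-list is explicit, so adding a new route cannot accidentally let a flagged user through.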
If you offer someone admin and ask them to change their password, and they don't, is it possible you don't actually want them administering your software?
Conversely, would it be possible to create accounts and never know the passwords to begin with, such as issuing a TOTP directly via email?
@jhabdas It is normal practice to require changing a password that is issued when creating a user, especially in companies.
Of course. The point I'm raising is that of roles and privileges. What I'm hoping to draw out are questions regarding who knows what and when.
It may be possible admins are being created when, in fact, a superuser is more desirable. But the bane of this issue seems more so to be the fact that the OP ever had the user's password to begin with, nuanced as it may be.
If you offer someone admin and ask them to change their password, and they don't, is it possible you don't actually want them administering your software?
@jhabdas I think permissions cannot be given to an inactive user.
I am currently working on this and will send a PR tomorrow.
A checkbox on the user maintenance page: "Require password change on next login".
@mcg1103 This can be added as a separate PR later, once this one is merged.
I will work on that and send it as another PR.