As an admin, I have the ability to reset the password for another user.
But when I do that, the new password appears in the clear in the popup!
It seems that the wrong key is called for popup creation.
Seems a bit of a security issue…
Using docker dev edition 1.7.0
This falls in the category: It’s not a bug, it’s a feature. This is the intended behavior.
Why should the system admin not see the password? The system admin has superuser rights anyway.
This said: I appreciate your security-oriented mindset. If I were you, I would enable the ‘force password change’ option in the settings (see below). Then the user can use this password just once.
Frankly, I do not see any reason why an admin would get such easy access to the user password.
An admin can be created by the IT guys, with no access to the server itself. And he should not be allowed to see other users' passwords.
I think you are right. There's a historic reason for this, especially an API request for the team admin to reset one's password, but as soon as they have any personal bases created in their library, the admin shouldn't have any chance to access that data. I'll write a ticket for this. Thanks!
For some self-hosted environments, system emails are not configured. Showing the password to the admin when resetting the password is the only way to copy and send the new password to the user.
OK, but that's really an 'unusual' setup; it seems that it shouldn't be the default behavior.
Or at least a switch should be present in the config file to avoid this security flaw.
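The thread above argues over three things: whether the reset value should ever be shown to the admin, the 'force password change' option, and a config switch for installations without system mail. The example below is added here to show how those pieces fit together in one reset flow; it is not the project's own code, and the `reveal_reset_password_to_admin` setting, the `UserStore` class and the in-memory `outbox` standing in for system mail are all hypothetical. Only a salted hash of the temporary password is stored, the account is flagged so the temporary password can be used exactly once (the next login is forced through a password change), and the plaintext is handed back to the admin only when mail is not configured and the switch is explicitly on, with the switch defaulting to off.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    username: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = False  # the 'force password change' flag


@dataclass
class AdminConfig:
    email_configured: bool
    # Hypothetical switch for the no-mail setup discussed in the thread.
    # Off by default, so the plaintext is never shown unless an operator opts in.
    reveal_reset_password_to_admin: bool = False


class UserStore:
    """Hypothetical in-memory user store; outbox stands in for system mail."""

    def __init__(self) -> None:
        self.users: dict[str, UserRecord] = {}
        self.outbox: list[tuple[str, str]] = []

    def create_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = UserRecord(username, salt, _hash_password(password, salt))

    def admin_reset_password(self, username: str, config: AdminConfig):
        """Reset to a random one-time password.

        Returns (status, plaintext_or_None). The plaintext is only returned
        when there is no mail channel and the reveal switch is on.
        """
        user = self.users[username]
        temp = secrets.token_urlsafe(12)  # 96 bits of randomness
        user.salt = secrets.token_bytes(16)
        user.pw_hash = _hash_password(temp, user.salt)
        user.must_change_password = True  # temporary password is single-use
        if config.email_configured:
            self.outbox.append((username, temp))  # delivered to the user, not the admin
            return "emailed", None
        if config.reveal_reset_password_to_admin:
            return "revealed", temp
        return "no_channel", None

    def login(self, username: str, password: str) -> str:
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(
            _hash_password(password, user.salt), user.pw_hash
        ):
            return "denied"
        if user.must_change_password:
            return "password_change_required"
        return "ok"

    def change_password(self, username: str, old: str, new: str) -> bool:
        """The only way to clear the flag: prove the temporary password, then rotate."""
        if self.login(username, old) == "denied":
            return False
        user = self.users[username]
        user.salt = secrets.token_bytes(16)
        user.pw_hash = _hash_password(new, user.salt)
        user.must_change_password = False
        return True
```

With `email_configured=True` the admin never sees the value at all; with mail off and the switch left at its default the reset still happens but no plaintext is handed out, which is the "not the default behavior" position from the thread made concrete.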