How can Administrator change user password from Mantis?

Nickless
Posts: 9
Joined: 07 Mar 2008, 05:36

How can Administrator change user password from Mantis?

Post by Nickless »

Hi all. Sorry for my English - I'm from Russia :)
Can you help me with one problem/question?
I am trying to change the page "manage_user_edit_page.php" and add a password-changing function with the fields "Password" and "Confirm Password".
I want the Administrator to be able to change the user's password from this page.
Can you describe to me in detail how to do it correctly?

Thanks :)
Your system is great for a helpdesk :)
Nickless
Posts: 9
Joined: 07 Mar 2008, 05:36

Re: How can Administrator change user password from Mantis?

Post by Nickless »

Mantis version - 1.1.1
smig1o
Posts: 39
Joined: 30 Nov 2006, 12:26
Location: Poznan - PL

Re: How can Administrator change user password from Mantis?

Post by smig1o »

I just don't understand... why do you want to set a password directly? It isn't possible due to security reasons...
vboctor
Site Admin
Posts: 1292
Joined: 13 Feb 2005, 22:11
Location: Redmond, Washington

Re: How can Administrator change user password from Mantis?

Post by vboctor »

Mantis allows you to "Reset Password" for a user. This triggers an email to the user's email address which allows the user to login and change their password. If email notifications are disabled, then the password is reset to a blank password.
Nickless
Posts: 9
Joined: 07 Mar 2008, 05:36

Re: How can Administrator change user password from Mantis?

Post by Nickless »

To smig1o

Can you tell me what security reasons would stop the Administrator from changing a user's password directly? For example: you are the administrator in a big commercial firm. Do you want users to be able to change passwords or not? I think NOT, because it may be very bad. A user can say to you, "I forgot my password, can you help me?" And we have about 20 users with that problem in 24 hours... If the administrator can change passwords manually, it is great!!!

And the second reason - a control function!!!
Nickless
Posts: 9
Joined: 07 Mar 2008, 05:36

Re: How can Administrator change user password from Mantis?

Post by Nickless »

To vboctor

Thank you!
But we want to change the user's password from manage_user_edit_page.php, for example, because it is very difficult to explain to all the people who work with tickets how to reset a user's password, how to log in as the user, how to change the password... If you are the administrator, it is good to have that function: changing a user's password without resetting and other manual operations!
vboctor
Site Admin
Posts: 1292
Joined: 13 Feb 2005, 22:11
Location: Redmond, Washington

Re: How can Administrator change user password from Mantis?

Post by vboctor »

You can report a feature request in the bug tracker. Reporting it there will provide more exposure to the issue and we will get more feedback. If someone contributes a patch, it is more likely to get in. I don't expect that developers will jump on it.
switch120
Posts: 1
Joined: 01 Apr 2008, 18:46

Re: How can Administrator change user password from Mantis?

Post by switch120 »

I've been using Mantis now for about a week, and it's definitely a great utility. I do, however, find some smaller more desirable features lacking - like the ability for an administrator to manually set a password. I'm not confident enough that our user base will choose "smart" passwords, and I also need the ability to use Proxy accounts for my Mantis Connect C# Rich Client implementation to report "On behalf of" other users. That means I've got several Proxy accounts with fake emails as they're just "placeholders" so that each user that uses my application is not required to have a login/pass - as long as they exist, the MantisConnect will report the issue on their behalf.

So in short, I mucked around a bit and found a quick (not ideal - a "quick") fix. Follow these steps:

1. Edit your manage_user_edit_page.php file.
2. Locate "<!-- Email -->
3. Paste this just above it:


<!-- Password -->
<tr <?php echo helper_alternate_class( 1 ) ?>>
	<td class="category" width="30%">
		<?php echo "Password (change only)" ?>:
	</td>
	<td width="70%">
		<input type="text" size="16" maxlength="100" name="password" value="" />
	</td>
</tr>
4. If you're worried about folks looking over your shoulder, change the type="text" to type="password". I keep my door shut and prefer to see the text rather than mess around with an additional "confirm password" box.
5. Edit your manage_user_update.php file.
6. Under the $f_user_id line, paste this line:


$f_pass = gpc_get_string('password');
7. Scroll down to the line that reads: $result = db_query( $query );
8. Paste this code above it:


//Reset the password if specified.
if ($f_pass) user_set_password($f_user_id, $f_pass);
Save all your files. There will now be a password field that you can manually edit. Saves me a ton of time and aggravation. If you leave the field blank, it will not reset your password - leaves it as is.

HTH

(I suppose this goes without saying, but I'm not responsible for any irreparable damage caused by misreading my instructions on how to hack your Mantis installation.)
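The snippet above writes whatever arrives in the `password` field straight into `user_set_password()`: no confirmation field, no check that the login method actually uses local passwords, and an empty field is the only thing standing between "leave it alone" and "set it". The block below is an added example (the editor's, not switch120's code and not MantisBT's) of the decision a handler like manage_user_update.php should make before it touches the database. It is a pure function so it runs from the CLI; `LOGIN_LDAP`/`LOGIN_NATIVE` stand in for MantisBT's `login_method` setting, the `change_password` checkbox is an assumed addition to the edit form, `MIN_PASSWORD_LENGTH` is an example policy, and the sample submissions are constructed. The "sentinel leftover" case shows why a password made of control characters, such as the chr(127) pre-fill used in the diffs further down this thread, should be refused rather than stored.

```php
<?php
declare(strict_types=1);
// Added example, not MantisBT code. Validates an admin-submitted password
// change before anything is written. LOGIN_LDAP / LOGIN_NATIVE and the
// 'change_password' form field are assumptions standing in for MantisBT's
// login_method setting and a checkbox added to the edit form.

const LOGIN_NATIVE = 'native';
const LOGIN_LDAP   = 'ldap';
const MIN_PASSWORD_LENGTH = 8;   // example policy, not a MantisBT setting

/**
 * Returns one of:
 *   ['action' => 'none']                     nothing requested, leave the hash alone
 *   ['action' => 'error', 'reason' => ...]   refuse and write nothing
 *   ['action' => 'set',   'hash'   => ...]   store this hash for the user
 */
function admin_password_decision(array $post, string $login_method): array
{
    $password = (string) ($post['password'] ?? '');
    $confirm  = (string) ($post['password_confirm'] ?? '');

    // Explicit opt-in instead of a pre-filled sentinel: an untouched or
    // empty form can never be mistaken for "set the password to empty".
    if (empty($post['change_password'])) {
        return ['action' => 'none'];
    }

    // Enforce on the server what the form only hides: under LDAP the local
    // hash is not the credential, so refuse rather than store one silently.
    if ($login_method === LOGIN_LDAP) {
        return ['action' => 'error', 'reason' => 'password is managed by LDAP'];
    }

    if ($password !== $confirm) {
        return ['action' => 'error', 'reason' => 'password and confirmation differ'];
    }

    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        return ['action' => 'error', 'reason' => 'shorter than ' . MIN_PASSWORD_LENGTH . ' characters'];
    }

    // Control characters do not survive every browser/form round trip, so a
    // password containing them would lock the user out; reject them up front.
    if (preg_match('/[\x00-\x1f\x7f]/', $password) === 1) {
        return ['action' => 'error', 'reason' => 'control characters in password'];
    }

    return ['action' => 'set', 'hash' => password_hash($password, PASSWORD_DEFAULT)];
}

// Constructed sample submissions; run with: php admin_password_decision.php
$good  = ['change_password' => '1',
          'password' => 'correct horse battery', 'password_confirm' => 'correct horse battery'];
$cases = [
    'untouched form'    => [['password' => '', 'password_confirm' => ''], LOGIN_NATIVE],
    'opt-in but blank'  => [['change_password' => '1', 'password' => '', 'password_confirm' => ''], LOGIN_NATIVE],
    'mismatch'          => [array_merge($good, ['password_confirm' => 'correct horse batter']), LOGIN_NATIVE],
    'LDAP account'      => [$good, LOGIN_LDAP],
    'sentinel leftover' => [['change_password' => '1',
                             'password' => str_repeat("\x7f", 9), 'password_confirm' => str_repeat("\x7f", 9)], LOGIN_NATIVE],
    'valid'             => [$good, LOGIN_NATIVE],
];

foreach ($cases as $name => [$post, $method]) {
    $d = admin_password_decision($post, $method);
    printf("%-18s -> %s%s\n", $name, $d['action'], isset($d['reason']) ? " ({$d['reason']})" : '');
}

// Only the 'valid' case yields a hash, and it verifies against the plaintext.
[$post, $method] = $cases['valid'];
$d = admin_password_decision($post, $method);
assert($d['action'] === 'set' && password_verify('correct horse battery', $d['hash']));
```

In a real page the `set` branch would be followed by the existing `user_set_password( $f_user_id, ... )` call, the `error` branch by `trigger_error( ..., ERROR )` before any other field is updated, and the whole thing would sit behind the page's existing `auth_reauthenticate()` / `access_ensure_global_level()` guards. The point is the ordering: validate everything, then write once.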
Starbuck
Posts: 217
Joined: 14 Feb 2006, 02:53
Location: USA

Re: How can Administrator change user password from Mantis?

Post by Starbuck »

I just came back to this forum for this same topic. I can understand that some people might not want to work on this particular feature because they don't believe in its value. However, there are many sites that would want this feature. The question is more a matter of whether the package should support "desirable" features compared to those features only desired by a limited group of people. As I look at the responses here that seem to shut out administrators because of differing opinions, the word "elitist" comes to mind. Don't get me wrong, I understand the security issues that developers are trying to manage here, and the OP was properly referred to the tracker to enter a formal request. That's the right process, and has been here since the beginning. But the initial "you don't want that" type of response isn't appropriate when an admin is stuck with users and management demanding access to a system and the admin has to tell them he doesn't have full control, "here's the process that we all need to follow". That's completely out of touch with the real world.

Why did I just come to the forum looking for this? Because I just got this email from one of my clients who happens to be an avid FLOSS supporter:
Your tracking system sucks. Clicked on the last confirmation link I received and actually got to a page where I was requested to change my password. I tried to change password and e-mail. Each time I hit "Update User" button, it just came back to the same screen, but since the new e-mail address was there, I assumed it took the new password as well. I guess not, because now I can't log in using any combination of old or new email address and my password, or the password you sent me. I really don't need to be on the tracking system that badly. I just need a working copy of *software*.
Let's not analyze the specifics here. The long-term solution is to figure out what happened and try to make the experience better. The short-term issue is for me to just be able to give this guy a valid user ID and password so that he can use the system. That's a valid application for an administrator to have complete control over all aspects of his site. Any argument about why an admin should have full control of his own environment is seriously missing the big picture. Software should not limit the capabilities of human beings who are responsible for achieving specific tasks.

BTW, a search for the word "password" in this forum returned an error that it's too common a word. Great, another bit of software (phpBB) that doesn't give me even a subset of what I want, ironically because too many people are already talking about it. Folks, take these as examples - the software is here to serve us, but we keep getting backed into these situations where the people who use and support FLOSS/LAMP look really stupid when we choose tools that don't allow us to get through the most basic tasks.

What's the answer? Use different indexing tools like Google? Hire PHP developers to customize the code we have? Good answers, but also completely missing the point. My solution to searching for this issue was to brute-force searching this forum and hoping I'd find a similar topic. Yay, success, and (this time) without wasting much time. My solution to the client password situation is to change their email to a proxy created just for the purpose, reset their password, then change the password back. Stupid. My solution to all similar OSS issues is to guarantee that returns from some sales go to funding software changes that we want, and then of course to re-contribute back to the project. Yes, that's the way it all "should" be but getting to that point is very difficult.
vzw614
Posts: 143
Joined: 15 May 2008, 14:59

Re: How can Administrator change user password from Mantis?

Post by vzw614 »

Put a "Feature" request in the Mantis BT system and maybe someone will develop a patch for the feature. It appears that someone above has brute-forced a way to do this, but I can also think of several other things that would be good to have if this feature were implemented.

A config setting to disallow users from changing their passwords for example.

http://www.mantisbt.org/bugs/login_page.php
DutchUncle
Posts: 2
Joined: 02 Jul 2009, 15:29

Re: How can Administrator change user password from Mantis?

Post by DutchUncle »

Responding to 20070713 post from Starbuck:

Absolutely. I'm trying to convince people to use this great open-source application rather than the Post-It / Excel spreadsheet / email patchwork we rely on, and the InstantMantis demo I threw together knocked socks off. Then I had to leave the passwords blank because I can't go out through the "secure" corporate email, and I can't override the passwords when people forget them, and practical usability looks half-baked.

Even atomic clocks get a second added now and then. You always need to be able to control your system, and if that looks like "breaking the paradigm", well, the paradigm is for the normal case when things are working. Even a Bugatti Veyron needs a tire iron.
Kirill
Posts: 619
Joined: 25 Nov 2007, 08:05
Location: Kaliningrad, RF

Re: How can Administrator change user password from Mantis?

Post by Kirill »

vboctor wrote:You can report a feature request in the bug tracker. Reporting it there will provide more exposure to the issue and we will get more feedback. If someone contributes a patch, it is more likely to get in. I don't expect that developers will jump on it.
Victor, I think it can be done with a plugin, not in core.
bahaa_issa83
Posts: 4
Joined: 22 Jun 2009, 11:34

Re: How can Administrator change user password from Mantis?

Post by bahaa_issa83 »

Mr. switch120,
thanks very much for these nice steps to allow the administrator to create the password for users.
scheidelg
Posts: 2
Joined: 25 Feb 2010, 18:50

Re: How can Administrator change user password from Mantis?

Post by scheidelg »

I ran into this issue yesterday, and created a patch to address this for my environment.

At a high level, it modifies the manage_user_edit_page.php page to include "Password" and "Confirm Password" text boxes.

In more detail:

manage_user_edit_page.php

- Add a new "Password" and "Confirm Password" text boxes consistent with the way password is set on account_page.php (when a user sets their own password).

- If the administrator can now change the password directly from the GUI, then there is no reason for the previous "Reset Password" button to have dual functionality of either (a) triggering the 'password reset via e-mail' process or (b) resetting the password to an empty string... The administrator can just specifically change the password to an empty string. So:

a. Change the previous "Reset Password" button to "Trigger Password Reset via E-mail"

b. Disable the previous "Reset Password" button (now "Trigger Password Reset via E-mail") if notifications are not enabled

c. Get rid of the additional text displayed alternately as "Reset Password sends the confirmation URL via e-mail." or "Reset Password resets the password to be blank"

manage_user_update.php

- Gather "Password" and "Confirm Password" form field values.

- Change the password if:

a. The administrator made a change to the field values

b. The "Password" and "Confirm Password" field values match

c. Other updates were successfully applied (i.e., don't change the password when other updates fail).

- Include "password changed" information in notifications via e-mail and browser page.

manage_user_reset.php

No longer using alternate "reset password to blank" functionality when notifications are disabled, since the administrator can just directly set the password to an empty string if they so desire.

account_page.php; account_update.php

For consistency and UI enhancement, populate "Password" and "Confirm Password" fields with a dummy string so that bullets/asterisks/whatever are displayed on screen.

core/authentication_api.php

Added auth_gen_dummy_password() function, to generate the dummy string used in initial display of password fields.

core/user_api.php

In user_reset_password(), don't reset the password to blank when notifications are disabled; just return false.

lang/strings_english.txt

- Removed $s_reset_password_button: No longer need "Reset Password" button text.

- Removed $s_reset_password_msg and $s_reset_password_msg2: No longer using alternate text messages displayed on the page for whether the previous "Reset Password" button (a) sends confirmation URL via e-mail or (b) resets the password to be blank.

- Added $s_email_reset_password_button: Need an additional text string to change the text of the previous "Reset Password" button to "Trigger Password Reset via E-mail".

- Added $s_password_update_not_requested and $s_password_not_updated: Needed additional notifications to administrator in manage_users.php regarding whether a password change was requested, and if so whether it was successful.

- Removed $s_account_reset_msg2: No longer using alternate "reset password to blank" functionality when notifications are disabled, since the administrator can just directly set the password to an empty string if they so desire.

NOTE: I made these changes only to strings_english.txt, and no other language files.

Code

I'd prefer to upload the replacement and/or diff files, but since I can't add attachments to a post, here are the individual diff's.

manage_user_edit_page.php


--- \MantisBT.orig\manage_user_edit_page.php	Wed Feb 24 11:44:00 2010
+++ \MantisBT.Updates\manage_user_edit_page.php	Fri Feb 26 13:49:50 2010
@@ -14,6 +14,36 @@
 # You should have received a copy of the GNU General Public License
 # along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
 
+#----------
+# Modification: Allow Administrator to directly reset password
+#
+# Modification to allow the administrator to change the user's password
+# directly from the GUI.
+#
+#  - Add a new "Password" and "Confirm Password" text boxes consistent
+#    with the way password is set on account_page.php (when a user sets
+#    their own password).
+#
+#  - If the administrator can now change the password directly from the
+#    GUI, then there is no reason for the previous "Reset Password"
+#    button to have dual functionality of either (a) triggering the
+#    'password reset via e-mail' process or (b) resetting the password
+#    to an empty string... The administrator can just specifically
+#    change the password to an empty string.  So:
+#
+#     - Change the previous "Reset Password" button to "Trigger Password
+#       Reset via E-mail"
+#
+#     - Disable the previous "Reset Password" button (now
+#       "Trigger Password Reset via E-mail") if notifications are not
+#       enabled
+#
+#     - Get rid of the additional text displayed alternately as "Reset
+#       Password sends the confirmation URL via e-mail." or "Reset
+#       Password resets the password to be blank"
+#
+# Greg Scheidel 2010.02.25
+
 	/**
 	 * @package MantisBT
 	 * @copyright Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
@@ -46,6 +76,18 @@
 
 	$t_ldap = ( LDAP == config_get( 'login_method' ) );
 
+      # Set a string that we can use to pre-populate password fields
+      # so that asterisks/bullets/whatever are displayed, but that
+      # the user will not enter themselves so that we can check after
+      # form submission to see if the user has changed the field
+      # contents.
+      #
+      # Note that this will pre-populate the fields even if the
+      # actual password is an empty string.  The administrator should
+      # not have any clue as to the user's actual password (including
+      # whether it is currently empty) from the page rendering.
+      $s_dummy_password = auth_gen_dummy_password();
+
 	html_page_top();
 
 	print_manage_menu();
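Review bot: `$s_dummy_password` uses the `$s_` prefix, which this code base reserves for language strings (compare the `$s_…` names being added to strings_english.txt in this same patch); a page-local temporary belongs under `$t_`, e.g. `$t_dummy_password = auth_gen_dummy_password();`. The block is also indented with spaces where the surrounding file uses tabs, and the same eleven-line comment is pasted into four files; keep it once on auth_gen_dummy_password() and leave a one-line pointer here.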
@@ -95,6 +137,33 @@
 	</td>
 </tr>
 
+<!-- Password -->
+<tr <?php echo helper_alternate_class() ?>>
+	<td class="category">
+		<?php echo lang_get( 'password' ) ?>
+	</td>
+	<td>
+<?php if ( $t_ldap ) { ?> <!-- With LDAP -->
+		<?php echo lang_get( 'no_password_change' ) ?>
+<!-- Without LDAP -->
+<?php } else { ?>
+		<input type="password" size="32" maxlength="<?php echo PASSLEN;?>" name="password" value="<?php echo $s_dummy_password ?>" />
+<?php } ?> <!-- End LDAP conditional -->
+	</td>
+</tr>
+
+<!-- Password Confirmation -->
+<?php if ( !$t_ldap ) { ?> <!-- Without LDAP -->
+<tr <?php echo helper_alternate_class() ?>>
+	<td class="category">
+		<?php echo lang_get( 'confirm_password' ) ?>
+	</td>
+	<td>
+		<input type="password" size="32" maxlength="<?php echo PASSLEN;?>" name="password_confirm" value="<?php echo $s_dummy_password ?>" />
+	</td>
+</tr>
+<?php } ?> <!-- End LDAP conditional -->
+
 <!-- Email -->
 <tr <?php echo helper_alternate_class() ?>>
 	<td class="category">
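Review bot: the sentinel is echoed raw into the `value` attribute (`value="<?php echo $s_dummy_password ?>"`); wrap it with string_attribute(). More important, a sentinel of ten chr(127) bytes is a control-character string that browsers and form encoders do not reliably round trip, and the update script treats any difference from the sentinel as a request to change the password; if one byte is dropped or normalised on the way back, saving an untouched form silently sets the account password to whatever survived. Leave the field empty and add an explicit opt-in (a checkbox) instead of a hidden sentinel, or at least use a printable one. Note also that the `$t_ldap` branch only hides the inputs; whatever condition is used here must be enforced again in manage_user_update.php, which never sees this check.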
@@ -161,11 +230,20 @@
 
 <!-- RESET AND DELETE -->
 <div class="border center">
-<!-- Reset Button -->
-	<form method="post" action="manage_user_reset.php">
+<!-- Trigger Reset via E-mail Button -->
+	<form 
+
+<?php
+	if ( !( ( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) ) {
+		echo 'disabled';
+	}
+?>
+            method="post" action="manage_user_reset.php">
+
+
 <?php echo form_security_field( 'manage_user_reset' ) ?>
 		<input type="hidden" name="user_id" value="<?php echo $t_user['id'] ?>" />
-		<input type="submit" class="button" value="<?php echo lang_get( 'reset_password_button' ) ?>" />
+		<input type="submit" class="button" value="<?php echo lang_get( 'email_reset_password_button' ) ?>" />
 	</form>
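Review bot: `disabled` is not an attribute of `<form>`, so the `echo 'disabled'` placed between `<form` and `method="post"` has no effect and the button stays clickable when send_reset_password or enable_email_notification is off. Put `disabled="disabled"` on the submit `<input>` (or skip rendering the form altogether in that case), and keep the `<form` tag on one line rather than splitting it around a PHP block.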
 
 <!-- Delete Button -->
@@ -179,7 +257,8 @@
 <?php } ?>
 </div>
 <br />
-<div align="center">
+
+<!-- <div align="center">
 <?php
 	if ( ( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) {
 		echo lang_get( 'reset_password_msg' );
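Review bot: wrapping this block in `<!-- … -->` only hides it in the browser; the PHP inside still runs, so `lang_get( 'reset_password_msg' )` is still called even though the patch summary removes `$s_reset_password_msg` and `$s_reset_password_msg2` from strings_english.txt, which will raise a missing-string error on page load. Delete the block outright instead of commenting it out (an HTML comment would also terminate early if any emitted text contained `--`).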
@@ -188,7 +267,7 @@
 	}
 ?>
 </div>
-
+-->
 
 <!-- PROJECT ACCESS (if permissions allow) and user is not ADMINISTRATOR -->
 <?php if ( access_has_global_level( config_get( 'manage_user_threshold' ) ) &&
@@ -244,7 +323,7 @@
 	</td>
 </tr>
 
-<!-- Submit Buttom -->
+<!-- Submit Button -->
 <tr>
 	<td class="center" colspan="2">
 		<input type="submit" class="button" value="<?php echo lang_get( 'add_user_button' ) ?>" />
manage_user_update.php


--- \MantisBT.orig\manage_user_update.php	Wed Feb 24 11:44:00 2010
+++ \MantisBT.Updates\manage_user_update.php	Fri Feb 26 13:27:47 2010
@@ -14,6 +14,28 @@
 # You should have received a copy of the GNU General Public License
 # along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
 
+#----------
+# Modification: Allow Administrator to directly reset password
+#
+# Modification to allow the administrator to change the user's password
+# directly from the GUI.
+#
+#  - Gather "Password" and "Confirm Password" form field values.
+#
+#  - Change the password if:
+#
+#     - The administrator made a change to the field values
+#
+#     - The "Password" and "Confirm Password" field values match
+#
+#     - Other updates were successfully applied (i.e., don't change
+#       the password when other updates fail).
+#
+#  - Include "password changed" in notifications via e-mail and
+#    browser page.
+#
+# Greg Scheidel 2010.02.25
+
 	/**
 	 * @package MantisBT
 	 * @copyright Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
@@ -32,13 +54,32 @@
 	auth_reauthenticate();
 	access_ensure_global_level( config_get( 'manage_user_threshold' ) );
 
-	$f_protected	= gpc_get_bool( 'protected' );
-	$f_enabled		= gpc_get_bool( 'enabled' );
-	$f_email		= gpc_get_string( 'email', '' );
-	$f_username		= gpc_get_string( 'username', '' );
-	$f_realname		= gpc_get_string( 'realname', '' );
-	$f_access_level	= gpc_get_int( 'access_level' );
-	$f_user_id		= gpc_get_int( 'user_id' );
+	$f_protected		= gpc_get_bool( 'protected' );
+	$f_enabled			= gpc_get_bool( 'enabled' );
+	$f_email			= gpc_get_string( 'email', '' );
+	$f_username			= gpc_get_string( 'username', '' );
+	$f_realname			= gpc_get_string( 'realname', '' );
+	$f_access_level		= gpc_get_int( 'access_level' );
+	$f_user_id			= gpc_get_int( 'user_id' );
+	$f_password			= gpc_get_string( 'password', '' );
+	$f_password_confirm	= gpc_get_string( 'password_confirm', '' );
+
+	# initial value of flags on whether a password update was
+	# requested, and whether it was successful..
+	$t_password_updated = false;
+	$t_password_update_requested = false;
+
+      # Set a string that we can use to pre-populate password fields
+      # so that asterisks/bullets/whatever are displayed, but that
+      # the user will not enter themselves so that we can check after
+      # form submission to see if the user has changed the field
+      # contents.
+      #
+      # Note that this will pre-populate the fields even if the
+      # actual password is an empty string.  The administrator should
+      # not have any clue as to the user's actual password (including
+      # whether it is currently empty) from the page rendering.
+      $s_dummy_password = auth_gen_dummy_password();
 
 	if ( config_get( 'enable_email_notification' ) == ON ) {
 		$f_send_email_notification = gpc_get_bool( 'send_email_notification' );
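Review bot: the seven `$f_protected` … `$f_user_id` lines are re-indented only, which adds whitespace-only churn to the diff; align the two new assignments to the existing column instead. As in manage_user_edit_page.php, `$s_dummy_password` should be a `$t_` variable, and the pasted explanatory comment belongs on the function that generates the value, not in every caller.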
@@ -102,6 +143,36 @@
 		user_delete_project_specific_access_levels( $f_user_id );
 	}
 
+	# If:
+	#
+	#  - The user changed either the password or confirm_password
+	#    field values
+	#
+	#  - The password or confirm_password field values match
+	#
+	# ...then set a flag to indicate that the user requested a
+	# password change.
+	#
+	# Note:
+	#
+	#  - We're not checking for an empty string password.  If the
+	#    administrator wants to set the password to an empty string, then
+	#    we let them.
+	#
+      #  - We don't check to see if the new password matches the current
+	#    password.  This should not open a method for the administrator
+	#    to guess the current password (even as a single attempt).
+	if ( ( $f_password != $s_dummy_password ) || ( $f_password_confirm != $s_dummy_password ) ) {
+		# Error out if the password and confirm_password fields do not match
+		if ( $f_password != $f_password_confirm ) {
+			trigger_error( ERROR_USER_CREATE_PASSWORD_MISMATCH, ERROR );
+
+		# set the flag
+		} else {
+			$t_password_update_requested = true;
+		}
+	}
+
 	# if the user is already protected and the admin is not removing the
 	#  protected flag then don't update the access level and enabled flag.
 	#  If the user was unprotected or the protected flag is being turned off
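Review bot: the mismatch check (`trigger_error( ERROR_USER_CREATE_PASSWORD_MISMATCH, ERROR )`) runs after `user_delete_project_specific_access_levels( $f_user_id )` in this hunk's context, so a typo in the confirmation field aborts the request with part of the update already applied. Move the password/confirm validation up next to the `gpc_get_*` calls, before any write. The script also never looks at `login_method`: the edit page hides the inputs for LDAP, but a POST carrying `password` for an LDAP account is accepted here, so repeat the `LDAP == config_get( 'login_method' )` test server side and refuse in that case.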
@@ -124,6 +195,13 @@
 
 	$result = db_query_bound( $query, $query_params );
 
+	# Update the password if an update was requested and the rest of the
+	# account updates were successful.
+	if ( $result  && $t_password_update_requested ) {
+		user_set_password( $f_user_id, $f_password );
+		$t_password_updated = true;
+	}
+
 	if ( $f_send_email_notification ) {
 		lang_push( user_pref_get_language( $f_user_id ) );
 		$t_changes = "";
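Review bot: `$t_password_updated = true;` is set unconditionally right after `user_set_password( $f_user_id, $f_password )`, so the success flag the header comment promises can never be false and the `password_not_updated` message added later in this file is unreachable. Either derive the flag from what user_set_password() reports, or drop the second flag and report only that a change was requested.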
@@ -136,6 +214,9 @@
 		if ( strcmp( $f_email, $t_old_email ) ) {
 			$t_changes .= lang_get( 'email' ) . ': ' . $t_old_email . ' => ' . $f_email . "\n";
 		}
+		if ( $t_password_updated ) {
+			$t_changes .= lang_get( 'password_updated' ) . "\n";
+		}
 		if ( strcmp( $f_access_level, $t_old_access_level ) ) {
 			$t_old_access_string = get_enum_element( 'access_levels', $t_old_access_level );
 			$t_new_access_string = get_enum_element( 'access_levels', $f_access_level );
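Review bot: this hunk calls `lang_get( 'password_updated' )`, but the list of strings added in the patch summary names only `$s_password_update_not_requested` and `$s_password_not_updated`; confirm `$s_password_updated` already exists in strings_english.txt, otherwise the notification path fails on a missing string. The notification itself is right to say only that the password changed and not what it was changed to; keep it that way.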
@@ -164,6 +245,18 @@
 <br />
 <div align="center">
 <?php
+	# display message identifying whether a password update was requested,
+	# and if so was it successful.
+	if ( $t_password_update_requested ) {
+		if ( $t_password_updated ) {
+			echo lang_get( 'password_updated' ) . '<br />';
+		} else {
+			echo lang_get( 'password_not_updated' ) . '<br />';
+		}
+	} else {
+		echo lang_get( 'password_update_not_requested' ) . '<br />';
+	}
+
 	if ( $f_protected && $t_old_protected ) {				# PROTECTED
 		echo lang_get( 'manage_user_protected_msg' ) . '<br />';
 	} else if ( $result ) {					# SUCCESS
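Review bot: `password_update_not_requested` is printed on every save that does not touch the password, which turns a routine name or access-level edit into a page that talks about passwords; print a line only when a change was requested. The `password_not_updated` branch is dead as long as `$t_password_updated` is set unconditionally after `user_set_password()` earlier in this file.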
manage_user_reset.php


--- \MantisBT.orig\manage_user_reset.php	Wed Feb 24 11:44:00 2010
+++ \MantisBT.Updates\manage_user_reset.php	Fri Feb 26 14:04:45 2010
@@ -14,6 +14,14 @@
 # You should have received a copy of the GNU General Public License
 # along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
 
+# Modification: Allow Administrator to directly reset password
+#
+# - No longer using alternate "reset password to blank" functionality when
+#   notifications are disabled, since the administrator can just directly
+#   set the password to an empty string if they so desire.
+#
+# Greg Scheidel 2010.02.25
+
 	/**
 	 * @package MantisBT
 	 * @copyright Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
@@ -50,12 +58,12 @@
 	} else {
 		# SUCCESS
 		if ( ( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) {
-			# send the new random password via email
+			# sent the new random password via email
 			echo lang_get( 'account_reset_msg' ) . '<br />';
-		} else {
-			# email notification disabled, then set the password to blank
-			echo lang_get( 'account_reset_msg2' ) . '<br />';
-		}
+		} #else {
+		#	# email notification disabled, then set the password to blank
+		#	echo lang_get( 'account_reset_msg2' ) . '<br />';
+		#}
 	}
 
 	print_bracket_link( $t_redirect_url, lang_get( 'proceed' ) );
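Review bot: the `# send the new random password via email` to `# sent …` comment edit is a typo regression, and with user_reset_password() now returning false when notifications are off, this page prints nothing at all in that case instead of telling the administrator why nothing happened; render an error (and preferably do not offer the reset form when it cannot work). Delete the dead `else` rather than leaving it behind as `#` comments.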
account_page.php


--- \MantisBT.orig\account_page.php	Wed Feb 24 11:44:00 2010
+++ \MantisBT.Updates\account_page.php	Fri Feb 26 12:27:07 2010
@@ -14,6 +14,18 @@
 # You should have received a copy of the GNU General Public License
 # along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
 
+#----------
+# Modification: Allow Administrator to directly reset password
+#
+# Modification to allow the administrator to change the user's password
+# directly from the GUI.
+#
+#  - For consistency and UI enhancement, populate "Password" and
+#    "Confirm Password" fields with a dummy string so that
+#    bullets/asterisks/whatever are displayed on screen.
+#
+# Greg Scheidel 2010.02.25
+
 	/**
 	 * CALLERS
 	 * This page is called from:
@@ -57,6 +69,16 @@
 
 	current_user_ensure_unprotected();
 
+      # Set a string that we can use to pre-populate password fields
+      # so that asterisks/bullets/whatever are displayed, but that
+      # the user will not enter themselves so that we can check after
+      # form submission to see if the user has changed the field
+      # contents.
+      #
+      # Note that this will pre-populate the fields even if the
+      # actual password is an empty string.
+      $s_dummy_password = auth_gen_dummy_password();
+
 	# extracts the user information for the currently logged in user
 	# and prefixes it with u_
 	$row = user_get_row( auth_get_current_user_id() );
@@ -154,7 +176,7 @@
 			<?php } ?>
 		</td>
 		<td>
-			<input type="password" size="32" maxlength="<?php echo PASSLEN;?>" name="password" />
+			<input type="password" size="32" maxlength="<?php echo PASSLEN;?>" name="password" value="<?php echo $s_dummy_password ?>" />
 		</td>
 	</tr>
 
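Review bot: pre-filling the user's own password field with `value="<?php echo $s_dummy_password ?>"` breaks the existing contract that a blank field means "unchanged", echoes control characters unescaped (use string_attribute() if a value is set at all), and fights browser password managers, which replace pre-filled values on load; the same applies to `password_confirm` in the next hunk. Leave both fields empty here.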
@@ -169,7 +191,7 @@
 			<?php } ?>
 		</td>
 		<td>
-			<input type="password" size="32" maxlength="<?php echo PASSLEN;?>" name="password_confirm" />
+			<input type="password" size="32" maxlength="<?php echo PASSLEN;?>" name="password_confirm" value="<?php echo $s_dummy_password ?>" />
 		</td>
 	</tr>

account_update.php


--- \MantisBT.orig\account_update.php	Wed Feb 24 11:44:00 2010
+++ \MantisBT.Updates\account_update.php	Fri Feb 26 12:32:50 2010
@@ -14,6 +14,18 @@
 # You should have received a copy of the GNU General Public License
 # along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
 
+#----------
+# Modification: Allow Administrator to directly reset password
+#
+# Modification to allow the administrator to change the user's password
+# directly from the GUI.
+#
+#  - For consistency and UI enhancement, populate "Password" and
+#    "Confirm Password" fields with a dummy string so that
+#    bullets/asterisks/whatever are displayed on screen.
+#
+# Greg Scheidel 2010.02.25
+
 	/**
 	 * This page updates a user's information
 	 * If an account is protected then changes are forbidden
@@ -37,6 +49,16 @@
 
 	current_user_ensure_unprotected();
 
+      # Set a string that we can use to pre-populate password fields
+      # so that asterisks/bullets/whatever are displayed, but that
+      # the user will not enter themselves so that we can check after
+      # form submission to see if the user has changed the field
+      # contents.
+      #
+      # Note that this will pre-populate the fields even if the
+      # actual password is an empty string.
+      $s_dummy_password = auth_gen_dummy_password();
+
 	$f_email           	= gpc_get_string( 'email', '' );
 	$f_realname        	= gpc_get_string( 'realname', '' );
 	$f_password        	= gpc_get_string( 'password', '' );
@@ -76,8 +98,9 @@
 		$t_realname_updated = true;
 	}
 
-	# Update password if the two match and are not empty
-	if ( !is_blank( $f_password ) ) {
+	# Update password if the two match, are not the dummy password, and
+	# new password is not the same as the current password.
+	if ( ( $f_password != $s_dummy_password ) || ( $f_password_confirm != $s_dummy_password ) ) {
 		if ( $f_password != $f_password_confirm ) {
 			trigger_error( ERROR_USER_CREATE_PASSWORD_MISMATCH, ERROR );
 		} else {
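Review bot: the new comment says the password is checked against the current one, but no such check exists in this hunk; and dropping `if ( !is_blank( $f_password ) )` means a user who clears both fields now sets their own password to the empty string, which the original guard prevented. Keep the blank check for self-service changes (a blank password is at most an administrator's decision, not something a user should be able to do to their own account by accident). The `!= $s_dummy_password` test has the same weakness as on the admin page: if the browser does not return the ten chr(127) bytes intact, an untouched form becomes a password change.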
core/authentication_api.php


--- \MantisBT.orig\core\authentication_api.php	Wed Feb 24 11:44:00 2010
+++ \MantisBT.Updates\core\authentication_api.php	Fri Feb 26 10:14:51 2010
@@ -14,6 +14,12 @@
 # You should have received a copy of the GNU General Public License
 # along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
 
+# Modification: Allow Administrator to directly reset password
+#
+# Added auth_gen_dummy_password() function.
+#
+# Greg Scheidel 2010.02.25
+
 /**
  * Authentication API
  * @copyright Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
@@ -853,4 +859,22 @@
 	$t_cookie = gpc_get_cookie( $t_cookie_name, '' );
 
 	return( $t_cookie > '' );
+}
+
+/**
+ * Generate a string to use in pre-populating password fields so
+ * that asterisks/bullets/whatever are displayed, but that the user
+ * will not enter themselves so that we can check after form
+ * submission to see if the user has changed the field contents.
+ *
+ * Use this to pre-populate the fields even if the actual password
+ * is an empty string.  The administrator should not have any clue
+ * as to the user's actual password (including whether it is
+ * currently empty) from the page rendering.
+ *
+ * @return bool
+ * @access public
+ */
+function auth_gen_dummy_password() {
+	return (str_repeat( chr(127), 10 ));
 }
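Review bot: the docblock says `@return bool`, but the function returns a string. More importantly, `chr(127)` is the DEL control character, and a control character placed in an `<input>` value is not guaranteed to come back unchanged from the browser, so the submitted value can differ from the sentinel even when the administrator never touched the field, and the caller then treats an untouched field as a requested change. A printable sentinel avoids that; rendering the fields empty and treating blank as "no change" avoids the sentinel altogether and still tells the administrator nothing about the stored password, since the field is empty on every render. The name `auth_gen_dummy_password()` also suggests a generated value; say in the docblock that it is a fixed, non-secret marker.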
core/user_api.php

--- \MantisBT.orig\core\user_api.php	Wed Feb 24 11:44:00 2010
+++ \MantisBT.Updates\core\user_api.php	Fri Feb 26 14:08:48 2010
@@ -14,6 +14,13 @@
 # You should have received a copy of the GNU General Public License
 # along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
 
+# Modification: Allow Administrator to directly reset password
+#
+# - In user_reset_password(), don't reset the password to blank when
+#   notifications are disabled; just return false.
+#
+# Greg Scheidel 2010.02.25
+
 /**
  * User API
  * @package CoreAPI
@@ -1320,7 +1327,7 @@
 #  Take into account the 'send_reset_password' setting
 #   - if it is ON, generate a random password and send an email
 #      (unless the second parameter is false)
-#   - if it is OFF, set the password to blank
+#   - if it is OFF, return false
 #  Return false if the user is protected, true if the password was
 #   successfully reset
 function user_reset_password( $p_user_id, $p_send_email = true ) {
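Review bot: the docblock still says `Return false if the user is protected`, but after this change `false` is also returned when `send_reset_password` is OFF, so a caller that maps `false` to the "account protected" message now misleads the administrator. Either document both meanings and update every caller, or report the disabled-notification case distinctly (a separate return value, or a `trigger_error()` with its own error code).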
@@ -1351,13 +1358,7 @@
 			email_send_confirm_hash_url( $p_user_id, $t_confirm_hash );
 		}
 	} else {
-
-		# use blank password, no emailing
-		$t_password = auth_process_plain_password( '' );
-		user_set_field( $p_user_id, 'password', $t_password );
-
-		# reset the failed login count because in this mode there is no emailing
-		user_reset_failed_login_count_to_zero( $p_user_id );
+		return false;
 	}
 
 	return true;
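Review bot: removing the blank-password fallback is the right direction, since a reset that leaves an account with an empty password is the worst of the available options, but the bare `return false` also drops the `user_reset_failed_login_count_to_zero()` call and gives the caller no reason for the failure. None of the posted hunks touches the script that calls `user_reset_password()`, so check that it does not show `$s_account_reset_msg` or the protected-account string on this new `false` path.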
lang/strings_english.txt

--- \MantisBT.orig\lang\strings_english.txt	Wed Feb 24 11:44:00 2010
+++ \MantisBT.Updates\lang\strings_english.txt	Fri Feb 26 14:00:51 2010
@@ -18,6 +18,41 @@
  * along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+# Modification: Allow Administrator to directly reset password
+#
+# - Removed $s_reset_password_button
+#
+#   No longer need "Reset Password" button text.
+#
+# - Removed $s_reset_password_msg and $s_reset_password_msg2
+#
+#   No longer using alternate text messages displayed on the page
+#   for whether the previous "Reset Password"  button (a) sends
+#   confirmation URL via e-mail or (b) resets the password to be
+#   blank.
+#
+# - Added $s_email_rest_password_button
+#
+#   Need additional text string to change the text of the previous
+#  "Reset Password" button to "Trigger Password Reset via E-mail".
+#
+# - Added $s_password_update_not_requested and $s_password_not_updated
+#
+#   Needed additional notifications to administrator in manage_users.php
+#   regarding whether a password change was requested, and if so whether
+#   it was successful.
+#
+# - Removed $s_account_reset_msg2
+#
+#   No longer using alternate "reset password to blank" functionality
+#   when notifications are disabled, since the administrator can just
+#   directly set the password to an empty string if they so desire.
+#
+# NOTE: I made these changes only to strings_english.txt, and no
+# other language files.
+#
+# Greg Scheidel 2010.02.25
+
 /** English (English)
  *
  * See the qqq 'language' for message documentation incl. usage of parameters
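Review bot: the comment names `$s_email_rest_password_button`, but the string defined later in this patch is `$s_email_reset_password_button`; fix the typo so the comment can be grepped. The comment also says the old strings were "Removed", while the hunks below comment them out with `#` rather than deleting them; pick one and say so. The closing NOTE deserves action: users running MantisBT in another language will only see the new strings if the language loader falls back to English for undefined keys, so the other `lang/strings_*.txt` files need at least the new identifiers.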
@@ -409,6 +444,14 @@
 $s_delete_account_button = 'Delete Account';
 
 # account_page.php
+#
+# Also used by manage_user_edit_page.php:
+#
+#  - s_password
+#  - s_no_password_change
+#  - s_confirm_password
+#
+# Greg Scheidel 2010.02.25
 $s_manage_profiles_link = 'Profiles';
 $s_change_preferences_link = 'Preferences';
 $s_edit_account_title = 'Edit Account';
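Review bot: the name-and-date attribution (`# Greg Scheidel 2010.02.25`) inserted under the `# account_page.php` section marker, and again under `# account_update.php` in the next hunk, obscures the markers that map strings to the page using them. The cross-reference ("Also used by manage_user_edit_page.php") is useful and can stay; the author and date belong in the patch header or commit message.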
@@ -503,6 +546,10 @@
 $s_payment_updated = 'Payment information updated.';
 
 # account_update.php
+#
+# Also used by manage_user_update.php: s_password_updated
+#
+# Greg Scheidel 2010.02.25
 $s_account_updated_msg = 'Your account has been successfully updated...';
 $s_email_updated = 'E-mail address successfully updated';
 $s_realname_duplicated = 'Real name is used by another user';
@@ -971,10 +1018,11 @@
 
 # manage_user_page.php
 $s_edit_user_title = 'Edit User';
-$s_reset_password_button = 'Reset Password';
+#$s_reset_password_button = 'Reset Password';
+$s_email_reset_password_button = 'Trigger Password Reset via E-mail';
 $s_delete_user_button = 'Delete User';
-$s_reset_password_msg = 'Reset Password sends the confirmation URL via e-mail.';
-$s_reset_password_msg2 = 'Reset Password resets the password to be blank.';
+#$s_reset_password_msg = 'Reset Password sends the confirmation URL via e-mail.';
+#$s_reset_password_msg2 = 'Reset Password resets the password to be blank.';
 $s_show_all_users = 'All';
 $s_users_unused = 'Unused';
 $s_users_new = 'New';
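Review bot: the three old strings are commented out with `#` instead of being deleted (the header comment at the top of the file says "Removed"); dead definitions in a language file invite the next translator to keep maintaining them, so delete the lines. Relabelling the button 'Trigger Password Reset via E-mail' is a good change: the old label made the e-mail and blank-password behaviours indistinguishable to the administrator.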
@@ -982,13 +1030,15 @@
 # manage_user_reset.php
 $s_account_reset_protected_msg = 'Account protected. Cannot reset the password.';
 $s_account_reset_msg = 'A confirmation request has been sent to the selected user\'s e-mail address. Using this, the user will be able to change their password.';
-$s_account_reset_msg2 = 'Account password has been set to blank...';
+#$s_account_reset_msg2 = 'Account password has been set to blank...';
 
 # manage_user_update.php
 $s_manage_user_protected_msg = 'Account protected. Access level and enabled protected. Otherwise, account has been updated...';
 $s_manage_user_updated_msg = 'Account successfully updated...';
 $s_email_user_updated_subject = 'Account updated';
 $s_email_user_updated_msg = 'Your account has been updated by an administrator. A list of these changes is provided below. You can update your account details and preferences at any time by visiting the following URL:';
+$s_password_update_not_requested = 'Password update was not requested';
+$s_password_not_updated = 'Password was NOT updated';
 
 # menu_inc.php
 $s_main_link = 'Main';
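Review bot: `$s_password_not_updated = 'Password was NOT updated'` gives the administrator no reason, and the update page can fail for distinct reasons (the two fields did not match, the account is protected, the value was blank), each of which deserves its own string; wire the specific message rather than a generic failure. `$s_account_reset_msg2` is commented out here while `$s_account_reset_msg` and `$s_account_reset_protected_msg` remain, so the reset script's new `false` return path must choose one of the remaining two or get a new string of its own.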
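The sentinel-prefilled approach in the patch above has an empty-submission edge case: two blank fields pass the "differs from the sentinel" test and then pass the mismatch test against each other. The following is an added example, written for this page and not part of MantisBT or the posted patch, that puts the patched condition next to a hardened version and runs both over constructed submissions. The `example_` function names, the `EXAMPLE_MIN_PASSWORD_LENGTH` policy and the form arrays are assumptions for illustration; MantisBT reads form values through gpc_get_string() rather than from an array.

```php
<?php
// Added example, not MantisBT code. Models the "administrator sets a user
// password" form handling and compares the patched condition with a hardened one.

// Same fixed sentinel the patch uses (ten DEL characters); it is not a secret.
define( 'EXAMPLE_DUMMY_PASSWORD', str_repeat( chr( 127 ), 10 ) );
// Assumed local policy for the example; MantisBT has no such constant.
define( 'EXAMPLE_MIN_PASSWORD_LENGTH', 8 );

/**
 * The patched condition: the update branch is entered whenever either field
 * differs from the sentinel. An absent field reads as '' (the gpc_get_string()
 * default), so a request that omits both fields enters the branch with two
 * matching empty strings and ends up writing an empty password.
 */
function example_patched_wants_update( array $p_form ) {
	$t_password = isset( $p_form['password'] ) ? (string) $p_form['password'] : '';
	$t_confirm  = isset( $p_form['password_confirm'] ) ? (string) $p_form['password_confirm'] : '';
	return ( $t_password != EXAMPLE_DUMMY_PASSWORD ) || ( $t_confirm != EXAMPLE_DUMMY_PASSWORD );
}

/**
 * Hardened decision: render the fields empty, treat empty or missing fields as
 * "no change requested", and accept only a non-empty, matching pair that meets
 * the length policy. Returns a short status string so the caller can choose the
 * message shown to the administrator.
 */
function example_password_decision( array $p_form ) {
	$t_password = isset( $p_form['password'] ) ? (string) $p_form['password'] : '';
	$t_confirm  = isset( $p_form['password_confirm'] ) ? (string) $p_form['password_confirm'] : '';

	// Nothing typed in either field, or fields missing: leave the password alone.
	if ( $t_password === '' && $t_confirm === '' ) {
		return 'not_requested';
	}
	// Both fields must be identical; this also rejects a half-filled form.
	if ( $t_password !== $t_confirm ) {
		return 'mismatch';
	}
	// Never accept the sentinel itself as a real password.
	if ( $t_password === EXAMPLE_DUMMY_PASSWORD ) {
		return 'rejected_sentinel';
	}
	// Apply the (assumed) length policy before anything is written.
	if ( strlen( $t_password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
		return 'too_short';
	}
	return 'update';
}

// Constructed submissions covering the edge cases.
$t_cases = array(
	'untouched form'     => array( 'password' => EXAMPLE_DUMMY_PASSWORD, 'password_confirm' => EXAMPLE_DUMMY_PASSWORD ),
	'fields omitted'     => array(),
	'admin cleared both' => array( 'password' => '', 'password_confirm' => '' ),
	'typo in confirm'    => array( 'password' => 'correct horse', 'password_confirm' => 'correct hoarse' ),
	'too short'          => array( 'password' => 'abc', 'password_confirm' => 'abc' ),
	'valid change'       => array( 'password' => 'correct horse battery', 'password_confirm' => 'correct horse battery' ),
);

foreach ( $t_cases as $t_label => $t_form ) {
	printf( "%-20s patched enters update branch: %-4s hardened: %s\n",
		$t_label,
		example_patched_wants_update( $t_form ) ? 'yes' : 'no',
		example_password_decision( $t_form ) );
}
```

Run it with `php example.php`. The "fields omitted" and "admin cleared both" rows show the patched condition entering the update branch with an empty password, while the hardened decision reports `not_requested`; the "typo in confirm" row enters the branch in both versions, but the hardened one never reaches the write.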
speedyrazor
Posts: 8
Joined: 20 Mar 2010, 13:49

Re: How can Administrator change user password from Mantis?

Post by speedyrazor »

Hi scheidelg, should we be replacing all the code in the files with your code here, or just adding to the end? How do I apply your code here to the files?

kind regards,
K.