Set "send password" in user options to "no", create a new user in the backend.
User notification email should not contain the password
The password is sent to the user
Joomla 3.8.7
I think the admin should be able to control when a password is sent in clear text, as it might be a security breach to send it with email. The switch in the options suggests that you can control that, but it is only applied to the frontend user registration not to the backend. Talked to @SniperSister about this...
Labels |
Added:
?
|
I would like to control how I send the user the pw. Maybe I choose to create an encrypted document with the credentials and and store it in a secured folder where only he has access? Or he is sitting beside me and I tell him personally? If it is sent automatically and I cannot prevent this, it might be seen by somebody I don't want to.
You may just set this parameter to NO and do what you like after as you do know the user email you just created.
Also, you can modify with an override the string concerned:
PLG_USER_JOOMLA_NEW_USER_EMAIL_BODY="Hello %s,\n\n\nYou have been added as a User to %s by an Administrator.\n\nThis email has your username and password to log in to %s\n\nUsername: %s\nPassword: %s\n\n\nPlease do not respond to this message as it is automatically generated and is for information purposes only."
Last variable is the password in clear.
Oh, that's great! I didn't think about the language override! So at least I AM able to control it. Still, I think it is a bit misleading to offer this switch in the user options and not make clear it only affects users created in the frontend
Status | New | ⇒ | Information Required |
Category | ⇒ | Authentication com_users |
Dont forget that when you create the user you can set that they must reset the password. That means that it doesnt matter that this password is sent in plain text as it will not be the user password.
Closed as expected behaviour
Status | Information Required | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-05-11 08:14:22 |
Closed_By | ⇒ | brianteeman |
Last but not least: If you create the user in backend and take security seriously, you don't enter the password but leave it empty. This way it is randomely generated and only the user gets to know it. You will not know the password at all and can't send it through other channels.
The parameter to send a mail when user created in backend is available in the plugin and it indeed does not offer the possibility of adding or not the password in the mail.
Honestly, when a user is created in backend, someone HAS to send that person a password, even if temporary...