[#3769] - [#33856] 3.x: Password field should be required when creating new user in back-end
- Closed
- 14 Jun 2014
- Medium
- Build: staging
- # 3769
- Diff
- infograf768:3-requiredpass
- Foreign ID 33856
- Success The Travis CI build passed Details
User tests: Successful: Unsuccessful:
| Title |
|
||||||
Beat is right. If no password is entered, Joomla will generate a random one. I just verfified it (didn't even know that).
I'm closing this since it would remove a very nice (hidden) feature.
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2014-06-13 12:03:52 |
Is #3770 still valid though?
Matt Thomas
203.632.9322
http://betweenbrain.com/
Sent from mobile. Please pardon any typos or brevity.
On Jun 13, 2014 8:03 AM, "Thomas Hunziker" notifications@github.com wrote:
—
Reply to this email directly or view it on GitHub
#3769 (comment).
Thanks
Matt Thomas
203.632.9322
http://betweenbrain.com/
Sent from mobile. Please pardon any typos or brevity.
On Jun 13, 2014 8:14 AM, "Thomas Hunziker" notifications@github.com wrote:
Is #3770 #3770 still valid
though?It behaves the same as 3.3, creating a random password when left empty.
Just tested as well [image:]
—
Reply to this email directly or view it on GitHub
#3769 (comment).
The issue is that if a random password is generated but one has also set the User Joomla plugin to NOT send the account credentials to the new user, then the password is unknown
| Status | Closed | ⇒ | New |
| Status | New | ⇒ | Closed |
| Closed_Date | 2014-06-13 12:03:52 | ⇒ | 2014-06-14 06:24:51 |
Closing, this is taken into account in the model...
@infograf768 wrote:
The issue is that if a random password is generated but one has also set the User Joomla plugin to NOT send the account credentials to the new user, then the password is unknown
Agreed that doesn't make sense, but then password reset feature can still be used by the new member (could be part of a mail sent to him separately). It would make sense to fix that behavior bug due to that new feature of the plugin, e.g. require password only in that case, or still send the credentials if password left blank.
And maybe to clarify the information text for the password field (e.g. "leave blank for random password emailed to the new user"), so it's not a "hidden nice feature anymore" 
Nevermind, as taken in account in model already, all ok. Can be left closed.
Am I mislead here, or isn't the password still automatically generated when the field is left empty in the backend (it was the case in earlier Joomla versions, and i'm 99% sure it still is in latest Joomla) ?
This has the double brilliant advantages that:
Thus I believe that this change is not an improvement, security-wise.
Best Regards