Bug #105990

open

Backend editors automatically copy passwords

Added by Lina Wolf 13 days ago. Updated 10 days ago.

Status: New
Priority: Should have
Assignee: -
Category: Backend User Interface
Target version: -
Start date: 2025-01-26
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 13
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

When a backend editor copies a backend user record, the user's password is automatically copied as well.

This could lead to large numbers of frontend users having the same initial password.

I would suggest that the password is cleared or a random one assigned and that password fields in general are not copyable (just like unique fields will be altered on copy paste).

Actions #1

Updated by Torben Hansen 12 days ago

I do not agree on clearing or changing the password to a random value on copy, because this is unexpected behavior for a copy-process and there may be valid use cases, where also password hashes are expected to be copied from one site to another.

Actions #2

Updated by André Buchmann 10 days ago

I agree with Torben on this. A copy is a copy.

However, on project level this could maybe be handled with some DataHandler hook, which generates a new password.

I've just done something similar by setting the password field to "passthrough" and generating a random password for new users:

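    use TYPO3\CMS\Core\Crypto\Random;
    use TYPO3\CMS\Core\DataHandling\DataHandler;
    use TYPO3\CMS\Core\Exception\InvalidPasswordRulesException;
    use TYPO3\CMS\Core\Utility\GeneralUtility;

    // Method of a DataHandler hook class
    public function processDatamap_postProcessFieldArray(string $status, string $table, $id, array &$fieldArray, DataHandler $dataHandler): void
    {
        // Only frontend user records are handled
        if ($table !== 'fe_users') {
            return;
        }

        // Only newly created records get a generated password
        if ($status === 'new') {
            $random = GeneralUtility::makeInstance(Random::class);
            try {
                $fieldArray['password'] = $random->generateRandomPassword(['length' => 32, 'specialCharacters' => true]);
            } catch (InvalidPasswordRulesException $e) {
                // Exception is ignored; the password field is left as submitted
            }
        }
    }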

Background: I don't want the editor to send the feuser password to the user. They should use the pw-recovery to set a new password. I might add a "send welcome mail" button to the backend to trigger a notification to the user to set a new password himself.
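
A check for the situation described in this issue, as an added example that is not part of the thread or of TYPO3: it lists user records whose stored password hash is identical, which with salted hashes happens only when the hash string itself was copied. It assumes the standard `uid`, `username`, `password` and `deleted` columns; the in-memory SQLite table, its rows and the shortened hash strings are constructed sample data.

```python
import sqlite3
from collections import defaultdict

def shared_password_hashes(conn, table="fe_users"):
    """Return lists of usernames whose stored password hash is identical."""
    if table not in ("fe_users", "be_users"):
        raise ValueError("unexpected table name")
    rows = conn.execute(
        f"SELECT username, password FROM {table} "
        "WHERE deleted = 0 AND password <> '' ORDER BY uid"
    )
    groups = defaultdict(list)
    for username, pw_hash in rows:
        groups[pw_hash].append(username)
    # Salted hashes differ even for equal passwords, so an exact
    # duplicate means the value was copied from another record.
    return [users for users in groups.values() if len(users) > 1]

def build_sample_db():
    """Constructed sample data; hash strings are shortened placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fe_users (uid INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, deleted INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO fe_users (uid, username, password, deleted) "
        "VALUES (?, ?, ?, ?)",
        [
            (1, "template_user", "$argon2i$placeholder-A", 0),
            (2, "alice", "$argon2i$placeholder-A", 0),   # copied record
            (3, "bob", "$argon2i$placeholder-A", 0),     # copied record
            (4, "carol", "$argon2i$placeholder-B", 0),   # own password
            (5, "old_copy", "$argon2i$placeholder-A", 1),  # deleted, ignored
            (6, "no_password", "", 0),                   # empty, ignored
        ],
    )
    return conn

if __name__ == "__main__":
    for users in shared_password_hashes(build_sample_db()):
        print("shared hash:", ", ".join(users))
```
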
