Bug #105990
Backend editors automatically copy passwords
Status: open
Description
When a backend editor copies a backend user record, the user's password is automatically copied as well.
This could lead to large numbers of frontend users having the same initial password.
I would suggest that the password is cleared or a random one assigned and that password fields in general are not copyable (just like unique fields will be altered on copy paste).
Updated by Torben Hansen 12 days ago
I do not agree on clearing or changing the password to a random value on copy, because this is unexpected behavior for a copy process and there may be valid use cases where password hashes are also expected to be copied from one site to another.
Updated by André Buchmann 10 days ago
I agree with Torben on this. A copy is a copy.
However, on project level this could be handled with some DataHandler hook, which generates a new password.
I've just done something similar by setting the password field to "passthrough" and generating a random password for new users:
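    // Imports required by the hook class:
    use TYPO3\CMS\Core\Crypto\Random;
    use TYPO3\CMS\Core\DataHandling\DataHandler;
    use TYPO3\CMS\Core\Exception\InvalidPasswordRulesException;
    use TYPO3\CMS\Core\Utility\GeneralUtility;

    public function processDatamap_postProcessFieldArray(string $status, string $table, $id, array &$fieldArray, DataHandler $dataHandler): void
    {
        // Only frontend user records are handled.
        if ($table !== 'fe_users') {
            return;
        }
        // New record: set a random 32-character password.
        if ($status === 'new') {
            $random = GeneralUtility::makeInstance(Random::class);
            try {
                $fieldArray['password'] = $random->generateRandomPassword(['length' => 32, 'specialCharacters' => true]);
            } catch (InvalidPasswordRulesException $e) {
                // Invalid rules: the password field is left as it was.
            }
        }
    }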
Background: I don't want the editor to send the feuser password to the user. They should use the pw-recovery to set a new password. I might add a "send welcome mail" button to the backend to trigger a notification to the user to set a new password himself.
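
One way to apply the project-level hook idea from the comments to the copy case itself, as an added example that is not part of the original thread or of TYPO3 core: a DataHandler command hook that replaces the password hash of every `fe_users` record created by a copy command, including users copied along with a page. The namespace and class name are hypothetical, and the example assumes the password is then set by the user through password recovery.

```php
<?php
declare(strict_types=1);

namespace Vendor\Example\Hooks; // hypothetical namespace

use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
use TYPO3\CMS\Core\Crypto\Random;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\DataHandling\DataHandler;
use TYPO3\CMS\Core\Utility\GeneralUtility;

// Hypothetical hook class. Register it in ext_localconf.php under
// $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processCmdmapClass'][]
final class ResetPasswordOnCopy
{
    public function processCmdmap_postProcess(
        string $command,
        string $table,
        $id,
        $value,
        DataHandler $dataHandler
    ): void {
        if ($command !== 'copy') {
            return;
        }
        // For the current command DataHandler keeps "source uid => uid of the copy"
        // per table, so users copied as children of a page are covered as well.
        $copiedUsers = $dataHandler->copyMappingArray['fe_users'] ?? [];
        if ($copiedUsers === []) {
            return; // nothing was copied, or the copy was denied
        }
        $random = GeneralUtility::makeInstance(Random::class);
        $hasher = GeneralUtility::makeInstance(PasswordHashFactory::class)
            ->getDefaultHashInstance('FE');
        $connection = GeneralUtility::makeInstance(ConnectionPool::class)
            ->getConnectionForTable('fe_users');
        foreach ($copiedUsers as $newUid) {
            // Throwaway secret per record: it is never shown to anyone, so each
            // copy gets its own hash and the user has to set a password themselves.
            $hash = $hasher->getHashedPassword($random->generateRandomHexString(64));
            // Direct update, so the reset does not run through DataHandler again.
            $connection->update('fe_users', ['password' => $hash], ['uid' => (int)$newUid]);
        }
    }
}
```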