Password change is impossible for staff due to old email addresses


#1

Hello,

I am encountering something that is really a show stopper for our very young forum.

First, as mentioned sometimes here, it is obviously not possible for an admin to change some user’s password.
Okay, so then I tried changing the user’s email to another one, so that he may update the password. What happens is that confirm_old_email is sent to the old email, which is unavailable in my current case.

Even when impersonating that user, the behavior is the same: it sends confirm_old_email and, even as admin, the email stays unchanged.

The use case is, for example, what I just encountered: some email address is old/unavailable at present. The server still sends the confirm_old_email message to that old address, which cannot be delivered.

I really wonder why one needs to confirm the old email as an admin, and also why one cannot change users’ passwords directly. At least confirm_old_email should be something that can be turned off.

We’ve got over 10k users from some old forum and I decided not to import the old passwords here, so that case will occur for sure more than once.

PS: The phpBB3 import script with the password import simply did not work, so I skipped this anyway. Sorry, I can’t remember the error, but it was something with the import script from phpBB 3.0 to recent Discourse.


(Jeff Atwood) #2

Note that only staff needs to verify the old email address when changing password. Normal users need to validate the new email address, but due to the security implications of a staff member being compromised, staff must validate both old and new email addresses.

If this is a problem due to old, incorrect migrated account emails then either demote these users from staff to regular users, or edit the “old” email in the database directly as part of the migration, or after the fact.
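The rule described in the reply above, as an added example and not Discourse’s own code: a small Ruby model of the email-change flow in which staff must confirm both the old and the new address while regular users confirm only the new one, plus the demote-change-repromote workaround. The class and method names (`User`, `Mailer`, `EmailChange`, `admin_replace_email`), the template names and the unreachable-mailbox behaviour are this example’s own assumptions.

```ruby
require "securerandom"

# Added example, not Discourse code. Minimal user record; `staff` drives the
# confirmation policy exactly as the reply describes.
User = Struct.new(:username, :email, :staff, keyword_init: true)

# Records every message "sent"; addresses listed in `dead` are unreachable
# mailboxes (the migrated, stale address in the original post).
class Mailer
  attr_reader :sent, :bounced
  def initialize(dead: [])
    @dead = dead
    @sent = []
    @bounced = []
  end

  # Returns true if delivered, false if the mailbox bounces.
  def deliver(to:, template:, token:)
    @sent << { to: to, template: template, token: token }
    return true unless @dead.include?(to)
    @bounced << to
    false
  end
end

# One email-change request. Staff start in :awaiting_old and only move on
# once the token mailed to the OLD address comes back; regular users skip
# straight to :awaiting_new.
class EmailChange
  attr_reader :state, :old_token, :new_token
  def initialize(user, new_email, mailer)
    @user, @new_email, @mailer = user, new_email, mailer
    @old_token = SecureRandom.hex(16)
    @new_token = SecureRandom.hex(16)
    if user.staff
      @state = :awaiting_old
      @mailer.deliver(to: user.email, template: "confirm_old_email", token: @old_token)
    else
      @state = :awaiting_new
      @mailer.deliver(to: new_email, template: "confirm_new_email", token: @new_token)
    end
  end

  # Called when a confirmation link is followed. A wrong or out-of-order
  # token leaves the state untouched; the new-address token cannot skip the
  # old-address step. Returns the resulting state.
  def confirm(token)
    case @state
    when :awaiting_old
      return @state unless secure_equal(token, @old_token)
      @state = :awaiting_new
      @mailer.deliver(to: @new_email, template: "confirm_new_email", token: @new_token)
    when :awaiting_new
      return @state unless secure_equal(token, @new_token)
      @user.email = @new_email
      @state = :done
    end
    @state
  end

  private

  # Constant-time comparison so token checking does not leak by timing.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The workaround from the reply: demote, change the address (now only the
# new mailbox must confirm), then restore the staff flag. Returns the final
# state of the change request.
def admin_replace_email(user, new_email, mailer)
  was_staff = user.staff
  user.staff = false
  change = EmailChange.new(user, new_email, mailer)
  change.confirm(change.new_token) # the reachable new mailbox completes it
  user.staff = was_staff
  change.state
end
```

Run as written, a staff user whose old mailbox is dead stays in `:awaiting_old` no matter which other token is presented, which is the stuck state from the original post; `admin_replace_email` gets the same user to `:done` without ever needing the old mailbox.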


(cpradio) #3

I don’t think this is intended, but I’ve gotten around this scenario by doing the following:

  1. Edit the User’s email address on their public profile preferences page
  2. Go to the Admin > Users page, search for the user to open their Admin User Page
  3. Click Deactivate Account
  4. Click Activate Account
  5. Their email address is now updated. They can use the reset password now and it will send an email to the updated email address.

(Jay Pfaffman) #4

My idea was to remove the staff privileges, change the address, and restore the privilege.

You really don’t want it to be easy for someone to hijack a staff account. It’s not that hard to get around this. In a perfect world, we wouldn’t need locks. They just make things that should be simple a bother.


#5

Hm, okay, I thought this applied to all users, not just to staff.

Thanks for the hint - works fine so far!