How can an Admin Change a User's Password?

In a real-life scenario, users tend to forget their passwords, and contact the admin to help reset them. It appears the policy in OpenMRS 2.3 is for the admin to NOT be able to set a user’s password, beyond the initial account creation. See the discussion the developers had about this here…

What is the proper workflow for changing a user’s password when they forget it? The user can’t change their password, unless they know the current password. So, the check-box to “Force Password Change” isn’t going to be helpful in this use-case.

The workaround for this would be to retire the current user account, and create a new one? When I try to do that, I get an error in the UI, because the username already exists.

What is the proper workflow for changing a user’s password when they forget it? Should we have a way for the admin to change user passwords?

We certainly should allow an admin to set a user’s password until we have a solution in place for the issue James describes above, which would be a blocker for me if I was using the reference app.

We should never allow an admin to set a user’s password, but we need to allow a user to be able to set a new password in case they have forgotten it. And as James said, you can still set it from the legacy UI.

3 Likes

How would a user set a new password if they’ve forgotten their password and the answer to their challenge question? I agree with the intent of @sunbiz’s comment on why we shouldn’t allow an admin to set a password; however, until we have support for emailing temporary password reset links and/or two-factor authentication support, I don’t see any other option. I would expect password resets to be a common need for any admin.

Since there is a workaround (using the legacy UI), I don’t think this needs to block the release of Reference Application 2.3. But it would be an important feature request for the new Admin UI module.

3 Likes

+1 to both of @burke’s points:

  1. this doesn’t need to block the Reference Application 2.3 release, since there is a workaround.
  2. In real life people will forget their passwords, and admins will need to be able to reset them.

My suggestion is that:

  • resetting a password should generate a new random password and display it on the screen so that the administrator can communicate it to the user
  • later we can replace “display it on the screen…” with “email it to the user’s configured email address”
  • this should set the “need to change password” flag
  • resetting a password should be logged

In this model we can’t fully protect from a malicious admin user, but it feels like the right tradeoff. (Eventually, once we support users having email addresses, and we can notify the user via email when their account is modified, then you’ll have some protection from a malicious admin, but for now a bit of logging is the best we can do.)

@arbaughj had already created a ticket here:

I had closed it, but I will reopen it with a fixVersion of the next release rather than this one. (@wyclif, if you ever create a JIRA project for the Admin UI module, this should be moved there.)

3 Likes
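The reset flow proposed in the post above (random password shown once to the admin, "need to change password" flag set, reset logged), as an added example that is not from the thread or from OpenMRS code. `Account`, `resetPassword` and `auditLog` are hypothetical names, and PBKDF2 with these parameters is an assumption chosen for the sketch.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration; Account, resetPassword and auditLog are hypothetical, not OpenMRS classes.
public class AdminPasswordReset {
    // No 0/O or 1/l/I: the admin has to read the value off the screen to the user.
    static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789";
    static final SecureRandom RNG = new SecureRandom();
    static final List<String> auditLog = new ArrayList<>();

    static class Account {
        final String username;
        byte[] salt, passwordHash;        // only the salted hash is kept
        boolean forcePasswordChange;
        Account(String username) { this.username = username; }
    }

    static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Returns the temporary password so the caller can display it once.
    static String resetPassword(String admin, Account target) throws Exception {
        StringBuilder temp = new StringBuilder();
        for (int i = 0; i < 16; i++) {
            temp.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        target.salt = new byte[16];
        RNG.nextBytes(target.salt);
        target.passwordHash = hash(temp.toString().toCharArray(), target.salt);
        target.forcePasswordChange = true;   // user must pick their own password at next login
        // Log who reset whose password and when, never the password itself.
        auditLog.add(Instant.now() + " PASSWORD_RESET by=" + admin + " for=" + target.username);
        return temp.toString();
    }

    public static void main(String[] args) throws Exception {
        Account user = new Account("nurse1");  // constructed sample account
        System.out.println("Temporary password (shown once): " + resetPassword("admin", user));
        System.out.println("forcePasswordChange = " + user.forcePasswordChange);
        auditLog.forEach(System.out::println);
    }
}
```

The audit entry records the acting admin, the target account and the time, which is what lets a later review spot resets the user never asked for.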

I would like to work on this ticket “RA-931”. Because I’m new in this project, I have questions and would like to confirm before starting development:

  • So far, if a user forgets the password, the user can click “I forgot my password” to answer a private question and generate a new password. But for this ticket, we would like to have another way for the Administrator to generate a new password for a specific user. Do I understand correctly?

  • In addition, so far a user can register without an email address. After password re-generation, how can the Administrator notify the user?

Please kindly help suggest and feedback. Thank you very much.

@whitehsu thanks for having the desire to take this on! :smile:

In the legacy/old user interface, the administrator can just edit an existing user account to set a new password, as you can see here: http://demo.openmrs.org/openmrs/admin/users/user.form?userId=4. This is the workaround which made this not become a blocker. Clicking “I forgot my password” will not work in cases where the user forgot the answer to their challenge question.

This ticket is about the administrator clicking a reset button for the new reference application user interface at http://demo.openmrs.org/openmrs/adminui/systemadmin/accounts/account.page?personId=4 to have a random password generated and displayed on the screen for the user to use for login, and after which they will be forced to change it to a password of their choice.

As for the user email address, this is out of the scope for this ticket. You only need to create a ticket for it. Take a second look at the “Acceptance Criteria”, as spelled out on the ticket, for what you exactly need to do!

@dkayiwa

Thanks for your kind reply!!

I’m just starting to study but have encountered a problem. I guess this is a stupid question, but I still need your suggestion.

For the 1st step, I’m trying to modify the login page but find my updates will always be restored after starting the web server. For example, after launching the web server via the command “mvn jetty:run”, I modify the “I forgot my password” link with the “TEST” string as below:

Then refreshing page we can find the updated URL:

Next, I use “Ctrl + C” to terminate the web server and launch it again with the command “mvn jetty:run”. After a while, the content of [login.jsp] will be restored back to the original automatically:

Because my updates will be always restored back after launching web server, I cannot keep my updates and development. I guess there may be .java servlet file to re-write the content of this .jsp file. However, after many searches, I cannot find this .java or related file. So may you kindly help guide me where and how we determine the contents of these .jsp files? Or did I study incorrectly? And is there any material I may need to refer to?

Sorry for this stupid question. Please kindly help feedback and suggest. Thank you very much.

That one is automatically overwritten whenever openmrs runs. The source of modules is a folder named “modules” in the application data folder. You may want to look at some of this: https://ssmusoke.com/2015/09/24/openmrs-module-development-learnings-102/

@dkayiwa Sorry, I don’t understand… So how should I “turn off” the automatic overwriting feature? Or what should I do next? I’m currently blocked and do not know how to develop further… :disappointed_relieved:

@whitehsu, a few points:

  1. You should not be looking at the legacy UI here (but that’s what you have included in your screenshot). Instead you want to get the reference application, i.e. the thing that looks visually like what you see on demo.openmrs.org.
  2. You should not be editing code underneath openmrs/webapp/src/main/webapp/WEB-INF/view/module/… Files are copied here when you deploy an OpenMRS module, but that is not the location of the source code. Instead, you should read about using the OpenMRS SDK to set up and run a server that is running the Reference Application distribution.
  3. The codebase that you need to check out is openmrs-module-adminui. That’s where you need to add the button, and add a new page.

Good luck!

@darius @dkayiwa

Thanks for your kind reply. I’ve tried to set up new environment as your guidance. Therefore, I’ve followed the instruction among the following webpage to set up OpenMRS SDK: https://wiki.openmrs.org/display/docs/OpenMRS+SDK

However, I’ve always encountered the database connection issue, even though I’m very sure my input user/password of the database should be correct:

May you kindly help me check what’s wrong with my setup? Here’re my steps to build SDK:

  1. Firstly, after running the mvn setup command, I ran the command “mvn openmrs-sdk:setup” to create server:

    And here’s my input user/password for this server4:

  2. The server seems created successfully:

  3. Launch my local MySQL server, we can find the newly created “server4”, which should also mean the user/password of the database is workable, or this “server4” table won’t be created:

  4. Next, to run the command “mvn openmrs-sdk:create-project” to create project and select option 1: Platform Module:

  5. Then going into the project directory and run the command “mvn clean install openmrs-sdk:run”:

  6. Select server4 and wait until seeing the message “INFO: Starting ProtocolHandler [“http-bio-8080”]”:

  7. And I launch browser to visit the URL http://localhost:8080/openmrs/ but get the error message as below:

  8. Here’s the error logs exported from console: Error Logs.txt (17.9 KB)

I’ve tried for many times with different setup options, but this issue always exists. I’ve tried to use other MySQL users but still encounter the same failure. May you kindly suggest how I should do to resolve this? Any advice will be very appreciated. Thank you very much.

1 Like

@whitehsu this was reported and is now fixed. It happened on MySQL versions from 5.7 and above. So can you try again using the latest SDK and platform release?

@dkayiwa Oh, I got it!! Thanks for information. I’ll try this again on these days. :slight_smile:

@dkayiwa I’ve tried this again but encountered this issue still. I guess I need to remove the older version of OpenMRS firstly and re-setup again. However, after studying the materials of OpenMRS SDK (https://wiki.openmrs.org/display/docs/OpenMRS+SDK), I cannot find any document to mention how to “cleanly” remove all files of OpenMRS, may you kindly help guide me this? Thank you very much.

Deleting the runtime properties file and dropping the database should be all. https://wiki.openmrs.org/display/docs/Overriding+OpenMRS+Default+Runtime+Properties

1 Like

Thanks for reply. But after referring this guide, I find there’s not “runtime.properties” file on my machine. So I can only remove the “openmrs” folder and re-setup SDK again.

However, after following the guide on https://wiki.openmrs.org/display/docs/OpenMRS+SDK#OpenMRSSDK-Setup, I still encounter DB Connection issue:

And on the console, I can find the error message “Unable to find properties file: C:\Users\I312780\openmrs\MyServer01\openmrs-runtime.properties”:

The server log output also mentions this issue:

I go to the directory mentioned and find there’s not this runtime file really:

Then I guess this is the root cause of the DB Connection issue? Because I just follow all steps in the SDK guide, I don’t know what action is missed. May you help feedback and suggest? Or should I provide any other information for troubleshooting? Thank you very much.

P.S. My machine is Windows 10. Not sure if this platform may cause problem?

This means that the user name and password you are providing for a mysql database connection are not correct. Try connecting to MySQL using command line tools or any MySQL GUI to confirm your user name and password combination.

Hi, I am currently working on this project and I’m still trying to understand what the exact requirements are.

So in the reference application I get a login screen like this:

In the application I got when I built from the source code I get a login screen like this:

I am guessing I have to add the new feature to the reference application, not the second one, but they have different behaviors in case of a forgotten password. The first one has “can’t login” instead of “forgot password”, and it gives this when clicked:

And in the second one, clicking “I forgot my password” leads here:

So can anyone please help me and name the exact features you require?

Do I have to merge the two implementations, or do I just have to implement a way to contact the admin from here?

Or is contacting the admin done separately via another medium, and do I just have to implement a way for the admin to reset a user’s password?

The second question is: should an admin be allowed to reset a user’s password only upon the user’s request, or should he be allowed to do so whenever he wants? And how to identify whether a user has requested a password reset if the request is done via another medium, e.g. mail?

This is the same problem I encountered last week… with mysql Ver 14.14 Distrib 5.7.18, for Linux (x86_64) using EditLine wrapper