In a real-life scenario, users tend to forget their passwords, and contact the admin to help reset them. It appears the policy in OpenMRS 2.3 is for the admin to NOT be able to set a user’s password, beyond the initial account creation. See the discussion the developers had about this here…
What is the proper workflow for changing a user’s password when they forget it? The user can’t change their password, unless they know the current password. So, the check-box to “Force Password Change” isn’t going to be helpful in this use-case.
The workaround for this would be to retire the current user account, and create a new one? When I try to do that, I get an error in the UI, because the username already exists.
What is the proper workflow for changing a user’s password when they forget it? Should we have a way for the admin to change user passwords?
We should never allow an admin to set a user’s password, but we need to allow a user to be able to set a new password in case they have forgotten it. And as James said, you can still set it from the legacy UI.
How would a user set a new password if they’ve forgotten their password and the answer to their challenge question? I agree with the intent of @sunbiz’s comment on why we shouldn’t allow an admin to set a password; however, until we have support for emailing temporary password reset links and/or two-factor authentication support, I don’t see any other option. I would expect password resets to be a common need for any admin.
Since there is a workaround (using the legacy UI), I don’t think this needs to block the release of Reference Application 2.3. But it would be an important feature request for the new Admin UI module.
This doesn’t need to block the Reference Application 2.3 release, since there is a workaround.
In real life people will forget their passwords, and admins will need to be able to reset them.
My suggestion is that:
resetting a password should generate a new random password and display it on the screen so that the administrator can communicate it to the user
later we can replace “display it on the screen…” with “email it to the user’s configured email address”
this should set the “need to change password” flag
resetting a password should be logged
In this model we can’t fully protect from a malicious admin user, but it feels like the right tradeoff. (Eventually, once we support users having email addresses, and we can notify the user via email when their account is modified, then you’ll have some protection from a malicious admin, but for now a bit of logging is the best we can do.)
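The reset flow proposed above (random password shown once, "need to change password" flag set, reset logged), sketched as an added example that is not part of the thread or of OpenMRS code. `UserStore` and its methods are hypothetical, and the in-memory dictionary stands in for a real user table.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Look-alike characters (0/O, 1/l/I) are left out because the admin relays the value by hand.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:
    """Hypothetical in-memory account store; not an OpenMRS API."""
    def __init__(self):
        self.users = {}      # username -> {"salt", "hash", "must_change"}
        self.audit_log = []  # append-only list of reset events

    def _set(self, username, password, must_change):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt),
                                "must_change": must_change}

    def add_user(self, username, password):
        self._set(username, password, must_change=False)

    def check_password(self, username, password):
        u = self.users[username]
        return hmac.compare_digest(u["hash"], _hash(password, u["salt"]))

    def admin_reset(self, admin, username):
        """Random password, force-change flag, audit entry; returns the password once."""
        if username not in self.users:
            raise KeyError(username)  # nothing is logged or changed for unknown users
        temp = "".join(secrets.choice(ALPHABET) for _ in range(14))
        self._set(username, temp, must_change=True)
        # The log records who reset whose password and when, never the password itself.
        self.audit_log.append({"event": "PASSWORD_RESET", "by": admin, "target": username,
                               "at": datetime.now(timezone.utc).isoformat()})
        return temp

    def change_password(self, username, old, new):
        """User replaces the temporary password; success clears the force-change flag."""
        if not self.check_password(username, old):
            return False
        self._set(username, new, must_change=False)
        return True
```

The admin never chooses the value, and the audit entry is the only record tying the admin to the reset, which is the tradeoff the post describes.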
I would like to work on this ticket “RA-931”. Because I’m new to this project, I have questions and would like to confirm before starting development:
So far, if a user forgets the password, the user can click “I forgot my password” to answer a private question and generate a new password. But for this ticket, we would like to have another way for an Administrator to generate a new password for a specific user. Do I understand correctly?
@whitehsu thanks for having the desire to take this on!
In the legacy/old user interface, the administrator can just edit an existing user account to set a new password, as you can see here: http://demo.openmrs.org/openmrs/admin/users/user.form?userId=4.
This is the workaround which kept this from becoming a blocker.
Clicking “I forgot my password” will not work in cases where the user forgot the answer to their challenge question.
As for the user email address, this is out of the scope for this ticket. You only need to create a ticket for it.
Take a second look at the “Acceptance Criteria”, as spelled out on the ticket, for exactly what you need to do!
I’m just starting to study but have encountered a problem. I guess this is a stupid question, but I still need your suggestions.
For the 1st step, I’m trying to modify the login page but find my updates are always restored after starting the web server. For example, after launching the web server via the command “mvn jetty:run”, I modify the “I forgot my password” link with a “TEST” string as below:
Because my updates are always restored after launching the web server, I cannot keep my updates and development. I guess there may be a .java servlet file that rewrites the content of this .jsp file. However, after many searches, I cannot find this .java or related file. So could you kindly help guide me on where and how we determine the contents of these .jsp files? Or did I study incorrectly? And is there any material I may need to refer to?
Sorry for this stupid question. Please kindly give feedback and suggestions. Thank you very much.
You should not be looking at the legacy UI here (but that’s what you have included in your screenshot). Instead you want to get the reference application, i.e. the thing that looks visually like what you see on demo.openmrs.org.
You should not be editing code underneath openmrs/webapp/src/main/webapp/WEB-INF/view/module/… Files are copied here when you deploy an OpenMRS module, but that is not the location of the source code. Instead, you should read about using the OpenMRS SDK to set up and run a server that is running the Reference Application distribution.
The codebase that you need to check out is openmrs-module-adminui. That’s where you need to add the button, and add a new page.
I’ve tried many times with different setup options, but this issue always exists. I’ve tried to use other MySQL users but still encounter the same failure. Could you kindly suggest what I should do to resolve this? Any advice will be much appreciated. Thank you very much.
I’ve tried this again but still encountered this issue. I guess I need to remove the older version of OpenMRS first and set it up again. However, after studying the materials of OpenMRS SDK (https://wiki.openmrs.org/display/docs/OpenMRS+SDK), I cannot find any document that mentions how to “cleanly” remove all files of OpenMRS. Could you kindly help guide me on this? Thank you very much.
Then I guess this is the root cause of the DB Connection issue? Because I just followed all the steps in the SDK guide, I don’t know what action I missed. Could you give feedback and suggestions? Or should I provide any other information for troubleshooting? Thank you very much.
P.S. My machine is Windows 10. Not sure if this platform may cause a problem?
This means that the user name and password you are providing for a mysql database connection are not correct. Try connecting to MySQL using command line tools or any MySQL GUI to confirm your user name and password combination.
I am guessing I have to add the new feature to the reference application, not the 2nd one, but they have different behaviors in case of a forgotten password. The first one
“can’t login” instead of forgot password
and it gives this when clicked
Or is contacting the admin done separately via another medium, and do I just have to implement a way for the admin to reset a user’s password?
The second question is: should an admin be allowed to reset a user’s password only upon the user’s request, or should he be allowed to do so whenever he wants? And how to identify whether a user has requested a password reset if the request is done via another medium, e.g. mail?