User Registration Email - Sends Password when set to NO

[K2Joom]

Steps to reproduce the issue

Joomla Users Parameters
Allow Registration = No
New User Registration Group = Registered
Send Password = No
New User Account Activation = Self

Expected result

Admin creates User Account via backend.
Email sent to User with Activation Link and NO password

Actual result

Email sent to User with NO Activation link and a password

System information (as much as possible)

Joomla 3.5.1

Additional comments

More tests to follow

[K2Joom]

Setup a clean install via CloudAccess.

Update install to 3.5.1
Configure User Parameters
Allow Registration = No
New User Registration Group = Registered
Send Password = No
New User Account Activation = Self

Create new user via backend and save.

User email received:

Hello TestUser,

You have been added as a User to Your Joomla! Site hosted with CloudAccess.net by an Administrator.

This email contains your username and password to log in to http://# (address removed)

Username: TestUser
Password: REMOVED

Please do not respond to this message as it is automatically generated and is for information purposes only.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10376.}

[infograf768]

The parameters like "Send Password" set to "No" are NOT used when a user is created in back-end.
Expected behavior.

[K2Joom]

For user accounts created via the frontend, when Allow User Registration = Yes and New User Account Registration = Self, then the user will get an email with no password and an activation link. This is correct

The issue sending of passwords via email, only comes about when an account is created via an admin in the backend.

If Send Password = No, then this should also apply for backend created user accounts?

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10376.}

[infograf768]

Nope. How would the user created in back-end know the username and password which has been created by the admin?

[K2Joom]

The problem is that PLG_USER_JOOMLA_NEW_USER_EMAIL_BODY is used to produce the email sent to the user when admin creates an account.
There is no check for the Send Password parameter.

Suggest edit to the plugin and language value.
Plugin code should check the Send Password parameter in User settings, instead of relying on just the language file?

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10376.}

[infograf768]

Again NO.
I have replied already: the user created in back-end would have NO WAY to know how to login if the password is NOT sent.

[infograf768]

@brianteeman
This should be closed imho

[K2Joom]

The email sent to the user, defined by PLG_USER_JOOMLA_NEW_USER_EMAIL_BODY, contains $s for the username and web address for the site.
Instead of sending the password via email as plain text, then it should be configured to use the web address and advise them to user their email address to reset the password via the activation link.

Hello %s,\n\nYou have been added as a User to ??.\n\nThis email contains your username and details on how to log in.\nTo reset your password, click here: %s\nEnter your email address.\n\nA verification code link will be emailed to you and once you have clicked the verification code link, you will be able to choose a new password for your account.\n\nPlease do not respond to this message as it is automatically generated and is for information purposes only.\n\n

This bypasses sending passwords via email.
This ensures the user resets the password, so admins no longer know what it is.
URL could be could defined as http://www.DOMAINNAME/index.php?option=com_users&view=reset
The user knows their email address, or is can be defined in the email.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10376.}

[K2Joom]

Users do not need to know their username when resetting passwords, only the email address which was used to create the account.

It is just the issue of sending passwords in emails as plain text, which has been addressed for frontend but not for the backend and could be solved with that kind of solution.?

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10376.}

[brianteeman]

We already have the ability to force a password reset on first login

[K2Joom]

True, but just addressing that backend created users, sends an email with the password as plain text.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10376.}

[zero-24]

The reset password feature also send the password in plain text. ;)

You can get that on your custom site with an language override.

[K2Joom]

OK, no problem.
If sending passwords by email in plain text is acceptable then this is not an issue.

Just wondered why if we have ability to disable sending passwords for accounts setup on front end, it isn't adopted for users created by admins, especially if we can force them to reset the password.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10376.}

[sovainfo]

See #10462

[brianteeman]

Closed as we have a PR for testing

[himangi]

I am using Joomla 3.6.2 and the password setting, to decide whether password should be sent to the user created by admin or not doesnt seem to be working. Please tell me the conclusion on this. Have checked the other issues marked in this but didnt find anything that helps me.
Only setting available is in user options (User joomla plugin doesnt have separate option). Since I am using social login, I just want to create users and not send password to them.

[sovainfo]

In j362 there is no such thing as a setting to decide whether password should be sent to the user created by admin. Tried to introduce that twice, but gave up.

You can use https://github.com/joomla/joomla-cms/pull/10990/files to implement it yourself.