Fix password reset and set functionality #1017
Comments
Related discussion on forum: https://forum.thirtybees.com/topic/3340-customer-password-when-admin-created/
This has been something I have put a bit of thought in over the years. I like your solution, but I would feel like I was not honest if I did not say how I feel. The plain password is easy. It's output before it's hashed into the database. I get that people do not like it, but I think their dislike is unfounded. The truth is once you lose control of your email address it does not matter how a password is reset, someone can reset it. I had an argument with someone on a forum one time about the whole thing. Their idea was that the password is transferred to the user in the email and it could be intercepted. While that is possible, I don't think it is any more likely than someone intercepting the post from your computer to the website when you change your password. That all being said, I like your solution in fixing it, that is pretty much the standard these days for password resets. I would complicate the matter more though... 99% of themes are not going to have this template and it will just break for people. This might be a good time to consider child themes. It would give us more flexibility if the theme was loaded as child->parent->default. That way the default template would always have these views and at least something would load. Since most themes are off of the default theme the classing and structure would likely work out of the box.
This is a fair point, we need some mechanism to display this new template.
Can't we just use the old password recovery tpl and simply name it password recovery 2 with the reset form added? So the email should redirect to password-reset2 and it should be fairly easy to implement this if there's simply a changed form. We can upload this template in the forum for themes that don't get updated for TB. Sending passwords via email is lame and even computer lamers these days know that's very bad.
Handling of customer passwords by the thirtybees platform is not very good. At the moment, there are 3 flows (that I know about), and all of them need to be fixed.
Resetting customer password in front office
Current flow
My Account > My personal information
and change the password again
There are several issues with this flow. The main problem is the plain password -- this is a very unprofessional and naive solution. Another minor issue is the need to check email twice.
Proposed solution
Creating customer from back office
Current flow
When a new customer is created from the back office, the employee must enter a password. There is no automated mechanism to let the customer know about this new password. The employee must manually send it via email, in plain text.
Again, this is very unprofessional. Passwords are sent in clear text via email, and the employee knows the password. Employees also very often generate weak passwords, for example by using the customer's first or last name, email address, etc.
Proposed solution
When a new customer is created from the back office, the employee shouldn't be asked to provide a password. Instead, an email with a link to set the password should be automatically sent to the customer. This would re-use the front-end password reset functionality (see above).
Converting guest to customer
Current flow
ok... I think we can all agree this is just unbelievable. I mean, really?
Proposed solution
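As an added example, not thirtybees code, here is the link-based flow the post argues for (front-office reset and back-office customer creation sharing one mechanism): the server mints a random single-use token, stores only its hash with an expiry, emails the link, and the customer picks the password on the reset page, so no plain password is ever emailed and no employee ever learns it. The in-memory tables, the `shop.example` URL and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed in-memory stand-ins for the customer and reset-token tables (assumption).
CUSTOMERS = {"alice@example.com": {"passwd": None}}
RESET_TOKENS = {}      # sha256(token) -> {"email": ..., "expires": ...}
TOKEN_TTL = 3600       # a reset link is valid for one hour
PBKDF2_ROUNDS = 200_000


def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Step 1: mint a random single-use token, store only its hash, return the link to email."""
    now = time.time() if now is None else now
    if email not in CUSTOMERS:
        return None    # caller shows the same "check your email" page either way
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash_token(token)] = {"email": email, "expires": now + TOKEN_TTL}
    # Only the emailed link carries the raw token; a leaked table cannot be replayed.
    return "https://shop.example/password-reset?token=" + token


def set_password(token, new_password, now=None):
    """Step 2: the customer follows the link and chooses a password; the token is consumed."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_hash_token(token), None)   # pop: one use only
    if entry is None or entry["expires"] < now:
        return False
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
    CUSTOMERS[entry["email"]]["passwd"] = salt.hex() + "$" + digest.hex()
    return True


def check_password(email, password):
    """Login check against the stored salt and PBKDF2 digest, in constant time."""
    stored = CUSTOMERS.get(email, {}).get("passwd")
    if not stored:
        return False
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def create_customer_from_back_office(email, now=None):
    """Back-office flow: no employee-chosen password; the customer gets a set-password link."""
    CUSTOMERS[email] = {"passwd": None}
    return request_reset(email, now)


def token_from_link(link):
    return parse_qs(urlparse(link).query)["token"][0]
```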