How to make Moodle include user passwords in the e-mails it sends?

I'm looking for a way to make Moodle 2.9 include user passwords in the introductory e-mails it sends upon manual upload of CSV table with new user data.
So far it is sending introductory e-mails with text that is set up in the local_welcome plugin that is configurable via
Plugins/Local Plugins/Moodle welcome
This text contains fields such as [[username]], [[fullname]] which get replaced by the actual values, but no such field as [[password]].
I have tried including both [[password]] and {$a->newpassword} in the text but neither works, Moodle does not replace these strings with the actual password; these strings are sent verbatim instead. This happens irrespective of whether the passwords are uploaded via the CSV or generated.
So far I had no luck finding a solution to this on the web. The official help page on this function is unfortunately empty:
https://docs.moodle.org/29/en/admin/setting/local_welcome
Strangely enough, when I create just one user by hand in Moodle via
Users/Add a new user,
the e-mail it sends to the user is not that from plugin local_welcome. A string defined somewhere in the moodle php files is used. This contains string {$a->newpassword} and it works as expected; the user obtains both username and password.
How do I make bulk upload behave similarly? I'm looking for any doable way to make this work. If my question is not clear, please ask in the comments.

Sending a plain password over email is not secure; that's why Moodle prevents it. While uploading user records you can follow these steps:
enable Generate password and notify user.
or,
set your own password and enable Force password change.

It depends on configuration of bulk upload
Password field: (...) If omitted, a password will be generated for
each user (during the next Cron job) and welcome e-mails sent out.
https://docs.moodle.org/29/en/Upload_users#Fields_that_can_be_included

Just update all existing users with the same password using a CSV file. Then use Moodle welcome to send a bulk email with their different user names using [[username]], and then type the default password you chose in the CSV. And it is better to force a password change after first login.

Related

Can you send a link to the specific page where a user resets their password via Keycloak's API?

We have a PHP/MySQL based User Management System and are integrating it with Keycloak version 16 where we will store users credentials.
Our application does not allow users to self register. We create user accounts on the system. When we do this we do NOT specify a password because we want users to set up their own password.
The current system sends 2 separate emails in 2 different circumstances regarding passwords:
If it's a completely new user who does NOT have an existing password, we send them a link to set up a password.
If it's an existing user who already has a password, the system allows them to reset it, e.g. if they forget their password and can't login.
Keycloak seems to cater for scenario (2) because the login forms have a forgotten password link which opens a form where the user can enter their email address and receive a link which lets them do (2).
Unfortunately it doesn't deal with scenario (1) very well and that's where our problem starts. This was asked a while ago ("Send password forgotten mail") but it seems that Keycloak didn't support this very well in 2020 and perhaps still doesn't now.
Our "workaround" to this was that we added custom email templates and a custom page (reference: Themes on https://www.keycloak.org/docs/latest/server_development/#emails) which includes wording that caters for both scenarios, e.g. "set your password" rather than "reset your (existing) password". The result of this is that our email and form now reads appropriately for both scenarios (1) and (2).
The problem
We want to be able to send a link to the user that allows them to set their initial password to cover scenario (1).
We know that this page exists because on the login page for Keycloak there is a link to the forgotten password form that handles scenario (2). However, the form requires the user to enter their email address and submit the form. The user then receives an email from Keycloak which contains a URL to the page where they can do this. The URL has the following format:
https://example.com/auth/realms/foo/login-actions/action-token?key=...
The key= contains a ~945 character token. Going to the URL above redirects to the form where the user can reset their password. This next URL does not contain a token but a cookie has been set in the browser - by the previous URL - which makes it functional:
https://example.com/auth/realms/foo/login-actions/required-action?execution=UPDATE_PASSWORD
We can't send either of these URLs to the user because the first one (containing key=) has no API method for us to find out what it is - it's only possible to generate this by going through the "forgotten password" step during login, in the browser.
The second URL (/login-actions/required-action...) won't work either because it relies on the previous URL (containing key=) setting the cookie in the browser. If you try and go to this second URL directly (i.e. bypassing the first URL) it will error.
So neither of these URLs will work because we can't find what the first one is programmatically, and we can't use the second one without knowing the first one.
I found https://lists.jboss.org/pipermail/keycloak-user/2018-October/015910.html and the suggestion is using the Keycloak API to trigger a password reset email. This works - sending an HTTP PUT request containing 'UPDATE_PASSWORD' along with the relevant user ID sends the user an email. The request endpoint has the format PUT /{realm}/users/{id}/execute-actions-email which is documented on the link above.
Up to here all is fine - the user gets an email. However, this email does NOT contain a link that goes directly to the "reset password" page! Instead it sends them an email containing the following text:
Your administrator has just requested that you update your account by performing the following action(s): Update Password. Click on the link below to start this process.
Link to account update
When the user clicks "Link to account update" it then shows them a web page like this:
It is only when they click on the link on this page (the one that says "click here to proceed" on the screenshot) that they arrive at the form where they can reset their password.
This is a really poor user experience because the user gets sent a (badly worded) email with a link to... a page with another link! It should just take them to the password reset page directly. What's more frustrating is the fact that Keycloak is clearly capable of generating/sending the exact email we'd like in this scenario: the one which gets sent when a user manually does a password reset via their browser.
So the problem seems that Keycloak's API doesn't support this incredibly important and common use-case of a user being able to set an initial password, in a user-friendly manner.
I am adding a JS script in the template to automatically click "click here to proceed". It's ugly but at least the user doesn't see the page.

How can I implement custom code to be called from an email?

I am using a custom Parse server hosted on Heroku.
My overall goal is for a unique PFUser to be created through someone clicking a button or an activation link in an email.
I have figured out how to send emails using Send Grid, however I have no idea how to make a custom button or link in the email that will execute some unique code.
My ideal work flow is:
User inputs unique username and password then clicks sign up
An email is sent to the user's email with a button or a link
Once they click the button or link, somehow unique code is executed which signs up a new PFUser using the username and password that the user originally inputted.
I know how to do the first two steps, but have no idea how to execute the unique code from an email.
How is executing unique code from an email usually done? I have read something about tokens being used?
Could someone please outline for me how this process works and where I can go to learn all about executing unique code from emails?
Thanks, I appreciate all the help!
Code is never executed from email because it is a severe security risk.
To implement something like you're describing, you would send an email to the new user with a unique link to a web page like http://yoursite.com/confirmation/?id=some_unique_id_like_a_UUID
Then you write the web page (at http://yoursite.com/confirmation/) to read that id value and then do the action that "signs up a new PFUser using the username and password that the user originally inputted."

Password reset via mail

I am doing a web application using Eclipse EE. I have a module which is supposed to reset user passwords and sends the user (via email) a link to a page where they can reset the password. Any insights please?
The main steps would be:
Provide a "forgot password" page where the user can enter her email address
Look up the entered address but don't tell the user any details. Don't output a message like "email address not found" as it would allow a malicious user to look up valid email addresses. Better give them a message like "you'll receive a link to reset your password if the entered email address is registered".
Create a strong unique random identifier to associate with that reset-request. E.g. use a cryptographically secure RNG provided by the framework and combine it with something unique like e.g. a GUID.
Store that unique identifier along with that reset-request in e.g. a table in your database and put a timestamp to that record. That's important as you'd want the user to be only able to reset her password within a fixed time frame.
Send an email with that unique identifier put as a query parameter in a link to your application. E.g. https://yourapp.com/pwreset/?requestID=7392af1747ce3781
Fetch the requestID parameter at your pwreset-controller and look it up in your database. If the request comes in within a reasonable time frame based on the initial request timestamp, then let the user reset her password.
Delete successful request-records from your database, so that a sent pw reset link can only be used once. And periodically delete expired records.
Use this as a starting point. As I'm no crypto expert, you may want to have a look at this approach ;)
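The steps in the answer above, as an added Python example that is not part of the original answer; the same pattern serves the confirmation-link answer to the Parse question earlier on this page. The ResetStore class, the 30-minute window and storing only a SHA-256 hash of the token are assumptions of this example: the answer stores the identifier itself and names no specific time limit.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumed window; the answer only says "fixed time frame"
GENERIC_REPLY = ("You'll receive a link to reset your password "
                 "if the entered email address is registered.")


class ResetStore:
    """In-memory stand-in for the reset-request table (hypothetical schema)."""

    def __init__(self, registered_emails, now=time.time):
        self.registered = set(registered_emails)
        self.requests = {}  # sha256(token) -> (email, created_at)
        self.outbox = []    # (email, link) pairs a mailer would send
        self.now = now

    def request_reset(self, email):
        """Create and mail a token; the reply never reveals if the address exists."""
        if email in self.registered:
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            digest = hashlib.sha256(token.encode()).hexdigest()
            # Only the hash is stored, so a leaked table yields no usable links.
            self.requests[digest] = (email, self.now())
            link = "https://yourapp.com/pwreset/?requestID=" + token
            self.outbox.append((email, link))
        return GENERIC_REPLY

    def redeem(self, token):
        """Return the email for a valid, unexpired token and consume the record."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self.requests.pop(digest, None)  # pop makes the link single-use
        if record is None:
            return None
        email, created_at = record
        if self.now() - created_at > TOKEN_TTL_SECONDS:
            return None
        return email

    def purge_expired(self):
        """Periodic cleanup of requests that were never redeemed."""
        cutoff = self.now() - TOKEN_TTL_SECONDS
        stale = [d for d, (_, ts) in self.requests.items() if ts < cutoff]
        for d in stale:
            del self.requests[d]
        return len(stale)
```

Only after redeem() returns an email should the controller show the new-password form for that account.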

Is it possible to manipulate the database through mail in oracle apex?

I was having a similar problem to the one mentioned in the link below, Select and Display the table in oracle APEX mail body. I followed the mentioned steps and it worked!
Now I just want to extend the same question: is it possible to manipulate the database through a click on a button in the mail?
If I create the HTML button APPROVE, it should be able to manipulate a database table.
Suppose, APPROVE performs delete operation: delete ename from emp where dno=10.
VERSION : ORACLE APEX 4.2
If you are sending an HTML email to a user and you want that user to interact with the system from the email, you could generate an HTML form that submits to a particular URL (some APEX page with some set of parameters) that actually implements the DELETE.
Assuming that the client email application would allow the user to submit a form, which would generally be a security issue and would probably not be possible from some clients, you'd probably have security issues to worry about on the server side. I'd assume, for example, that you don't want to allow any random person that works out the URL to call to be able to delete whatever row you want from your system. You probably want to require that someone is logged in before you'd allow them to delete a row. And you probably want to make sure that they have permission to delete that particular row.
It's certainly possible that you could work around both the client and the server side permission issues by doing something like creating a unique token that expires after a short period of time and gets passed in with the form to verify that the user has permission to delete that particular row. But by the time you're building that sort of infrastructure or sending users to a login page, you're probably better off just creating links in your email that point to a page in your application and letting users go there to request the actual delete. That's going to work more reliably than a form that submits a request and it will probably involve less work for you.
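The short-lived token idea from the answer above, as an added Python example (not APEX or PL/SQL code and not part of the original answer): an HMAC-signed token bound to one user, one action and one row. The function names, the field layout, the 15-minute default and the key are assumptions of this example.

```python
import hashlib
import hmac
import time

# Constructed placeholder key; a real deployment loads it from a secret store.
SECRET_KEY = b"constructed-demo-key"


def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, action, row_id, ttl=900, now=None):
    """Build 'user|action|row|expires|signature' for embedding in the mail link."""
    fields = [str(user), str(action), str(row_id)]
    if any("|" in f for f in fields):
        raise ValueError("field contains the delimiter")  # blocks field smuggling
    issued = time.time() if now is None else now
    payload = "|".join(fields + [str(int(issued + ttl))])
    return payload + "|" + _sign(payload)


def verify_token(token, session_user, action, row_id, now=None):
    """True only if the token is authentic, unexpired and matches this request.

    session_user is the user the server has already authenticated; the token
    narrows what that user may do and does not replace the login.
    """
    parts = token.split("|")
    if len(parts) != 5:
        return False
    payload = "|".join(parts[:4])
    # Constant-time comparison on bytes; check the signature before parsing.
    if not hmac.compare_digest(_sign(payload).encode(), parts[4].encode()):
        return False
    if parts[:3] != [str(session_user), str(action), str(row_id)]:
        return False
    current = time.time() if now is None else now
    return current <= int(parts[3])
```

A signed token like this can be replayed until it expires, so a destructive action should also record used tokens or be safe to repeat.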

Log user name and password to text file from form

We have a very old client that is having problems trying to log in to a website. At the moment we think the user is not entering a correct username.
The site is in ASP. Does anyone have any code that I could borrow that would be able to log and write down what's posted and then post that user name and password to the normal submit function?
Send the old client an email asking him what his username is. He'll probably mistype it in his reply the same way he mistypes it in the web form.
Give him a call, and tell him to spell out each letter/keystroke as he tries to log in.