emergency client PW reset for admin no longer possible

[cluster]

It has already happened that a customer password has been hacked or the PW somehow got into the hands of an attacker ...
In that case the admin should be able set a new password if necessary to prevent the attacker from reaching the connected server,
this is no longer possible in v8.1 ... if the admin carries out a PW reset the password is not changed as long as the customer confirms the PW reset email. If a customer cannot be reached at this time, this could be a serious security issue for the provider.

In a emergency situation the administrator must be able to change a customer password without the customer having to agree!

Edited February 7, 2021 by cluster

[brian!]

3 minutes ago, cluster said:

In a emergency situation the administrator must be able to change a customer password without the customer having to agree!

you now have to login as the user and change their password directly from the client area.

[bear]

55 minutes ago, brian! said:

you now have to login as the user and change their password directly from the client area

At least it's still possible, though the extra step is silly. 

[cluster]

That does not work!

I can only make a PW change from client area when enter the current PW & the administrator does not know client passwords ....

that's a security problem for an emergency situation and I would call this a highly critical bug!

[brian!]

4 minutes ago, cluster said:

That does not work!

it does. 🙂

5 minutes ago, cluster said:

I can only make a PW change from client area when enter the current PW & the administrator does not know client passwords ....

if you're logged in the admin area, then you can login to the client area without knowing their password - you only need to know their email address and can enter anything as the password to login.

also, there is the "Login As Owner" option from the admin area client profile summary page...

8 minutes ago, cluster said:

that's a security problem for an emergency situation and I would call this a highly critical bug!

i'd call it a pain in the proverbial that it can't be done directly in the admin area.... to be honest, I don't know whether the admin being able to do this in the client area is going to be considered a a bug and prevented in future releases.

[cluster]

yes,  I'm able to login as client, but I can not change the client password because I have to enter the current PW first and below the new one ....

[brian!]

27 minutes ago, cluster said:

yes,  I'm able to login as client, but I can not change the client password because I have to enter the current PW first and below the new one ....

well that's annoying - i'm glad I stopped using this nonsense years ago.

then in an emergency situation, I think you could reset the user's email address (in the admin area) to one that you have access to, initiate the email password reset process, click the link in the email, reset the password and change the email address back.

if you think you're going to have the need for a simpler solution, then you might need to buy the addon in Marketplace.... if WHMCS had written an API to allow a password reset, then this would have been simple, but I don't feel inclined to waste time trying to work out how a user's password is generated internally.

[cluster]

thanks brian!

after the update to 8.11 also a few modules lno longer work ... I'm done with v 8.x. I need to restore my backup to 7.10 ... lost so much time

[cluster]

the module problem was caused by the new chrome browser, it works with firefox, chromium ... probably chrome in the new version blocks JS and Jquery scripts that are used for WHMCS.
This could also explain the problems with the password generator for some customers.

latest Google Chrome
Version 88.0.4324.182

The new password system and many jquery functions are not necessarily compatible with Chrome now ...

I will stay with WHMCS 7.10, also because of the lack of possibility to change the customer passwords and many things in the admin area have become very laborious in v. 8.1

[ScottN]

Just upgraded yesterday and already have a situation where I need to quickly reset the password for the owner of an account.  Incredibly frustrating that this basic feature was removed.  I really do wish that the folks at WHMCS also ran a small hosting company (like cPanel does) so they can see, real world, what web hosting providers need on a daily basis.

- Scott

[cluster]

the PW reset (lost password) function only for customers is OK
...
however, the following things are unacceptable:
- administrator must be allowed to change any customer password directly from the admin area
- in checkout.tpl it must be possible to generate an automatic password in the background without the customer having to do this

After two attempts, customers don't want to continue also with the Generate PW button and send an order, they quit & prefer another provider where the ordering process is not that complicated.

[yggdrasil]

On 2/7/2021 at 10:11 AM, brian! said:

you now have to login as the user and change their password directly from the client area.

So much for a product called Web Hosting Manager Solution when it requires that many extra steps for such a simple administration task 😁

[brian!]

21 hours ago, cluster said:

- administrator must be allowed to change any customer password directly from the admin area

totally agree... but I think it's intentional that they can't and that WHMCS provides no coding option to do this natively.

21 hours ago, cluster said:

- in checkout.tpl it must be possible to generate an automatic password in the background without the customer having to do this

possible with a hook I would suspect.

4 hours ago, yggdrasil said:

So much for a product called Web Hosting Manager Solution when it requires that many extra steps for such a simple administration task 😁

you missed out an important word - don't forget that this is a COMPLETE solution. 😁

[brian!]

just a heads up that yesterday evening I figured out a viable method to reset any user's password... it works! 🎉

over the weekend, i'm going to try to turn it into a workable solution for others to use from the admin area.

[cluster]

that would be awesome!

maybe everything will be ok after all 😀

[bear]

43 minutes ago, brian! said:

I figured out a viable method to reset any user's password... it works!

Switch billing systems? oh... 😛

[bear]

On 2/25/2021 at 12:44 PM, brian! said:

just a heads up that yesterday evening I figured out a viable method to reset any user's password... it works! 🎉

over the weekend, i'm going to try to turn it into a workable solution for others to use from the admin area.

Any luck with this effort, Brian?

[brian!]

On 21/03/2021 at 10:56, bear said:

Any luck with this effort, Brian?

I got stuck in a sticky situation - the best way to do it would have been exactly the same way the commercial module was doing it... but I wasn't prepared to duplicate an existing module and release it for free, or then be in the ridiculous situation of reinventing the wheel and releasing it commercially - what's the point ?

so the alternative would have been to do something naff (simple, quick, ugly etc) - the obvious option being a widget - basically just a basic form to select a user from a dropdown,  password input field, submit button etc... to be honest, I couldn't be bothered - it's the sort of feature that eventually WHMCS will have to do themselves, so I didn't fancy wasting a lot of time on this.

but for completion, I suspect the method used by the commercial module will by the same as outlined in the model class docs...

https://classdocs.whmcs.com/8.0/WHMCS/User/User.html#method_updatePassword

if it helps, the initial very rough script that I originally wrote to test it is posted below...

<?php

use WHMCS\User\User;

$userId = 69;
$new_password = "qwerty";
try {
    $johnDoe = User::findOrFail($userId);
    $johnDoe->updatePassword($new_password);
    $johnDoe->save();
} catch (Exception $e) {
    echo "Uh oh. I couldn't update the password. {$e->getMessage()}";
}

for it to work, you can't already be logged in as an user (and it's easier not be logged in as an admin either I think).... whilst not a workable script for a novice, hopefully those interested in writing user password solutions might find it useful.