Jump to content
cluster

emergency client PW reset for admin no longer possible

Recommended Posts

It has already happened that a customer password has been hacked or the PW somehow got into the hands of an attacker ...
In that case the admin should be able set a new password if necessary to prevent the attacker from reaching the connected server,
this is no longer possible in v8.1 ... if the admin carries out a PW reset the password is not changed as long as the customer confirms the PW reset email. If a customer cannot be reached at this time, this could be a serious security issue for the provider.

In a emergency situation the administrator must be able to change a customer password without the customer having to agree!

Edited by cluster

Share this post


Link to post
Share on other sites
3 minutes ago, cluster said:

In a emergency situation the administrator must be able to change a customer password without the customer having to agree!

you now have to login as the user and change their password directly from the client area.

Share this post


Link to post
Share on other sites
55 minutes ago, brian! said:

you now have to login as the user and change their password directly from the client area

At least it's still possible, though the extra step is silly. 

Share this post


Link to post
Share on other sites

That does not work!

I can only make a PW change from client area when enter the current PW & the administrator does not know client passwords ....

that's a security problem for an emergency situation and I would call this a highly critical bug!

Share this post


Link to post
Share on other sites
4 minutes ago, cluster said:

That does not work!

it does. 🙂

5 minutes ago, cluster said:

I can only make a PW change from client area when enter the current PW & the administrator does not know client passwords ....

if you're logged in the admin area, then you can login to the client area without knowing their password - you only need to know their email address and can enter anything as the password to login.

also, there is the "Login As Owner" option from the admin area client profile summary page...

0CCznU2.png

8 minutes ago, cluster said:

that's a security problem for an emergency situation and I would call this a highly critical bug!

i'd call it a pain in the proverbial that it can't be done directly in the admin area.... to be honest, I don't know whether the admin being able to do this in the client area is going to be considered a a bug and prevented in future releases.

Share this post


Link to post
Share on other sites

yes,  I'm able to login as client, but I can not change the client password because I have to enter the current PW first and below the new one ....

Share this post


Link to post
Share on other sites
27 minutes ago, cluster said:

yes,  I'm able to login as client, but I can not change the client password because I have to enter the current PW first and below the new one ....

well that's annoying - i'm glad I stopped using this nonsense years ago. headshake.gif

then in an emergency situation, I think you could reset the user's email address (in the admin area) to one that you have access to, initiate the email password reset process, click the link in the email, reset the password and change the email address back.

if you think you're going to have the need for a simpler solution, then you might need to buy the addon in Marketplace.... if WHMCS had written an API to allow a password reset, then this would have been simple, but I don't feel inclined to waste time trying to work out how a user's password is generated internally.

Share this post


Link to post
Share on other sites

thanks brian!

after the update to 8.11 also a few modules lno longer work ... I'm done with v 8.x. I need to restore my backup to 7.10 ... lost so much time

Share this post


Link to post
Share on other sites

the module problem was caused by the new chrome browser, it works with firefox, chromium ... probably chrome in the new version blocks JS and Jquery scripts that are used for WHMCS.
This could also explain the problems with the password generator for some customers.

latest Google Chrome
Version 88.0.4324.182

The new password system and many jquery functions are not necessarily compatible with Chrome now ...

I will stay with WHMCS 7.10, also because of the lack of possibility to change the customer passwords and many things in the admin area have become very laborious in v. 8.1

Share this post


Link to post
Share on other sites

Just upgraded yesterday and already have a situation where I need to quickly reset the password for the owner of an account.  Incredibly frustrating that this basic feature was removed.  I really do wish that the folks at WHMCS also ran a small hosting company (like cPanel does) so they can see, real world, what web hosting providers need on a daily basis.

- Scott

Share this post


Link to post
Share on other sites

the PW reset (lost password) function only for customers is OK
...
however, the following things are unacceptable:
- administrator must be allowed to change any customer password directly from the admin area
- in checkout.tpl it must be possible to generate an automatic password in the background without the customer having to do this

After two attempts, customers don't want to continue also with the Generate PW button and send an order, they quit & prefer another provider where the ordering process is not that complicated.

Share this post


Link to post
Share on other sites
On 2/7/2021 at 10:11 AM, brian! said:

you now have to login as the user and change their password directly from the client area.

So much for a product called Web Hosting Manager Solution when it requires that many extra steps for such a simple administration task 😁

Share this post


Link to post
Share on other sites
21 hours ago, cluster said:

- administrator must be allowed to change any customer password directly from the admin area

totally agree... but I think it's intentional that they can't and that WHMCS provides no coding option to do this natively.

21 hours ago, cluster said:

- in checkout.tpl it must be possible to generate an automatic password in the background without the customer having to do this

possible with a hook I would suspect.

4 hours ago, yggdrasil said:

So much for a product called Web Hosting Manager Solution when it requires that many extra steps for such a simple administration task 😁

you missed out an important word - don't forget that this is a COMPLETE solution. 😁

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated