Merge branch 'new_user_password_set' into 'master'

Admin created user should get password reset link instead of mailed temporary password Fixes #1405 See merge request !973

Merge branch 'new_user_password_set' into 'master'
Admin created user should get password reset link instead of mailed temporary password Fixes #1405 See merge request !973
c29857ac · Dmitriy Zaporozhets · 945dd627 · c0a95947 · c29857ac · c29857ac
Commit c29857ac authored Jul 23, 2014 by Dmitriy Zaporozhets
8 changed files
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -39,12 +39,13 @@ class Admin::UsersController < Admin::ApplicationController
  def create
    opts = {
      force_random_password: true,
-      password_expires_at: Time.now
+      password_expires_at: nil
    }
    @user = User.new(user_params.merge(opts))
    @user.created_by_id = current_user.id
    @user.generate_password
+    @user.generate_reset_token
    @user.skip_confirmation!
    respond_to do |format|

--- a/app/mailers/emails/profile.rb
+++ b/app/mailers/emails/profile.rb
 module Emails
  module Profile
-    def new_user_email(user_id, password)
+    def new_user_email(user_id, password, token = nil)
      @user = User.find(user_id)
      @password = password
      @target_url = user_url(@user)
+      @token = token
      mail(to: @user.email, subject: subject("Account was created for you"))
    end

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -240,6 +240,15 @@ class User < ActiveRecord::Base
    end
  end
+  def generate_reset_token
+    @reset_token, enc = Devise.token_generator.generate(self.class, :reset_password_token)
+    self.reset_password_token   = enc
+    self.reset_password_sent_at = Time.now.utc
+    @reset_token
+  end
  def namespace_uniq
    namespace_name = self.username
    if Namespace.find_by(path: namespace_name)
@@ -488,7 +497,7 @@ class User < ActiveRecord::Base
  def post_create_hook
    log_info("User \"#{self.name}\" (#{self.email}) was created")
-    notification_service.new_user(self)
+    notification_service.new_user(self, @reset_token)
    system_hook_service.execute_hooks_for(self, :create)
  end

--- a/app/services/notification_service.rb
+++ b/app/services/notification_service.rb
@@ -105,9 +105,9 @@ class NotificationService
  end
  # Notify new user with email after creation
-  def new_user(user)
+  def new_user(user, token = nil)
    # Don't email omniauth created users
-    mailer.new_user_email(user.id, user.password) unless user.extern_uid?
+    mailer.new_user_email(user.id, user.password, token) unless user.extern_uid?
  end
  # Notify users on new note in system

--- a/app/views/admin/users/_form.html.haml
+++ b/app/views/admin/users/_form.html.haml
@@ -31,9 +31,9 @@
          = f.label :password, class: 'control-label'
          .col-sm-10
            %strong
-              A temporary password will be generated and sent to user.
+              Reset link will be generated and sent to the user.
              %br
-              User will be forced to change it after first sign in
+              User will be forced to set the password on first sign in.
    - else
      %fieldset
        %legend Password

--- a/app/views/notify/new_user_email.html.haml
+++ b/app/views/notify/new_user_email.html.haml
@@ -11,11 +11,4 @@
 - if @user.created_by_id
  %p
-    password..................................
+    = link_to "Click here to set your password", edit_password_url(@user, :reset_password_token => @token)
-    %code= @password
-  %p
-    You will be forced to change this password immediately after login.
-%p
-  = link_to "Click here to login", root_url
--- a/app/views/notify/new_user_email.text.erb
+++ b/app/views/notify/new_user_email.text.erb
@@ -4,10 +4,5 @@ The Administrator created an account for you. Now you are a member of the compan
 login.................. <%= @user.email %>
 <% if @user.created_by_id %>
-  password............... <%= @password %>
+  <%= link_to "Click here to set your password", edit_password_url(@user, :reset_password_token => @token) %>
-  You will be forced to change this password immediately after login.
 <% end %>
-Click here to login: <%= url_for(root_url) %>
--- a/spec/mailers/notify_spec.rb
+++ b/spec/mailers/notify_spec.rb
@@ -43,7 +43,7 @@ describe Notify do
    let(:example_site_path) { root_path }
    let(:new_user) { create(:user, email: 'newguy@example.com', created_by_id: 1) }
-    subject { Notify.new_user_email(new_user.id, new_user.password) }
+    subject { Notify.new_user_email(new_user.id, new_user.password, 'kETLwRaayvigPq_x3SNM') }
    it_behaves_like 'an email sent from GitLab'
@@ -59,8 +59,12 @@ describe Notify do
      should have_body_text /#{new_user.email}/
    end
-    it 'contains the new user\'s password' do
+    it 'contains the password text' do
-      should have_body_text /password/
+      should have_body_text /Click here to set your password/
+    end
+    it 'includes a link for user to set password' do
+      should have_body_text 'http://localhost/users/password/edit?reset_password_token=kETLwRaayvigPq_x3SNM'
    end
    it 'includes a link to the site' do