Added the ability for admins to send a reset password email for users (#737)

2019-08-14 10:21:58 -04:00 · 2019-08-14 10:21:58 -04:00 · 7e3c44575e
parent 1256554ce6
commit 7e3c44575e
10 changed files with 34 additions and 18 deletions
--- a/app/controllers/admins_controller.rb
+++ b/app/controllers/admins_controller.rb
@ -22,7 +22,7 @@ class AdminsController < ApplicationController
  include Emailer
  include Recorder

-  manage_users = [:edit_user, :promote, :demote, :ban_user, :unban_user, :approve]
+  manage_users = [:edit_user, :promote, :demote, :ban_user, :unban_user, :approve, :reset]
  site_settings = [:branding, :coloring, :coloring_lighten, :coloring_darken,
                   :registration_method, :room_authentication, :room_limit, :default_recording_visibility]

@ -106,6 +106,14 @@ class AdminsController < ApplicationController
    redirect_to admins_path
  end

+  # GET /admins/reset
+  def reset
+    @user.create_reset_digest
+
+    send_password_reset_email(@user)
+
+    redirect_to admins_path, flash: { success: I18n.t("administrator.flash.reset_password") }
+  end
  # SITE SETTINGS

  # POST /admins/branding
--- a/app/controllers/password_resets_controller.rb
+++ b/app/controllers/password_resets_controller.rb
@ -53,7 +53,7 @@ class PasswordResetsController < ApplicationController
    elsif params[:user][:password] != params[:user][:password_confirmation]
      flash.now[:alert] = I18n.t("password_different_notice")
      render 'edit'
-    elsif current_user.update_attributes(user_params)
+    elsif @user.update_attributes(user_params)
      flash[:success] = I18n.t("password_reset_success")
      redirect_to root_path
    else
@ -67,23 +67,19 @@ class PasswordResetsController < ApplicationController
    @user = User.find_by(email: params[:email])
  end

-  def current_user
-    @user
-  end
-
  def user_params
    params.require(:user).permit(:password, :password_confirmation)
  end

  # Checks expiration of reset token.
  def check_expiration
-    redirect_to new_password_reset_url, alert: I18n.t("expired_reset_token") if current_user.password_reset_expired?
+    redirect_to new_password_reset_url, alert: I18n.t("expired_reset_token") if @user.password_reset_expired?
  end

  # Confirms a valid user.
  def valid_user
-    unless current_user.authenticated?(:reset, params[:id])
-      current_user&.activate unless current_user&.activated?
+    unless @user.authenticated?(:reset, params[:id])
+      @user&.activate unless @user&.activated?
      redirect_to root_url
    end
  end
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -128,4 +128,9 @@ module ApplicationHelper
      role.name
    end
  end
+
+  def can_reset_password
+    # Check if admin is editting user
+    Rails.application.routes.recognize_path(request.env['PATH_INFO'])[:action] == "edit_user"
+  end
 end
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@ -37,7 +37,7 @@ class Ability

      if highest_role.can_manage_users
        can [:index, :roles, :edit_user, :promote, :demote, :ban_user, :unban_user,
-             :approve, :invite], :admin
+             :approve, :invite, :reset], :admin
      end

      if !highest_role.can_edit_site_settings && !highest_role.can_edit_roles && !highest_role.can_manage_users
--- a/app/views/shared/settings/_account.html.erb
+++ b/app/views/shared/settings/_account.html.erb
@ -75,6 +75,10 @@
    </div>
  </div>
  <div class="card-footer">
-    <%= f.submit t("update"), class: "btn btn-primary float-right" %>
+    <%= f.submit t("update"), class: "btn btn-primary float-right ml-4" %>
+
+    <% if can_reset_password %>
+      <%= link_to "Reset user password", admin_reset_path(user_uid: @user.uid), class: "btn btn-primary float-right" %>
+    <% end %>
  </div>
 <% end %>
--- a/app/views/user_mailer/password_reset.html.erb
+++ b/app/views/user_mailer/password_reset.html.erb
@ -24,7 +24,7 @@
      </h1>

      <p>
-        <%= t('mailer.user.password_reset.welcome', bigbluebutton: t('bigbluebutton')) %>
+        <%= t('mailer.user.password_reset.welcome', email: @user.email).html_safe %>
      </p>

      <p style="margin-bottom:45px;">
@ -38,11 +38,11 @@
      </a>

      <p style="margin-top:45px;">
-        <%= t('mailer.user.password_reset.expire') %>
+        <%= t('mailer.user.password_reset.ignore') %>
      </p>

      <p>
-        <%= t('mailer.user.password_reset.ignore') %>
+        <%= t('mailer.user.password_reset.expire') %>
      </p>
    </div>
  </div>
--- a/app/views/user_mailer/password_reset.text.erb
+++ b/app/views/user_mailer/password_reset.text.erb
@ -18,7 +18,7 @@

 <%= t('mailer.user.password_reset.title') %>

-<%= t('mailer.user.password_reset.welcome', bigbluebutton: t('bigbluebutton')) %>
+<%= t('mailer.user.password_reset.welcome', email: @user.email) %>
 <%= t('mailer.user.password_reset.message') %>

 <%= @url %>
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -75,6 +75,7 @@ en:
      invite_email_verification: Emails must be enabled in order to use this method. Please contact your system administrator.
      promoted: User has been successfully promoted
      registration_method_updated: Registration method successfully updated
+      reset_password: The user has been sent an email to reset their password. (Please ask them to check their spam folder if they haven't received it)
      settings: Site Settings successfully changed
      unauthorized: You are not authorized to perform actions on this user
    recordings:
@ -262,11 +263,11 @@ en:
        username: Your username is %{email}.
      password_reset:
        title: 'Password reset'
-        welcome: It seems like you forgot your password for %{bigbluebutton}
-        message: 'If this is true, please click the link below to reset your password:'
+        welcome: A password reset has been requested for the email <b>%{email}</b>
+        message: 'If you requested this reset, then please click the link below to reset your password:'
        reset_link: Reset Password
        expire: This link will expire in two hours.
-        ignore: You can safely ignore this email if you did not request a password reset.
+        ignore: You can safely ignore this email if you did not make this request.
      promoted:
        admins_link: Visit the Organization Page
        info: You are now an %{role} on %{url}.
--- a/config/routes.rb
+++ b/config/routes.rb
@ -51,6 +51,7 @@ Rails.application.routes.draw do
    post '/invite', to: 'admins#invite', as: :invite_user
    post '/registration_method/:method', to: 'admins#registration_method', as: :admin_change_registration
    post '/approve/:user_uid', to: 'admins#approve', as: :admin_approve
+    get '/reset', to: 'admins#reset', as: :admin_reset
    post '/room_limit', to: 'admins#room_limit', as: :admin_room_limit
    post '/default_recording_visibility', to: 'admins#default_recording_visibility', as: :admin_recording_visibility
    get '/roles', to: 'admins#roles', as: :admin_roles
--- a/spec/controllers/password_resets_controller_spec.rb
+++ b/spec/controllers/password_resets_controller_spec.rb
@ -124,6 +124,7 @@ describe PasswordResetsController, type: :controller do

        params = {
          id: token,
+          email: user.email,
          user: {
            password: :password,
            password_confirmation: :password,