Backend user management: remove plain-text password from invite, add reset password button

modules/backend/controllers/Users.php

@@ -149,6 +149,22 @@ public function update_onImpersonateUser($recordId)
         return Backend::redirect('backend/users/myaccount');
     }
 
+    /**
+     * Send a password restore email to this user
+     * @param int $recordId
+     * @return Response|void
+     */
+    public function update_onSendPasswordRestore($recordId)
+    {
+        if (!$this->user->hasAccess('backend.manage_users')) {
+            return Response::make(Lang::get('backend::lang.page.access_denied.label'), 403);
+        }
+
+        $this->formFindModelObject($recordId)->sendPasswordRestore();
+
+        Flash::success(Lang::get('backend::lang.account.send_password_restore_success'));
+    }
+
     /**
      * Unsuspend this user
      */

modules/backend/controllers/users/_btn_password_restore.htm

@@ -0,0 +1,14 @@
+<?php if ($this->user->hasAccess('backend.manage_users')): ?>
+    <div class="loading-indicator-container">
+        <button
+            type="button"
+            data-request="onSendPasswordRestore"
+            data-load-indicator="<?= e(trans('backend::lang.account.send_password_restore_working')) ?>"
+            data-request-confirm="<?= e(trans('backend::lang.account.send_password_restore_confirm')) ?>"
+            class="btn btn-default wn-icon-unlock-alt"
+            style="width: 100%; text-align: center"
+        >
+            <?= e(trans('backend::lang.account.send_password_restore')) ?>
+        </button>
+    </div>
+<?php endif ?>

modules/backend/lang/en/lang.php

@@ -71,6 +71,10 @@
         'reset_success' => 'Password has been reset. You may now sign in.',
         'reset_error' => 'Invalid password reset data supplied. Please try again!',
         'reset_fail' => 'Unable to reset your password!',
+        'send_password_restore' => 'Send Password Restore',
+        'send_password_restore_confirm' => 'Are you sure you want to send this user a passowrd restore email?',
+        'send_password_restore_success' => 'Password restore email sent',
+        'send_password_restore_working' => 'Sending...',
         'apply' => 'Apply',
         'cancel' => 'Cancel',
         'delete' => 'Delete',
@@ -148,7 +152,7 @@
         'superuser' => 'Super User',
         'superuser_comment' => 'Grants this account unlimited access to all areas of the system. Super users can add and manage other users. ',
         'send_invite' => 'Send invitation by email',
-        'send_invite_comment' => 'Sends a welcome message containing login and password information.',
+        'send_invite_comment' => 'Sends a welcome message containing login and password information. If a password is not set, the message will include a password reset link.',
         'delete_confirm' => 'Delete this administrator?',
         'return' => 'Return to admin list',
         'allow' => 'Allow',

modules/backend/models/User.php

@@ -27,8 +27,8 @@ class User extends UserBase
     public $rules = [
         'email' => 'required|between:6,255|email|unique:backend_users',
         'login' => 'required|between:2,255|unique:backend_users',
-        'password' => 'required:create|min:4|confirmed',
-        'password_confirmation' => 'required_with:password|min:4'
+        'password' => 'sometimes|min:4|confirmed',
+        'password_confirmation' => 'sometimes|required_with:password|min:4'
     ];
 
     /**
@@ -152,6 +152,21 @@ public function afterLogin()
         Event::fire('backend.user.login', [$this]);
     }
 
+    /**
+     * Generates a link to the backend, or a password reset link if no password was set on creation.
+     * @return string
+     */
+    public function getInvitationLink()
+    {
+        if (!$this->password) {
+            $code = $this->getResetPasswordCode();
+
+            return Backend::url('backend/auth/reset/' . $this->id . '/' . $code);
+        }
+
+        return Backend::url('backend');
+    }
+
     /**
      * Sends an invitation to the user using template "backend::mail.invite".
      * @return void
@@ -161,15 +176,35 @@ public function sendInvitation()
         $data = [
             'name' => $this->full_name,
             'login' => $this->login,
-            'password' => $this->getOriginalHashValue('password'),
-            'link' => Backend::url('backend'),
+            'link' => $this->getInvitationLink(),
         ];
 
         Mail::send('backend::mail.invite', $data, function ($message) {
             $message->to($this->email, $this->full_name);
         });
     }
 
+
+    /**
+     * Sends a password restore link to the user using template "backend::mail.restore".
+     * @return void
+     */
+    public function sendPasswordRestore()
+    {
+        $code = $this->getResetPasswordCode();
+
+        $link = Backend::url('backend/auth/reset/' . $this->id . '/' . $code);
+
+        $data = [
+            'name' => $this->full_name,
+            'link' => $link,
+        ];
+
+        Mail::send('backend::mail.restore', $data, function ($message) {
+            $message->to($this->email, $this->full_name)->subject(trans('backend::lang.account.password_reset'));
+        });
+    }
+
     public function getGroupsOptions()
     {
         $result = [];

modules/backend/models/user/fields.yaml

@@ -75,6 +75,10 @@ secondaryTabs:
             label: ''
             context: [update]
             type: partial
+        btn_password_restore:
+            label: ''
+            context: [update]
+            type: partial
         avatar:
             label: backend::lang.user.avatar
             type: fileupload

modules/backend/views/mail/invite.htm

@@ -8,7 +8,6 @@
 
 {% partial 'panel' body %}
 - Login: `{{ login ?: 'sample' }}`
-- Password: `{{ (password ?: '********') | raw }}`
 {% endpartial %}
 
 You can use the following link to sign in:
@@ -17,4 +16,4 @@
     Sign in to admin area
 {% endpartial %}
 
-After signing in you should change your password by clicking your name on the top right corner of the administration area.
+After signing in, you may be asked to set a new password if one was not created for you.