Alpha IIS, Change any User Password to specific value without knowing current password?


    Is it true there are no built-in functions to allow an administrator to set an existing user's password to a specific value?

    I see a function for setting the user's password to a random value, but then the Administrator would have to send this value to the user (unless I incorporate emailing from my app).

    #2
    Re: Alpha IIS, Change any User Password to specific value without knowing current password?

    Just curious... what would be the use case for changing a User's password but not having to email info about that change? If you could change the password to a value you assign, how would the user know about the change?


      #3
      Re: Alpha IIS, Change any User Password to specific value without knowing current password?

      Good question.
      Currently when a user forgets their password the administrator(s) for that user's site can "reset" that person's password to a specific "default" password. When new users are set up in the system they are all assigned the "default" password the administrator(s) have chosen for their site. If a user logs into the system under the default password the program prompts them to change their password. When administrators view the list of user logins, they see a special icon next to each user that has not changed their password from the default value yet. The administrators can easily disable logins for people that have not changed their password yet.

      I think most administrators are choosing a default password for their site that has some meaning to their personnel and it is a password that can be said verbally - not some arbitrarily complex password that is difficult to pass along verbally.

      But maybe you are right, maybe they pass the default password via emails rather than verbally when a user forgets their own password. I know for initial user creation they are passing the password along in a classroom training session (white-board or verbally), so they are not emailing initial login password.


        #4
        Re: Alpha IIS, Change any User Password to specific value without knowing current password?

        David,
        If the next question is, "If you use a common default password for the entire site that is valid for users until they change it, how do you keep people outside of that organization from getting into the system during that time?"
        I cannot discuss specifics, but there are other measures in place that occur before the user ever sees the login page.


          #5
          Re: Alpha IIS, Change any User Password to specific value without knowing current password?

          Understood.

          There does seem to be a way to do what you want. Have a look at the UX Template "SecurityFramework-EditAccountForExistingUser". This UX template allows you to change the password, among other items, to one of your choice.

          In the afterDialogValidate event you'll find the action ExecuteServerSideAction("Save Web Security Values::SaveSecurity"). Have a look at the code for this action and you'll find "a5ws_SaveUsersWithDialog()". There is limited documentation on this function... and it's marked with the ominous "Internal Use Only" (not sure I understand that).

          If you can't, or don't want to, use "a5ws_SaveUsersWithDialog()" by itself, then at least you could build your Admin UX around this template.


            #6
            Re: Alpha IIS, Change any User Password to specific value without knowing current password?

            Perhaps the default password can trigger a password change event, in other words, a complete client side show/hide of controls so that they would pretty much NOT have a choice but to change it, since you would know what the default PW might be when the user is logging in. If the default PW is set by each client that would be a simple lookup and setting of a variable to check for it.
            NWCOPRO: Nuisance Wildlife Control Software My Application: http://www.nwcopro.com "Without forgetting, we would have no memory at all...now what was I saying?"


              #7
              Re: Alpha IIS, Change any User Password to specific value without knowing current password?

              David,
              The "a5ws_SaveUsersWithDialog()" AA xbasic procedure was an interesting find -- it does not appear in the Documentation with other a5ws procedures and as you said, it is flagged as "Internal Use Only".

              That procedure kind of worked under IIS to change the password of an existing user without knowing their old password or answer to their secret question. (I am not using secret question/answer, so if the user really had that setup I am not sure if it would have worked or not.)

              That procedure wiped out all but one of the user's roles! Or, more precisely, since the Template uses radio buttons for the Role Membership it was only able to display one role as being selected. When the UX values are saved only one membership is preserved.

              I switched the Radio button control to a Checkbox, but the template does not know how to populate the checkbox.

              Perhaps, knowing about this function will help in the conversation with Alpha about having a "context.security" method to change a user's password without knowing their old password or security question.

              Thanks for finding that.

              Charles,
              Yes, after a user logs in via their site's default password, I could hide the menu options in the tabbedUI until they have changed their password. Currently, I do automatically open the change passwords form in a new tab if they logged in with the "default" password. I do not disable or hide the other menu options, though. I actually thought of doing that around the time you posted that suggestion. The user has two passwords (one for logging into the system and another password for signing documents and (in the future) entry into grid boxes for the "user's initials").


                #8
                Re: Alpha IIS, Change any User Password to specific value without knowing current password?

                Sorry Rich... I haven't checked that template in a while... I thought it would have been fixed by now. When I first tried it years ago and found that it used static data and was essentially useless for security groups I created my own version that runs off a DropdownBox Control tied to the webSecurityRegisteredUsers table. The Actions in onDialogInitialize I turned into XBasic, put into an XBasic function and fixed. The XBasic function is called from onChange of the DropdownBox Control and the Security Groups radio button changed to a Checkbox.

                You should report this to Alpha and see if they'll update that Template to something that works correctly and doesn't use static data. If they do that you'll have exactly what you need.


                  #9
                  Re: Alpha IIS, Change any User Password to specific value without knowing current password?

                  David,

                  I don't think I will submit anything to Selwyn on this template.

                  I'd rather just have a simple function that takes a UserID and a New Password as parameters; I don't want/need to mess with roles at the time I am changing a password.

                  I have quite a different idea on how I want to manage Role assignments for Users than what Alpha has assumed. I need to dynamically change a person's Role based on what "application instance" or "dataset" they choose to log in to. After the login ID and password have been validated, the user is presented with a list of different "Application Instances" or "Datasets" that they have been granted access to. They will likely have different Roles for each data set. Any ideas on how to accomplish that?


                    #10
                    Re: Alpha IIS, Change any User Password to specific value without knowing current password?

                    Looking at also changing the User Name (ID), I don't see context.security methods for that either.

                    So, I guess it will be just a matter of using the following context.security methods to handle all the changes (unless I find a5ws methods that are functional under IIS):
                    DeleteUser
                    CreateUser
                    AddUserToRoles
                    TestPassword
                    TestUserName
                    UserExists


                      #11
                      Re: Alpha IIS, Change any User Password to specific value without knowing current password?

                      Nearly all of the A5ws_* functions work on IIS. The exceptions are ones referencing values that don't exist in IIS or are methods not directly supported in IIS. Examples include a5ws_* functions referencing "ulink" as "ulink" is not supported in IIS. This allows using legacy code that references a5ws_* in most cases.

                      If writing new code, the Context.Security methods should be used where possible. They are supported natively in IIS and will also function in the standard server. For example, if you want to set a new password without knowing the original, you can use

                      newRandomPassword = Context.Security.AdministrativeResetPassword(Userid)

                      If you want to set the password to a specific value (such as a standard default), you can use 2 methods

                      newRandomPassword = Context.Security.AdministrativeResetPassword(Userid)
                      Context.Security.ChangePassword(Userid, newRandomPassword, newDesiredPassword)

                      If you want to force the user to immediately change the password just set, use

                      Context.Security.SetExpirePasswordImmediate(Userid)

                      IIS does not natively support changing the username / userid as that is the security key value in the IIS membership providers.

                      However, the UX Security template "EditAccountForExistingUser" calls internal methods that do allow changing the user name. Because of the limitations in IIS, the original password must be entered or a new password entered at the same time.

                      The template calls some internal methods that are not documented as they should not be used outside of the defined Action Scripting. These include "a5ws_ValidateUsersWithDialog" and "a5ws_SaveUsersWithDialog". They are considered internal use functions only.

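The three calls from post #11 combined into one routine, as an added example that is not part of the original posts and is not Alpha's own code. It handles the case where the reset succeeds but the desired value is rejected, which leaves the account on a random password nobody has been told. `AdminSetPassword` is a hypothetical helper name; the example assumes it runs server-side where `Context` is available and that `UserExists` and `ChangePassword` return a logical result.

```xbasic
' Added example: AdminSetPassword is a hypothetical helper, not an Alpha function.
' Assumptions: runs server-side where Context is available; UserExists() and
' ChangePassword() return a logical result.
' Returns "" on success, otherwise a short description of what went wrong.
function AdminSetPassword as C (Userid as C, newDesiredPassword as C)
    dim newRandomPassword as C
    dim changed as L

    AdminSetPassword = ""

    ' Refuse to act on an account that is not registered.
    if Context.Security.UserExists(Userid) = .f. then
        AdminSetPassword = "User not found: " + Userid
        exit function
    end if

    ' Step 1: reset to a random password; the old password is not needed.
    newRandomPassword = Context.Security.AdministrativeResetPassword(Userid)
    if newRandomPassword = "" then
        AdminSetPassword = "Reset did not return a password for " + Userid
        exit function
    end if

    ' Step 2: use the random password as the "old" password for the change.
    changed = Context.Security.ChangePassword(Userid, newRandomPassword, newDesiredPassword)
    if changed = .f. then
        ' The account now holds the random password. Do not log or return it;
        ' report the state so the administrator can run the reset again.
        AdminSetPassword = "Desired password rejected; account holds a random password"
        exit function
    end if

    ' Step 3: expire the password just set so the next login must replace it.
    Context.Security.SetExpirePasswordImmediate(Userid)
end function
```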


                        #12
                        Re: Alpha IIS, Change any User Password to specific value without knowing current password?

                        newRandomPassword = Context.Security.AdministrativeResetPassword(Userid)
                        Context.Security.ChangePassword(Userid, newRandomPassword, newDesiredPassword)
                        So simple... so brilliant. Cheers Jerry.


                          #13
                          Re: Alpha IIS, Change any User Password to specific value without knowing current password?

                          Thanks Jerry, that will work for me just fine to make two calls to change the password: change to random pwd, then change that random password to the one I want. I will remove the option I have that currently allows changing the login ID (email address) and just have them delete and recreate the user with the desired ID. I'm sure it is quite rare they ever use that function anyway.


                            #14
                            Re: Alpha IIS, Change any User Password to specific value without knowing current password?

                            The code behind the Action scripting in the UX template "EditAccountForExistingUser" essentially creates a new user, transfers the user credentials, and then deletes the original account transparently. There is quite a bit of code required to validate the new values and ensure the new account is properly configured, and then remove the original account and all of the related permissions.

                            You could write your own code, but the work has already been done for you.


                              #15
                              Re: Alpha IIS, Change any User Password to specific value without knowing current password?

                              Hi Jerry, your comments are very welcome.

                              These methods are really great and I use them all, but is there a method within the standard login component that can call Context.Security.SetExpirePasswordImmediate(userid)? The security framework allows a new password to be self-generated and emailed to the user and I think that's OK. However it says it is a temporary password that has been issued - we need to make it so that on login using the temp password it immediately asks for a password change. Is that doable?
