Creation of new users fails when profile lock is active

hendrikvl

The users page in the Cloudron panel has that setting labeled "Allow users to edit their name and email", which is also named profile lock in the manual.

When that checkbox is disabled (users are not allowed to edit), I noticed some strange behaviour: New users can be created, but they cannot set their password after using the invite link. What happens instead is the following: User clicks invite link, gets screen where to input password. After submitting that form the next screen "Your Account is ready, open dashboard" is shown. But after clicking open dashboard, one gets to the regular login screen. From there one cannot login with the newly setup credentials.

I checked in the box-database what happens: After creating the user, the new entry in the users-table seems correct. What is strange is that even the moment the "Your account is ready"-screen is shown, the password-field has not changed and the inviteToken is still there. There is no difference whether the profileLocked-parameter is included in the invite-URL or not.

After enabling the checkbox in the users page again, the setup works allright. Even with the old invite-link.

I could reproduce that behaviour on two different cloudron instances being on v7.0.4.

jdaviescoates

I just tried to replicate this and I think I've found an additional related problem.

I unchecked the lock profile check box, saved, created a user. I didn't specify a username.

Then clicked on the Welcome email to Get Started, couldn't create a username.

girish

The password change bug was reported earlier and it got fixed but not released yet (https://git.cloudron.io/cloudron/box/-/commit/37f066f2b0e4aa50ec45b387dd1d79b539d1aaf5) . The issue which @jdaviescoates reports seems new though.

hendrikvl

@girish Ok, good to know that the fix is already there. Thanks!

girish

@jdaviescoates said in Creation of new users fails when profile lock is active:

Then clicked on the Welcome email to Get Started, couldn't create a username.

I have fixed the code to allow admins to set the username when it's empty.

I guess we could also add additional code to make username "required" when we add a new user based on profile lock but that seems more work...

jdaviescoates

@girish said in Creation of new users fails when profile lock is active:

I have fixed the code to allow admins to set the username when it's empty.

Um, great, but it's not the admin that needs to be able to create a username, it's the new user who didn't have their username set who then clicks on the Get started link in the Welcome email.

@girish said in Creation of new users fails when profile lock is active:

I guess we could also add additional code to make username "required" when we add a new user based on profile lock but that seems more work...

I'm not sure exactly what effect the change you've already made will make, but I think it might be necessary to require a username when adding a new user with profile lock on, because otherwise the new invited users cannot set-up their account (as they can't enter a username, and so they cannot click on the next/ continue button).

Either that or somehow letting newly invited members to be able to edit/ create their username when the profile lock is on.

nebulon

@jdaviescoates said in Creation of new users fails when profile lock is active:

Um, great, but it's not the admin that needs to be able to create a username, it's the new user who didn't have their username set who then clicks on the Get started link in the Welcome email.

when the user was created without a username, then the user will be able to set it, following the invite link. Of course this will only work with the next release due to the bug, when the profile lock is enabled.

jdaviescoates

@nebulon said in Creation of new users fails when profile lock is active:

when the user was created without a username, then the user will be able to set it, following the invite link.

OK great. You probably know already that it does work, but for good measure I'll try to remember to double check it works after the next update...

girish

It's fixed a bit differently. The purpose of the "profile lock" feature is that admins have control over the username/mail/display name. Letting the user choose the username would circumvent this. This more so applies because when you have multiple admins, maybe one admin forgot to set the username (but they had decided by policy that they won't allow users to set usernames themselves).

Given that the profile lock is a 'dynamic' flag i.e can be set/unset at anytime, the fix we have put in place is:

• username can now be set already created users with no username.
• When profile lock is set, username is required when creating new users. This way it's not possible for an admin to create users without a username.
• When profile lock is set, invite links of users with no username show a message to contact admin. (This message will only be seen if you had users created with no username and set the profile lock later. So, it's kinda rare)