Resolved <<<Admin's user edit page>>>

viddz · 06-15-2012, 10:50 PM

i need good idea to how to show password edit field for admins.
This is a part of my edit user page's

PHP Code:


			
<table width="436" id="table">

    <tr>

      <td width="214">Username</td>

      <td width="254"><input name="login" maxlength="10" id="login" value="<?php echo $login;?>"/></td>

      </tr>

    <tr>

      <td>Password</td>

      <td><input type="password" id="password" name="password" maxlength="10" value="*******"/></td>

      </tr>

      <tr>

      <td>email</td>

      <td><input type="text" id="email" name="email" maxlength="50" value="<?php echo $email;?>"/></td>

      </tr>

    <tr>

      <td>Select user type </td>

      <td><select  name="type" id="type" >

        <option value="admin" <?php if($type==admin){ echo 'selected="selected"';} ?>> Admin </option>

        <option value="labassistant" <?php if($type==labassistant){ echo 'selected="selected"';} ?>> Lab Assistant </option>

        <option value="storekeeper" <?php if($type==storekeeper){ echo 'selected="selected"';} ?>> Store Keeper </option>

        </select></td>

      </tr>

     

    

    <tr>

      <td></td>

      <td><input type="submit" name="button" id="button" value="Edit user"/></td>

      </tr>

    </table>

I need good idea to show password edit text area. This method isnt good because every time admin press edit button he must change the user password(validation do not allow to save stars). Hope you guys will come up with good idea.

dan-dan · 06-15-2012, 11:05 PM

Have I got this right. You want to allow admins to edit regular users passwords? Passwords should never be revealed to or changed by anyone other than the account holder.

felgall · 06-15-2012, 11:06 PM

Change the PHP so that when the ****** are passed in the password field that all of the other fields except the password get updated. Of course that field should be hidden if the login doesn't belong to the current user.

viddz · 06-15-2012, 11:18 PM

@dan-dan thanku
yeah u got it right. What about small inventory contrl system with admin rights ??? You still think admins shouldnt change user passwords ?? Then admins dont have full control over user. I dont reveal password here thats why i have put stars.

@felgall
yeah ican do it easily but it means iam revealing user passwords. I dont wanna do that.

dan-dan · 06-15-2012, 11:34 PM

Passwords should never be available to anyone as that completely comprimises the security of your site/software! Imagine one admins account got hacked, that would mean they'd have the ability to change everyones password on your entire site.
They should be stored and hashed in a database!

Edit: What do you think you'll gain by having the ability to change their passwords?
You can still take away priviledges or ban them, and if they loose their password you can send them a new one (after properly validating the user).

felgall · 06-15-2012, 11:45 PM

You shouldn't have the ability to see existing passwords because all the passwords should be salted and hashed before they are saved and therefore there should be no way to obtain the password unless you already know it.

viddz · 06-16-2012, 12:09 AM

@dan-dan
Thanku. If admin got hacked they can delete users too. Any how thanku for ur ideas

Decided not to put any edit password option