From 56398ea1611b4bf1b3e27cc057ffb049e78e5173 Mon Sep 17 00:00:00 2001
From: Marin Jankovski
Date: Tue, 15 Jul 2014 13:25:11 +0200
Subject: Do not sent a generated password via email for admin created user.

---
 app/controllers/admin/users_controller.rb | 1 +
 app/mailers/emails/profile.rb | 3 ++-
 app/models/user.rb | 11 ++++++++++-
 app/services/notification_service.rb | 4 ++--
 app/views/notify/new_user_email.html.haml | 9 +-------
 app/views/notify/new_user_email.text.erb | 7 +------
 6 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 44c93471df4..1432fff8821 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -45,6 +45,7 @@ class Admin::UsersController < Admin::ApplicationController
 @user = User.new(user_params.merge(opts))
 @user.created_by_id = current_user.id
 @user.generate_password
+ @user.generate_reset_token
 @user.skip_confirmation!
 
 respond_to do |format|
diff --git a/app/mailers/emails/profile.rb b/app/mailers/emails/profile.rb
index f02d95fd557..4498b30691f 100644
--- a/app/mailers/emails/profile.rb
+++ b/app/mailers/emails/profile.rb
@@ -1,9 +1,10 @@
 module Emails
 module Profile
- def new_user_email(user_id, password)
+ def new_user_email(user_id, password, token)
 @user = User.find(user_id)
 @password = password
 @target_url = user_url(@user)
+ @token = token
 mail(to: @user.email, subject: subject("Account was created for you"))
 end
 
diff --git a/app/models/user.rb b/app/models/user.rb
index 19104336598..512df5d6408 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
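Review bot: `@user.generate_reset_token` is called before the save, so the raw token exists only in an instance variable until `post_create_hook` hands it to the mailer, and nothing on the hunk records that dependency; `@user.generate_password` on the line above still produces a password that the user will now never see. A short comment would keep a later refactor from reordering or dropping either call: `# Random password only satisfies validation; the user sets a real one via the reset link emailed from post_create_hook`. The surrounding `create` action continues outside the hunk.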
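Review bot: `@password = password` on the context line is dead once the templates in this commit stop rendering it, yet the plaintext password still travels from `NotificationService#new_user` through the arguments of `new_user_email`. Every layer that carries it is one more place the secret can be logged or serialized (mailer argument logging, deliver-later job payloads — presumably, depending on how mail is delivered here); since the reset link replaces it, drop the parameter rather than adding to it: `def new_user_email(user_id, token)` with the `@password` assignment removed, and `mailer.new_user_email(user.id, token)` in the notification service hunk. The `token = nil` default added to this same signature in "Update specs" has the same issue: it keeps the unused password while making the only useful argument optional.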
@@ -240,6 +240,15 @@ class User < ActiveRecord::Base
 end
 end
 
+ def generate_reset_token
+ @token, enc = Devise.token_generator.generate(self.class, :reset_password_token)
+
+ self.reset_password_token = enc
+ self.reset_password_sent_at = Time.now.utc
+
+ @token
+ end
+
 def namespace_uniq
 namespace_name = self.username
 if Namespace.find_by(path: namespace_name)
@@ -488,7 +497,7 @@ class User < ActiveRecord::Base
 
 def post_create_hook
 log_info("User \"#{self.name}\" (#{self.email}) was created")
- notification_service.new_user(self)
+ notification_service.new_user(self, @token)
 system_hook_service.execute_hooks_for(self, :create)
 end
 
diff --git a/app/services/notification_service.rb b/app/services/notification_service.rb
index e934c486c75..36d33e0d7ca 100644
--- a/app/services/notification_service.rb
+++ b/app/services/notification_service.rb
@@ -105,9 +105,9 @@ class NotificationService
 end
 
 # Notify new user with email after creation
- def new_user(user)
+ def new_user(user, token = nil)
 # Don't email omniauth created users
- mailer.new_user_email(user.id, user.password) unless user.extern_uid?
+ mailer.new_user_email(user.id, user.password, token) unless user.extern_uid?
 end
 
 # Notify users on new note in system
diff --git a/app/views/notify/new_user_email.html.haml b/app/views/notify/new_user_email.html.haml
index 09518cd3c7f..ebbe98dd472 100644
--- a/app/views/notify/new_user_email.html.haml
+++ b/app/views/notify/new_user_email.html.haml
@@ -11,11 +11,4 @@
 
 - if @user.created_by_id
 %p
- password..................................
- %code= @password
-
- %p
- You will be forced to change this password immediately after login.
-
-%p
- = link_to "Click here to login", root_url
+ = link_to "Click here to set your password", edit_password_url(@user, :reset_password_token => @token)
diff --git a/app/views/notify/new_user_email.text.erb b/app/views/notify/new_user_email.text.erb
index c21c95d3047..96b26879a77 100644
--- a/app/views/notify/new_user_email.text.erb
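Review bot: `generate_reset_token` has no doc comment and its contract is not obvious from the body: it returns the raw token, persists only `enc` (presumably the digest form, given the `Devise.token_generator.generate` call shape), and parks the raw value in `@token` so that `post_create_hook` can email it after the save. Setting `reset_password_sent_at` here also starts Devise's `reset_password_within` expiry clock at account creation rather than when the recipient opens the email, so an admin-created user who acts late must fall back to the forgot-password flow. A YARD comment above the method should state all three points: that the raw token is returned and must not be persisted or logged, that only the stored form goes to the database, and that the emailed link expires per `reset_password_within`.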
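Review bot: `notification_service.new_user(self, @token)` silently passes `nil` whenever `generate_reset_token` did not run on this same instance before the save, and the `token = nil` default added to `NotificationService#new_user` in this commit hides that further; nothing distinguishes "no token needed" from "token forgotten". Any other code path that sets `created_by_id` without calling `generate_reset_token` (I cannot see whether one exists) would therefore send an email whose reset link carries an empty token. A comment on this line, `# @token is only set when generate_reset_token ran on this instance before save (admin-created users)`, documents the coupling, and having `new_user` raise or skip when a `created_by_id` user arrives without a token would turn the silent case into a visible one.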
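Review bot: The removed `%p` / `= link_to "Click here to login", root_url` sat at column 0, outside the `- if @user.created_by_id` block, so every recipient used to get a login link; after this hunk only admin-created users get any link, and self-registered users (the notification service hunk sends this mail for every non-omniauth user) receive none. Keep the root link for everyone, or move it under an `- else` branch: `- else` / `%p` / `= link_to "Click here to login", root_url`. The new link is also rendered whenever `created_by_id` is set, even if `@token` is nil, which yields a URL with an empty `reset_password_token`; guard it with `- if @user.created_by_id && @token`, and prefer the `reset_password_token: @token` hash style the rest of this commit uses (`mail(to: …)`). The text template hunk that follows has the same regression.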
+++ b/app/views/notify/new_user_email.text.erb
@@ -4,10 +4,5 @@ The Administrator created an account for you. Now you are a member of the compan
 
 login.................. <%= @user.email %>
 <% if @user.created_by_id %>
- password............... <%= @password %>
-
- You will be forced to change this password immediately after login.
+ <%= link_to "Click here to set your password", edit_password_url(@user, :reset_password_token => @token) %>
 <% end %>
-
-
-Click here to login: <%= url_for(root_url) %>
-- 
cgit v1.2.1

From 44b819833407b81fd97873bebffc939c23294595 Mon Sep 17 00:00:00 2001
From: Marin Jankovski
Date: Tue, 15 Jul 2014 14:30:05 +0200
Subject: Do not set password expiry.

---
 app/controllers/admin/users_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 1432fff8821..b22a1c033ce 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -39,7 +39,7 @@ class Admin::UsersController < Admin::ApplicationController
 def create
 opts = {
 force_random_password: true,
- password_expires_at: Time.now
+ password_expires_at: nil
 }
 
 @user = User.new(user_params.merge(opts))
-- 
cgit v1.2.1

From 8968f6d874171edc4a95027ac25d2cf83e8b7858 Mon Sep 17 00:00:00 2001
From: Marin Jankovski
Date: Wed, 16 Jul 2014 09:51:20 +0200
Subject: Update specs.

---
 app/mailers/emails/profile.rb | 2 +-
 spec/mailers/notify_spec.rb | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/app/mailers/emails/profile.rb b/app/mailers/emails/profile.rb
index 4498b30691f..f8a7d133d1d 100644
--- a/app/mailers/emails/profile.rb
+++ b/app/mailers/emails/profile.rb
@@ -1,6 +1,6 @@
 module Emails
 module Profile
- def new_user_email(user_id, password, token)
+ def new_user_email(user_id, password, token = nil)
 @user = User.find(user_id)
 @password = password
 @target_url = user_url(@user)
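Review bot: `link_to` inside a `.text.erb` template emits an HTML anchor (`<a href="…">Click here to set your password</a>`) into a text/plain message, so recipients using a plain-text client see raw markup and no clickable URL; the removed line used a bare `url_for(root_url)`, which is the right shape for this template. Replace the added line with `Click here to set your password: <%= edit_password_url(@user, reset_password_token: @token) %>`. As in the HAML template, the removed "Click here to login" line sat outside the `<% if %>` block, so self-registered users now receive no link at all.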
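Review bot: `password_expires_at: nil` removes the only server-side guarantee that an admin-created user replaces the generated password; it is acceptable only because that password is no longer disclosed anywhere (the parent commit stopped emailing it), but nothing on the line says so. A comment such as `# No expiry needed: the generated password is never shown; the user sets their own via the reset link` records the assumption, so a later change that re-exposes the password does not silently lose the safeguard. If the reset link expires before it is used (Devise's `reset_password_within`, presumably in effect here), the forgot-password flow remains available to the user.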
diff --git a/spec/mailers/notify_spec.rb b/spec/mailers/notify_spec.rb
index d7230ec4341..314b2691c40 100644
--- a/spec/mailers/notify_spec.rb
+++ b/spec/mailers/notify_spec.rb
@@ -43,7 +43,7 @@ describe Notify do
 let(:example_site_path) { root_path }
 let(:new_user) { create(:user, email: 'newguy@example.com', created_by_id: 1) }
 
- subject { Notify.new_user_email(new_user.id, new_user.password) }
+ subject { Notify.new_user_email(new_user.id, new_user.password, 'kETLwRaayvigPq_x3SNM') }
 
 it_behaves_like 'an email sent from GitLab'
 
@@ -59,8 +59,12 @@ describe Notify do
 should have_body_text /#{new_user.email}/
 end
 
- it 'contains the new user\'s password' do
- should have_body_text /password/
+ it 'contains the password text' do
+ should have_body_text /Click here to set your password/
+ end
+
+ it 'includes a link for user to set password' do
+ should have_body_text 'http://localhost/users/password/edit?reset_password_token=kETLwRaayvigPq_x3SNM'
 end
 
 it 'includes a link to the site' do
-- 
cgit v1.2.1

From 188b6f48d4a29a254f4d8c5b0c810729888df47c Mon Sep 17 00:00:00 2001
From: Marin Jankovski
Date: Wed, 16 Jul 2014 10:01:13 +0200
Subject: Use a better name for token.

---
 app/models/user.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index 512df5d6408..15d6c028f06 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -241,12 +241,12 @@ class User < ActiveRecord::Base
 end
 
 def generate_reset_token
- @token, enc = Devise.token_generator.generate(self.class, :reset_password_token)
+ @reset_token, enc = Devise.token_generator.generate(self.class, :reset_password_token)
 
 self.reset_password_token = enc
 self.reset_password_sent_at = Time.now.utc
 
- @token
+ @reset_token
 end
 
 def namespace_uniq
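Review bot: The example renamed to `'contains the password text'` asserts the link text, not a password, so the name misleads; `'invites the user to set a password'` says what is checked. The literal token `'kETLwRaayvigPq_x3SNM'` is duplicated between the `subject` in the previous hunk and the URL expectation here; a `let(:token) { 'kETLwRaayvigPq_x3SNM' }` referenced from both keeps the two from drifting. The expected URL hard-codes `http://localhost`, which presumably comes from the test host configuration; that is fine as long as the other URL assertions in this spec follow the same convention.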
@@ -497,7 +497,7 @@ class User < ActiveRecord::Base
 
 def post_create_hook
 log_info("User \"#{self.name}\" (#{self.email}) was created")
- notification_service.new_user(self, @token)
+ notification_service.new_user(self, @reset_token)
 system_hook_service.execute_hooks_for(self, :create)
 end
 
-- 
cgit v1.2.1

From c0a95947bcc3b2321f28ecfe72519c69e5c81e74 Mon Sep 17 00:00:00 2001
From: Marin Jankovski
Date: Thu, 17 Jul 2014 14:03:17 +0200
Subject: Update the note for admin user.

---
 app/views/admin/users/_form.html.haml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/views/admin/users/_form.html.haml b/app/views/admin/users/_form.html.haml
index d00772d4dfe..e18dd9bc905 100644
--- a/app/views/admin/users/_form.html.haml
+++ b/app/views/admin/users/_form.html.haml
@@ -31,9 +31,9 @@
 = f.label :password, class: 'control-label'
 .col-sm-10
 %strong
- A temporary password will be generated and sent to user.
+ Reset link will be generated and sent to the user.
 %br
- User will be forced to change it after first sign in
+ User will be forced to set the password on first sign in.
 - else
 %fieldset
 %legend Password
-- 
cgit v1.2.1