Page MenuHomePhabricator
Create Task
Maniphest T8272

Allow at least some class of admins to edit other user's settings
Closed, WontfixPublic
Actions

Description

We have a *private* and *closed* phabricator installation with single sign on using libphremoteuser.

On our installation only admins can create new user accounts.

The problem is after the admin creates a new user account, the user then has to know to link the external authentication named "Web Server" while logged in initially, or the user won't be able to log back in after the initial session is ended. Then the user has to contact an administrator to get another invite email to enable them to login again.

I thought I would fix this by going to each user and editing their settings for them - but no, that is surprisingly (shockingly?) not allowed!!!

So far after a lot of searching I cannot find any simple (or documented) way to allow *somebody* to edit other users settings, either through the browser interface or the command line.

This is a needless source of frustration and irritation - both for our new users and the administrators.

Now yes, because I have root privileges on our server I can solve this problem eventually by spending enough days studying phabricator code to hack the php that is keeping me from being able to edit other user's settings - but why?

Event Timeline

ArtMillComp created this task.May 20 2015, 6:52 AM
ArtMillComp raised the priority of this task from to Needs Triage.
ArtMillComp updated the task description. (Show Details)
ArtMillComp added a subscriber: ArtMillComp.
epriestley closed this task as Wontfix.May 20 2015, 1:37 PM
epriestley claimed this task.
epriestley added a subscriber: epriestley.

Placing severe limits on the power of administrators is an intentional design decision. See here for discussion:

https://secure.phabricator.com/book/phabricator/article/users/

We do not plan to ever allow administrators to edit other users' credentials or authentication.

ArtMillComp added a comment.May 20 2015, 2:26 PM

Yes, I had seen that web page *before* giving my comment!!

I *strongly disagree*. In our usage this places a needless burden on both users and administrators of phabricator.

While I understand your motivation for your usage, it makes *no sense* for mine.

Anyone who has root access to the server running phabricator and enough time *can ultimately edit* other users eventually - that is the whole point of root access. If that person or those persons are not trustworthy then all is lost anyway.

If your decision is firm, then mine will firmly be to come up with modifications to allow it - no matter how tedious that turns out to be.

ArtMillComp added a comment.May 20 2015, 3:58 PM

For the particular problem I ran into, if there were a way to pre link a user's account with the external authentication method to be used that would solve our immediate problem.

A number of our people are hardware gurus and have little patience with having to follow a set of easily misinterpreted instructions upon their first login - instructions that they will never have to refer to again.

sshannin added a subscriber: sshannin.May 20 2015, 4:09 PM

You could make their account for them (with a password you know), set thing up, and then hand it over.

ArtMillComp added a comment.May 20 2015, 5:14 PM

Thanks, I will do that for the accounts I make in the future. In the meantime I am still dealing with the accounts I have already created and that have already been used on their first login session lasting weeks in some cases.

Part of my frustration was due to the particular term "admin" and what that implies to me is something very different than the definition Phabricator uses. I also run our public forum, and what Phabricator terms an "admin" I am used to thinking of as a forum "moderator". What Phabricator is missing - in my opinion - is a true administrator level of user. Even if it is restricted to the command line, having true administrative capability would have solved this problem with much less irritation. Especially irritating was to learn that it is "by design". I (and I suspect many other administrators) have more than enough work to do without it being added to by "design decisions".

ArtMillComp added a comment.May 20 2015, 5:44 PM

Perhaps a less confusing name for what Phabricator has as "admin" should really be "Phacilitator" - because in the mind of those used to administering forums and other websites the current Phabricator "admin" is not at all what a real forum administrator is capable of.

Phabricator · Built by Phacility