In Reference Application 2.3, in the Admin UI module, we intentionally do not allow an admin to set another user's password (principle of "non-repudiation"), even though this was previously allowed in the Legacy UI.
However, per complaint by James Arbaugh, we are being too strict: in real life there needs to be some way to unlock a user account if the user has forgotten their password and secret question/answer.
- On the Edit Account page (e.g. http://demo.openmrs.org/openmrs/adminui/systemadmin/accounts/account.page?personId=4) for someone that has a user account, there should be a Reset Password button
- Clicking the Reset Password button should pop up a confirmation dialog
- If you say Yes to the confirmation dialog, then
- the user's password should be set to a new random password
- the "need to change password" flag should be set to true for the user
- the auto-generated password should be displayed on the screen with instructions telling the admin to communicate this to the user for a one-time login, then they can set their own password.
- a line must be written (at INFO level) to the log file saying which user changed the password of which other user
- Create another ticket (with a barebones description), for a future release, about capturing email addresses for users, so they may safely reset passwords themselves.