Welcome Form: simplify onboarding new users with a New password form #16245
Description
name: Welcome Form / new Password / No initial Password
about: Letting the provisionned user choosing his new password by secure token and his personal email
labels: new form, User management, provision new user wo initial password
This feature request is targetting specific NC use case: EXTRANET for Sales/Customers
Is your feature request related to a problem? Please describe.
- "Creating a New User" is leaking a little bit the security basics. Because Nextcloud admin has to enter (and choose) an initial password, he would surely choose the same password for all the new provisionned users. This could be lead to a security breach of not used accounts. This would be the same (worst!) with the User Provisioing API
- Automatic Welcome email sending when a new User is provisionned is not adequate for some business cases. (Settings "send email to new user")
Our sales/Business in charge of new users do not want that email coming from a generic email account , were sent to their customers for the first time(because of all the spam ... they prefer to manage communication themselves with their customers/new users). Moreover, they want to prepare the new users account with sharing / uploading initial files into. - Appeal new users with some personal files , admin could upload for him , before his first login. First Login must be simpler with nothing else that email to remember, letting choosing the new users his own password, and discovering the values of Nextcloud (extranet for sale/customer)
- For ergonomy, the Welcome email could be really better, because the first time the user arrives on the Nextcloud server , he has to remember the initial password. Surely , he will click on the Forgotten password link... Welcome email should lead to an URL that show a New password form. and so user could choose himself the initial password , with tokenized URL sent in a second phase into his email inbox. In our case: Welcome email is not used.
Describe the solution you'd like
Role must be better defined in the Provisioning processes:
-
Admin is in charge of provisionning users with their personal email and other personal info (making possible double-factors auth). Admin should not care about an initial password, because a welcome email is sent to the personal (secured) email inbox of each users.
Business/Sales people (in charge of facing new users) do not want an automatic email sending when a new user is provisionned. Preparing the extranet with some initial files requires times , and welcome email is not sent automatic after the user provisionning. Sales would communicate with his customer for letting him know its extranet is ready. -
User must be able to start within a welcome form , dedicated for choosing new password
=> A new password form , routed by URL and GET parameter : email would make possible a warmer onboarding of new users that the Login form.
Describe alternatives you've considered
The existing LostController / lostpassword page could be used as entry point for a welcome page , but the wording would lead to disappointement of new users: Why the page is talking about lost password, although the user has never choosen a password, never login the nextcloud server
Additional context
This feature is available into a branch based on stable16.