Invite new users in Matomo, rather than creating them directly #13321

Closed
mattab opened this issue Aug 20, 2018 · 10 comments · Fixed by #18868
@mattab
Member

mattab commented Aug 20, 2018

The goal is to change the way Matomo creates new users (i.e. team members), by introducing an Invitation system. Instead of directly creating accounts for people, a Super User (or a user with Admin access) would invite a new person to join the Matomo platform, and they have to then accept the invitation (click a button in the invitation email, within a period of up to 4 weeks or so). When accepting the invitation they can set their secure password.

The invitation solution is used in products like GitHub and Slack. Let us look at how they do it and get inspired?

Notes:

  • For flexibility reasons, the API should allow bypassing the invitation process, and directly force-create a new valid user.
  • For API BC reasons, should we keep the default behavior as "no invite" or do we switch to invite by default?
  • Initially we thought of having a WordPress-like email notification system in "Send an email to a new user when the account is created" #12797 but then realised it's better to always invite people so they can agree to Terms & conditions, for example.
  • more feedback?
@mattab mattab added Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. c: Usability For issues that let users achieve a defined goal more effectively or efficiently. labels Aug 20, 2018
@mattab mattab added this to the 3.7.0 milestone Aug 20, 2018
@fdellwing
Contributor

Take a look at https://github.com/opf/openproject, it has such a system (a good one in my opinion) and is completely open source.

@mattab mattab modified the milestones: 3.7.0, 3.8.0 Oct 8, 2018
@diosmosis diosmosis assigned diosmosis and unassigned diosmosis Mar 4, 2019
@tsteur tsteur modified the milestones: 3.9.0, 3.11.0 Mar 4, 2019
@mattab mattab removed this from the 3.12.0 milestone Mar 20, 2019
@mattab mattab added the c: Onboarding For issues that make the experience of getting Matomo up and running better. label Oct 8, 2019
@tsteur tsteur added this to the 4.6.0 milestone Nov 10, 2021
@tsteur
Member

tsteur commented Nov 10, 2021

Here are already a few notes:

  • In UI "Add new user" button becomes "Invite a new user".
    • Password field removed.
    • Username field stays. Why? Because it won't be easy to configure that user without username in Matomo as it's the ID.
  • New API for "invite user". Old "addUser" we still keep for BC and possibly also beyond that
  • Activity log should recognise "invite user" and "invite user accepted".
  • Need a UI to "manage invitations"
    • remove a pending invite.
    • resend a pending invite
    • see when it expires
    • see a list of all invited people
    • We show this as part of the "Manage users" screen above the list of regular users below the "invite a new user" button.
  • Have eg a new column in user table "invite_token" and "invite_expire". The token should be hashed in the DB and not in plain text. Could use eg password_hash for example. By default, the invite is valid for 7 days. This needs to be configurable using the API parameter and as a configuration option.
  • While user is being invited, a super user or admin can already configure access to sites for that invited user
  • The invited user receives an email with a button to accept the invite.
    • Then the screen shows up to sign up where a user enters password etc see below
    • A user can also decline the invite in which case the person that created the invite is being notified by email and we remove the user entry to have no personal data in there. (we might need to store in the user table who invited the user, if that user login no longer exists then we don't notify anyone)
    • If the invite is expired, then we also remove the user from the DB and send an email to the person that created that user
  • When a user clicks on accept invite, they enter their password. If privacy policy or terms is configured, then we show these links. We say eg if privacy policy is configured: By signing up, I accept the Privacy Policy. If terms is configured we say it similarly for terms. If both are configured then we mention both.
    • FYI Later we will post some event to hook into the invite screen so we can ask more questions like their role etc.
  • How do we signal in "Manage users" screen that we're waiting for invite to be accepted? Maybe we don't list them there and permissions need to be edited in the "manage invitations" screen?
  • Invited users can be seen by super users, and the person that invited that user.
  • An invited user that hasn't accepted the invite yet, the invite can be removed by these super users or the person that invited the user.
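
Added example (not part of the comment above and not Matomo's code): a PHP sketch of the proposed `invite_token` / `invite_expire` handling with `password_hash`, covering the 7-day default, expiry, and single use. The function names, the in-memory row array and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers illustrating the proposal; not Matomo's implementation.
const DEFAULT_INVITE_DAYS = 7; // default validity stated in the comment above

/** Create an invite: returns [plaintext token for the email link, row to store]. */
function createInvite(string $login, int $now, int $validDays = DEFAULT_INVITE_DAYS): array
{
    $token = bin2hex(random_bytes(32)); // 256-bit random token, sent only by email
    $row = [
        'login'         => $login,
        'invite_token'  => password_hash($token, PASSWORD_DEFAULT), // only the hash is stored
        'invite_expire' => $now + $validDays * 86400,
    ];
    return [$token, $row];
}

/**
 * Accept an invite. Because password_hash() salts every hash, the row cannot be
 * looked up by token; it is looked up by login and the token is then verified.
 * Returns the activated row, or null when the invite must be rejected.
 */
function acceptInvite(?array $row, string $token, string $newPassword, int $now): ?array
{
    if ($row === null || $row['invite_token'] === null) {
        return null; // unknown login, or invite already used or removed
    }
    if ($now > $row['invite_expire']) {
        return null; // expired: the caller removes the pending user
    }
    if (!password_verify($token, $row['invite_token'])) {
        return null; // wrong token
    }
    $row['password'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $row['invite_token'] = null;  // single use: the same link cannot be replayed
    $row['invite_expire'] = null;
    return $row;
}

// Constructed sample run: wrong token, expired link, valid accept, replay.
$now = 1700000000;
[$token, $row] = createInvite('alice', $now);
var_dump(acceptInvite($row, 'wrong-token', 'S3cure-pass', $now + 3600) === null);
var_dump(acceptInvite($row, $token, 'S3cure-pass', $now + 8 * 86400) === null);
$active = acceptInvite($row, $token, 'S3cure-pass', $now + 3600);
var_dump($active !== null && $active['invite_token'] === null);
var_dump(acceptInvite($active, $token, 'other-pass', $now + 7200) === null);
```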

@tsteur tsteur modified the milestones: 4.6.0, 4.7.0 Nov 10, 2021
@peterhashair peterhashair self-assigned this Nov 17, 2021
@peterhashair
Contributor

peterhashair commented Nov 18, 2021

@tsteur @mattab I got it working on my local, just doing a final tidy up. Also checking the interface before I push my PR. I add a status filter and status into the user table column, which shows the active or pending users. Maybe we need another action button that they can resend the invite again. Currently, I set the token to expire in 3 days. Let me know if we want to make a different tab just for invite users.

@tsteur
Member

tsteur commented Nov 18, 2021

@peterhashair Be good to add a new action for resending the invite 👍

> Currently, I set the token to expire in 3 days.

See above. By default, the invite is valid for 7 days. This needs to be configurable using the API parameter (when inviting a specific user) and as a configuration option for overall default time.

> Let me know if we want to make a different tab just for invite users.

Looks pretty good like above so far on the screenshot but haven't checked it out yet in the actual UI. I think we might not need a different tab for it.

@justinvelluppillai justinvelluppillai modified the milestones: 4.7.0, 4.8.0 Jan 18, 2022
@peterhashair peterhashair modified the milestones: 4.8.0, 4.9.0 Feb 23, 2022
@MatomoForumNotifications

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/automatischer-passwortversand-bei-anlegen-von-neuen-benutzer/44963/3

@justinvelluppillai justinvelluppillai removed this from the 4.9.0 milestone Apr 12, 2022
@justinvelluppillai justinvelluppillai added this to the 4.10.0 milestone Apr 12, 2022
@sgiehl sgiehl modified the milestones: 4.10.0, 4.11.0 May 5, 2022
@bluikko

bluikko commented Aug 8, 2022

Is this feature correctly disabled, or can it be disabled, if LoginLdap is enabled?

@sgiehl
Member

sgiehl commented Aug 8, 2022

Hi @bluikko. I don't have Ldap set up locally, so I can't answer that question easily. Maybe @AltamashShaikh can say something on that.
Was adding a user disabled for LoginLdap plugin? If changes are required for LoginLdap, might be good to create a follow up issue there.

@Quentinix

Hello,
I would like a solution to still create an account without the new invitation system, because I don't have a solution to send emails immediately.

@sgiehl
Member

sgiehl commented Aug 29, 2022

Hi @Quentinix
We are already working on a solution for this in #19625

@basos9

basos9 commented Sep 21, 2022

Hello,
This is a nice feature.
Nevertheless I could suggest to enable the user creation via the cli (./console) as well.

In a stage installation that we also use the setting emails_enabled = 0, there is no way to create a user from UI or CLI.
