Created users cannot perform admin tasks

[jaspertandy]

Describe the bug

I have an issue where users created via this plugin, and promoted to have admin, are not able to perform some admin tasks (such as adding admin to other users). This is because users created by this plugin do not have a password, and so can't enter anything into the popup that comes with certain admin tasks.

I can't find anything in the documentation on how to circumvent this without using the root account (which isn't controlled by this plugin) to either manually set a password to users, or add that admin privilege.

What is the preferred way to go about this?

I have noticed that the login expiry popup has a password field and an "or log in with social options" under it. Could it be that this is just missing from the admin popup? My thoughts were that creating a user via the social plugin should/could trigger the password reset email so that new users are encouraged to set a password, but it feels a little strange to force new users to create a password that they don't need.

Steps to reproduce

1. Enable Force Activation general setting
2. Enable user registration checked
3. Create a working provider
4. Log out of root account and log in with the new provider
5. User account is created and you can log in straight away
6. Log out of the account
7. Log into the root user account and add Admin to the newly-created user
8. Log out of the root account
9. Log into the social-login account that you just added admin to
10. Go to users > root admin account, and try to copy the password reset URL
11. Observe password popup which is impossible to complete

Craft CMS version

4.5.5

Plugin version

1.0.9

Multi-site?

no

Additional context

No response

[engram-design]

That’s a great point, and something I’d not considered. I’ll need to look at what our options are here on this front.

You’re right that when the session expires, that pop up shows the login buttons for Social Login again, and we might need to see if that can be done for the elevated session pop up. There’s also complications on that as well, as we don’t want any user to elevate their session through simply logging into social media.

And having a password reset would be against the goals for the plugin to use another service as your login provider.

I’ll have to investigate, but for now that’s not going to work sorry.

[jaspertandy]

Thanks for coming back so quickly. Glad you agree, and I understand it's not a super easy one to solve. I can kinda circumvent it now by managing expectations that users created with this plugin can't be admins, but would be nice if they could be. Will wait to hear back from you but if I can provide anything further to help with this issue, please tag me.

[engram-design]

Yeah not an amazing situation. Or at the very least if they want to be an admin, they have to create a password with Craft (which is just for the elevated session).

[jaspertandy]

Yeah but the problem is, if you're already logged in you need a password to change your password, as changing your own password prompts you for your current password. You would have to have the root admin/an existing passworded admin copy your password reset URL so that you could do it without elevated access. But then I think you'd also need to log out before visiting that link but I haven't tried that.

Also I just upgraded to Craft 4.7.1 and the problem persists there. I know we already knew it would but just because my current version is no longer 4.5.5