Admin able to set new plaintext user password – security problem?

So I am working on this application that can be deployed and run by anyone on their server. Most often it is run as a web service. In our new version we removed the possibility for admins to set and view a user's new password in the account management. (The old password was never visible, as there was only a salted hash of it.)
The new password reset process now uses a reset link sent to the user via email. Our reasoning was that the password is supposed to be a secret known only to the user, so that his identity can be verified as part of the authentication process. So: the user receives an email with a reset link, sets his password, the hash is stored in the database, all good. The admin never gets a glimpse of the password itself. If an admin could see the new password (like before), the password would no longer be knowledge of the user alone and would lose its value as a means of verifying identity. That is the idea.

Some complaints came in that this would undermine the admin role and that it should be the admins' choice whether they want to provide a system with this strict authentication part or not. While I can partly relate to that argument, my argument is that the user himself cannot see how the system is configured but rather expects real authentication to be in place. Many users don't see the potential risks of someone else knowing their password. Another complaint was the strong reliance on email (which could probably be mitigated by using other means like authenticator apps).

How do you see this?
– Is this not a standard procedure for password resets?
– Should this be a configurable part like “allow admin to set new password”?
– What do you think about allowing the admin to set at least an initial password for users that has to be changed on next login, communicating this initial pw out of band to the user?

Regardless of your stance on this, I would love to hear your conceptual reasoning. Appreciate your comments.
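The two flows weighed in the question, as an added illustration (not the poster's application): a reset link whose token is issued once, stored only as a digest and expires, versus an admin-set initial password that is flagged so the first login forces the user to replace it. The class names, the one-hour token lifetime and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

def hash_password(password, salt=None):
    """Salted PBKDF2 digest; only this is stored, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class User:
    def __init__(self):
        self.salt = self.pw_hash = None
        self.must_change_password = False

    def set_password(self, password, chosen_by_user=True):
        self.salt, self.pw_hash = hash_password(password)
        # An admin-chosen initial password is not yet a user-only secret:
        # flag it so the first login forces the user to replace it.
        self.must_change_password = not chosen_by_user

    def check_password(self, password):
        return hmac.compare_digest(hash_password(password, self.salt)[1], self.pw_hash)

class ResetService:
    TOKEN_TTL = 3600  # reset-link lifetime in seconds (assumed value)

    def __init__(self):
        self._pending = {}  # sha256(token) -> (user, expiry); raw token never stored

    def issue(self, user, now=None):
        """Return the one-time token that goes into the emailed reset link."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        expiry = (time.time() if now is None else now) + self.TOKEN_TTL
        self._pending[digest] = (user, expiry)
        return token

    def redeem(self, token, new_password, now=None):
        """Consume the token; the replacement password comes from the user alone."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # single use, whether or not it succeeds
        if entry is None or (time.time() if now is None else now) > entry[1]:
            return False
        entry[0].set_password(new_password, chosen_by_user=True)
        return True
```

A database read of `_pending` yields only digests, so a leaked table does not hand out working reset links; the admin's initial password path never touches the token store.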

Regular user logs in as ADMIN if admin logged in recently

Just found a crazy vulnerability and have no idea how to fix it.

Here is a situation:

  1. Admin logs in to a website.
  2. Regular user logs in using their credentials within the next few minutes.
  3. Instead of logging in to their profile, they get access to admin resources. Their username is reflected as admin and they have access to all the features.

Why is this happening and how to stop it?

This is not the first time it has happened and I am really concerned about it. I am using the OptimizePress plugin for creating a custom login page. I don't know if it may be related to the problem.

How to collect all MAC addresses inside a local WiFi network if you’re admin at 192.168.0.1

I am not going to specify the model of router, because I’m looking for a universal solution, presuming that I am inside the local network.

1) The obvious way to do that would be by sending syslog; most TP-Link routers have a page where you can hourly email logs to an external email address. And all router syslogs definitely contain those MAC addresses. The problem with this method is that most ISPs block port 25 for outbound connections, so you can’t use any external SMTP servers (only internal SMTP servers, which are absent in most guest networks).

2) A less attractive way is bringing your laptop and asking for the wifi password. I call it less attractive because it requires physical presence with a laptop inside the local network (being connected as a guest to the WiFi router).

3) Another way is using Android apps which scan MAC addresses, which also requires physical presence.

4) And of course using Dynamic DNS to connect to the router. But most ISPs put the routers behind NAT and multiple VLANs, so that you couldn’t access it even from within the ISP’s internal network.

5) Also exclude the ability to use OpenWRT or other custom firmware, because it is a time-consuming process that requires too much physical presence.

6) But it could be useful to include some $10 devices which could collect that info by always being inside the wifi network (are there such devices available in Chinese electronics markets?).

Am I missing some obvious ways to spy on MAC addresses on someone’s wifi network?

I ask this question because I want to understand all the ways someone might use to leak the MAC addresses of those devices from an internal network with the cheapest wifi routers.

Adding a “Delete Row” Button to Infopath form on SharePoint Online asking for Admin Approval

Been looking for a solution to add a “delete row button” for each row on a repeating table form. Migrated over to SharePoint Online, but since InfoPath is being deprecated by 2026, some of the InfoPath toggles that were in Central Admin (as is Central Admin itself) are gone from SP Online.

I get the error “Error when publishing from InfoPath” when I try to publish a form where I used the edit code button (for a button element) and added this code:

e.Source.DeleteSelf();

It works perfectly sandboxed, but since sandboxed solutions have also been deprecated I suppose that is why I am getting this error. Is there a way around this, or another solution to make a “Delete Row” button in a Repeating Table form? Yes, I have Farm/Admin rights. SP Online, InfoPath 2013.

Django admin site: add HTML link

admin.py

@admin.register(StudentsEnrollmentRecord)
class StudentsEnrollmentRecord(admin.ModelAdmin):
    list_display = ('Student_Users', 'School_Year', '<a href="#">Report</a>')
    ordering = ('Education_Levels',)
    list_filter = ('Student_Users',)

I just want to add the HTML link in the admin site, so that if the admin clicks “Report” it will filter the selected StudentsEnrollmentRecord to an HTML file.
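The way a per-row link is normally added to a Django changelist, as an added example rather than the poster's code: `list_display` entries are field or callable names, so the raw `<a>` string is looked up as a model field and fails, while a callable that receives the row and returns escaped markup works. It assumes `Student_Users` is a ForeignKey (so the admin's own filter parameter is `Student_Users__id__exact`), uses a placeholder changelist path where a project would call `reverse()`, and falls back to stdlib behaviour when Django is not importable so it runs on its own; Django's `format_html` is an equivalent to the manual `escape` + `mark_safe` shown.

```python
from dataclasses import dataclass
from html import escape
from urllib.parse import urlencode

try:
    from django.utils.safestring import mark_safe
except ImportError:  # running outside Django, e.g. this file on its own
    def mark_safe(s):
        return s


@dataclass
class FakeRecord:
    """Constructed stand-in for one StudentsEnrollmentRecord row."""
    Student_Users_id: int
    School_Year: str


def report_url(obj, changelist_url="/admin/students/studentsenrollmentrecord/"):
    """Changelist URL pre-filtered to this row's student.

    Assumes Student_Users is a ForeignKey, so the admin filter parameter is
    Student_Users__id__exact. The default path is a placeholder; a project would
    pass reverse('admin:<app>_studentsenrollmentrecord_changelist') instead.
    urlencode keeps the value to exactly one parameter, whatever it contains.
    """
    return changelist_url + "?" + urlencode({"Student_Users__id__exact": obj.Student_Users_id})


def report_link(obj):
    """list_display callable: receives the row object, returns the cell's HTML.

    A raw '<a href="#">Report</a>' string in list_display is treated as a field
    name and fails; a callable is the supported way in. The href is escaped
    before mark_safe, so only this function's own markup is trusted as HTML.
    """
    return mark_safe('<a href="{}">Report</a>'.format(escape(report_url(obj))))


report_link.short_description = "Report"  # column header shown by the admin

# admin.py wiring, keeping the poster's other settings:
#   @admin.register(StudentsEnrollmentRecord)
#   class StudentsEnrollmentRecordAdmin(admin.ModelAdmin):
#       list_display = ('Student_Users', 'School_Year', report_link)
#       ordering = ('Education_Levels',)
#       list_filter = ('Student_Users',)
```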

How do I scope out why I have two “posts” menus in an admin?

A site I’m working on has an odd problem: two sets of “posts” menus in the admin. The client brought me on board and says “it’s been there a while”. How would I go about finding out why there are two sets? The site was brought into WordPress from Drupal. I created the theme, but the client was active in bringing content over. How we got a duplicate “posts” menu I do not know, and neither does he.

Where would I start with figuring this out? I’ve tried deactivating and reactivating plug-ins and have found no clues in that regard.