Allow the initial admin to set a passwordrs-no-default-credentials

Closes #1980

2 files changed, 26 insertions, 0 deletions

diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb
index f74daff3bd0..a8575e037e4 100644
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -23,6 +23,14 @@ class PasswordsController < Devise::PasswordsController
     end
   end
 
+  def update
+    super do |resource|
+      if resource.valid? && resource.require_password?
+        resource.update_attribute(:password_automatically_set, false)
+      end
+    end
+  end
+
   protected
 
   def resource_from_email
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 44eb58e418b..65677a3dd3c 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -4,8 +4,10 @@ class SessionsController < Devise::SessionsController
 
   skip_before_action :check_2fa_requirement, only: [:destroy]
 
+  prepend_before_action :check_initial_setup, only: [:new]
   prepend_before_action :authenticate_with_two_factor, only: [:create]
   prepend_before_action :store_redirect_path, only: [:new]
+
   before_action :auto_sign_in_with_provider, only: [:new]
   before_action :load_recaptcha
 
@@ -33,6 +35,22 @@ class SessionsController < Devise::SessionsController
 
   private
 
+  # Handle an "initial setup" state, where there's only one user, it's an admin,
+  # and they require a password change.
+  def check_initial_setup
+    return unless User.count == 1
+
+    user = User.admins.last
+
+    return unless user && user.require_password?
+
+    token = user.generate_reset_token
+    user.save
+
+    redirect_to edit_user_password_path(reset_password_token: token),
+      notice: "Please create a password for your new account."
+  end
+
   def user_params
     params.require(:user).permit(:login, :password, :remember_me, :otp_attempt)
   end