Ticket #10959 (closed PLIP: fixed)
API for password validation policy
Reported by: djay
Owned by:
Keywords:
Cc: ggozad, plip-advisories@…, djay, mitchell
Description (last modified by djay)
Proposer: Dylan Jay Seconder: Ken Wasetis
Individual site policies might call for different levels of password strength. Currently there is no API to easily integrate alternative password strength rules into Plone.
This PLIP is for the API only and won't change the current default strength Plone uses for passwords. However, because we need to support adding users without passwords, and because setting an initial password that meets all rules of all plugins is hard, we assume we will change the policy of generating a 5-char password. Instead we will set a very long random password no one will ever see, since the password reset tool is used to send a welcome email with a link to set a new password. We'll also assume there could be multiple plugins working at once. Each plugin will return a set of error messages which will already be translated.
Proposal & Implementation
PAS already has plugins for validating user properties. This would be an obvious choice. The Products.PasswordStrength plugin is implemented as a PAS plugin. If desired, a more z3-style API could be created instead. A much longer, stronger password will be generated that is likely to pass any validation. Since this is never sent it doesn't need to exactly match any policy.
- Changes to plone.app.users to call out to the API to validate the password.
- i18n is the responsibility of the password validation plugin.
- Documentation needs to be created on creating a password validation plugin.
- Move the current default 5-char validation to a plugin of its own instead of in plone.app.users. Probably in Products.PlonePAS.
- A new workflow for adding new users without setting a password and without sending a clear text password.
- We will have to join i18n strings together in an i18n way because we are getting multiple errors from different plugins.
Dylan Jay - djay.
Similar changes have been done for Plone 3.x as part of Products.PasswordStrength. These would be migrated to the new Plone 4 implementation.
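The following is an added, stand-alone model of the policy described in this PLIP; it is not code from Plone, plone.app.users, Products.PlonePAS or Products.PasswordStrength, and it does not use the real PAS plugin interfaces. It shows the three pieces the proposal calls for: the existing 5-char rule as one plugin among several, every plugin consulted and its already-translated messages concatenated, and a long random placeholder password set on new accounts instead of a short one. Names such as minimum_length_validator, validate_password, join_errors and generate_initial_password are assumptions made for this example.

```python
"""Illustrative model of a plugin-based password policy (example for this page).

Not Plone, PAS or Products.PasswordStrength code; the function names below
are assumptions made for this example.
"""
import secrets
import string
from typing import Callable, Iterable, List

# A validator takes the candidate password and returns a list of
# already-translated error messages. An empty list means "accepted".
Validator = Callable[[str], List[str]]


def minimum_length_validator(minimum: int) -> Validator:
    """The current default rule (5 characters), moved into a plugin of its own."""
    def check(password: str) -> List[str]:
        if len(password) < minimum:
            return ["Password must be at least %d characters." % minimum]
        return []
    return check


def character_class_validator(password: str) -> List[str]:
    """A stricter site-specific rule that can run alongside the default one."""
    errors = []
    if not any(c.isdigit() for c in password):
        errors.append("Password must contain at least one digit.")
    if not any(c.isupper() for c in password):
        errors.append("Password must contain at least one upper-case letter.")
    return errors


def validate_password(password: str, validators: Iterable[Validator]) -> List[str]:
    """Run every registered plugin and collect all of their messages.

    Each plugin is consulted even after an earlier one has failed, so the
    user sees every problem at once instead of one per round-trip.
    """
    errors: List[str] = []
    for validator in validators:
        errors.extend(validator(password))
    return errors


def join_errors(errors: List[str], separator: str = " ") -> str:
    """Join messages from several plugins; translation already happened in each plugin."""
    return separator.join(errors)


def generate_initial_password(length: int = 64) -> str:
    """Long random placeholder stored on a new account instead of a 5-char one.

    Nobody ever sees it: the user receives a reset link and chooses a real
    password. `secrets` is used so the placeholder is not guessable.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample policy: the default rule plus one site-specific rule.
    policy = [minimum_length_validator(5), character_class_validator]
    for candidate in ("abc", "abcdef", "Abcdef1"):
        problems = validate_password(candidate, policy)
        print("%-8s -> %s" % (candidate, join_errors(problems) or "OK"))
    placeholder = generate_initial_password()
    # The placeholder is merely likely to pass; it is never shown or validated.
    print("placeholder length:", len(placeholder),
          "passes policy:", not validate_password(placeholder, policy))
```

The point worth noticing is that aggregation lives in one place (validate_password) while each plugin owns its own wording and translation, which is exactly the split the proposal asks for between plone.app.users and the validation plugins.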
- Summary changed from PLIP: API for password validation policy to API for password validation policy
comment:13 Changed 3 years ago by djay
- Status changed from closed to reopened
- Resolution wontfix deleted
- Milestone changed from Future to 4.2
comment:47 Changed 2 years ago by eleddy
- Cc mitchell added
- Status changed from reopened to confirmed
- Version set to 4.1
- Component changed from Unknown to Backend (Python)