Rebased to branch from [#7436] and force-pushed. See details in my comment on [#7436]
--- ** [tickets:#7432] Password expiration** **Status:** code-review **Milestone:** limbo **Labels:** 42cc **Created:** Mon Jun 02, 2014 09:24 PM UTC by Dave Brondsema **Last Updated:** Thu Jun 05, 2014 07:16 AM UTC **Owner:** nobody Site administrators should be able to control password expiration rules for accounts. I think there are 2 ways we should support now: a number of days since last changed (e.g. `auth.pwdexpire.days = 180`) and a force reset for everyone before a certain time (e.g. `auth.pwdexpire.before = 1401742705`). They should be complimentary, so both settings could potentially be used at the same time. Default to no expirations. This should rely on the AuthenticationProvider interface, so different implementations can record the field for last time a password was changed in their own way. I'm thinking perhaps each provider should be responsible for setting it within their `set_password` and then have a new method to get that value for a given user. Then the logic & forms of this new feature can work with any auth provider. Implement as a mongo field for the LocalAuthenticationProvider. I think for the LDAP provider, we should use the same mongo field on the User model (storing in LDAP would be nice, but could require an LDAP schema change for admins and we have a mongo user record for everyone anyway). Upon successful login, if a password is expired, require the user to change their password before continuing anywhere in the site. Using the existing `password_change_form` seems good: requiring entering old password again and new one twice. --- Sent from sourceforge.net because [email protected] is subscribed to https://sourceforge.net/p/allura/tickets/ To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/allura/admin/tickets/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.
