- **status**: code-review --> in-progress
- **QA**: Dave Brondsema
- **Comment**:

* `TestLocalAuthenticationProvider` and `TestAuthenticationProvider` probably 
would be better in `test_plugin.py`
* The expired password page should have text to explain to the user what is 
happening.  E.g. "Your {{site_name}} password has expired - You must now choose 
a new password before logging into the site"
* redirecting to / isn't that great.  The login form keeps a `return_to` hidden 
field.  Could that technique be used through the pwd_expired form too?
* Also it would be good to have commented-out examples of these new config 
options in development.ini so that admins can find out that it is available to 
them.

Thanks!



---

** [tickets:#7432] Password expiration**

**Status:** in-progress
**Milestone:** limbo
**Labels:** 42cc 
**Created:** Mon Jun 02, 2014 09:24 PM UTC by Dave Brondsema
**Last Updated:** Fri Jun 06, 2014 08:48 AM UTC
**Owner:** nobody

Site administrators should be able to control password expiration rules for 
accounts.  I think there are 2 ways we should support now: a number of days 
since last changed (e.g. `auth.pwdexpire.days = 180`) and a force reset for 
everyone before a certain time (e.g. `auth.pwdexpire.before = 1401742705`).  
They should be complimentary, so both settings could potentially be used at the 
same time.  Default to no expirations.

This should rely on the AuthenticationProvider interface, so different 
implementations can record the field for last time a password was changed in 
their own way.  I'm thinking perhaps each provider should be responsible for 
setting it within their `set_password` and then have a new method to get that 
value for a given user.  Then the logic & forms of this new feature can work 
with any auth provider.  Implement as a mongo field for the 
LocalAuthenticationProvider.  I think for the LDAP provider, we should use the 
same mongo field on the User model (storing in LDAP would be nice, but could 
require an LDAP schema change for admins and we have a mongo user record for 
everyone anyway).

Upon successful login, if a password is expired, require the user to change 
their password before continuing anywhere in the site.  Using the existing 
`password_change_form` seems good: requiring entering old password again and 
new one twice.


---

Sent from sourceforge.net because [email protected] is subscribed to 
https://sourceforge.net/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at 
https://sourceforge.net/p/allura/admin/tickets/options.  Or, if this is a 
mailing list, you can unsubscribe from the mailing list.

Reply via email to