[web2py] Re: change_password validator

2017-11-07 Thread Anthony
Right, this is a bug. Reported here: 
https://github.com/web2py/web2py/issues/1800

Anthony

On Tuesday, November 7, 2017 at 2:41:12 PM UTC-5, mark.phi...@gmail.com 
wrote:
>
> I just encountered the same problem that was described above. 
> I use the "auth.settings.password_min_length" variable in db.py and have 
> set it to 8 in my case. 
>
> For the initial login everything works as expected and all shorter 
> passwords are dismissed. However, when changing the password using the 
> change_password form, one is able to set a new password with a short length 
> down to length 1. 
>
> Since I was not sure whether I changed something in my application that 
> may have caused this problem, I just tested it with an unchanged web2py 
> version and was able to reproduce it. 
>
> Philipp
>
> On Sunday, August 27, 2017 at 6:09:25 PM UTC+2, Anthony wrote:
>>
>> First, the default validator is not IS_STRONG -- it is simply CRYPT with 
>> min_length set to auth.settings.password_min_length (which defaults to 4).
>>
>> Second, on the password change form, the validator is not ignored, but 
>> the min_length of CRYPT is set to 1 for the "Old Password" field only (this 
>> is not a problem, because the only validation that matters for the old 
>> password is that it matches the password stored in the database). The "New 
>> Password" field is validated with whatever validators have been defined for 
>> the password field.
>>
>> Anthony
>>
>> On Friday, August 18, 2017 at 9:09:56 AM UTC-4, tomasz bandura wrote:
>>>
>>> Hello,
>>>
>>> For the user registration I use just default validator (IS_STRONG) which 
>>> has defined only minimum length (4).
>>>
>>> The problem is during password changing (form=auth() --> 
>>> default/user/change_password) - validator is ignored and I can set password 
>>> with length=1
>>>
>>>  Should I set a validator separately?
>>>
>>> There is also parameter 'auth.settings.change_password_onvalidation' but 
>>> it hasn't any impact on changing pass action.
>>>
>>>
>>> Regards,
>>> Tomasz
>>>
>>
>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[web2py] Re: change_password validator

2017-08-27 Thread Anthony
First, the default validator is not IS_STRONG -- it is simply CRYPT with 
min_length set to auth.settings.password_min_length (which defaults to 4).

Second, on the password change form, the validator is not ignored, but the 
min_length of CRYPT is set to 1 for the "Old Password" field only (this is 
not a problem, because the only validation that matters for the old 
password is that it matches the password stored in the database). The "New 
Password" field is validated with whatever validators have been defined for 
the password field.

Anthony

On Friday, August 18, 2017 at 9:09:56 AM UTC-4, tomasz bandura wrote:
>
> Hello,
>
> For the user registration I use just default validator (IS_STRONG) which 
> has defined only minimum length (4).
>
> The problem is during password changing (form=auth() --> 
> default/user/change_password) - validator is ignored and I can set password 
> with length=1
>
>  Should I set a validator separately?
>
> There is also parameter 'auth.settings.change_password_onvalidation' but 
> it hasn't any impact on changing pass action.
>
>
> Regards,
> Tomasz
>



[web2py] Re: change_password validator

2017-08-27 Thread Alfonso Serra
I was able to set up IS_STRONG like this:

db.auth_user.password.requires.insert(0, IS_STRONG())

Be careful, after doing this users won't be able to log in if their password 
is not strong, validated.
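
The behaviour this thread expects, as an added example that is not part of any post and is not web2py code: a simplified stand-alone model in which login only compares against the stored hash, while the change-password path applies the minimum-length policy to the new password. The names `Account`, `check_policy`, `login` and `change_password`, the value 8 and the sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8  # constructed value, same as the setting mentioned in the thread

def digest_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_policy(password, min_length=MIN_LENGTH):
    """Return an error message, or None when the password meets the policy."""
    if len(password) < min_length:
        return "new password must be at least %d characters" % min_length
    return None

class Account:
    def __init__(self, password):
        # Models a legacy account: its password may predate the policy,
        # so no policy check is applied to the stored value here.
        self.salt = os.urandom(16)
        self.digest = digest_password(password, self.salt)

    def verify(self, password):
        return hmac.compare_digest(self.digest, digest_password(password, self.salt))

def login(account, password):
    # Login only needs a match against the stored hash. Applying the
    # strength policy here would lock out users with older, weaker passwords.
    return account.verify(password)

def change_password(account, old, new, confirm):
    """Return (ok, error). The policy applies to the new password only."""
    if not account.verify(old):
        return False, "invalid old password"
    if new != confirm:
        return False, "password fields don't match"
    error = check_policy(new)
    if error:
        return False, error
    account.salt = os.urandom(16)
    account.digest = digest_password(new, account.salt)
    return True, None
```

The same assertions make a useful regression test for any flow that sets a password (registration, change, reset), so that a policy enforced on one path cannot be bypassed on another.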
