[PLIP-Advisories] [Plone] #10959: API for password validation policy
Change notifications for Plone PLIPs on Trac.
plone-plip-advisories at lists.plone.org
Thu Aug 4 19:13:39 UTC 2011
#10959: API for password validation policy
---------------------+------------------------------------------------------
Reporter: djay | Owner:
Type: PLIP | Status: reopened
Priority: minor | Milestone: 4.3
Component: Unknown | Resolution:
Keywords: |
---------------------+------------------------------------------------------
Old description:
> '''Proposer''': Dylan Jay
> '''Seconder''': Ken Wasetis
>
> == Motivation ==
> Individual site policies might call for different levels of password
> strength. Currently there is no API to easily integrate alternative
> password strength rules into Plone.
> == Assumptions ==
> This PLIP is for the API only and won't change the current rules Plone uses
> for passwords. Code would need to contend with also setting an initial
> password. This may mean the initial password is stronger than it is now.
> == Proposal & Implementation ==
> PAS already has plugins for validating passwords. This would be an
> obvious choice. The Products.PasswordStrength plugin is implemented as a
> PAS plugin. If desired, a more z3 API could be created instead.
> == Deliverables ==
> Mainly changes to plone.app.users to call out to the API to validate the
> password. i18n is the responsibility of the password validation plugin.
> Documentation needs to be created on creating a password validation
> plugin.
> == Risks ==
> TBD.
> == Participants ==
> Dylan Jay - djay.
> == Progress ==
> Similar changes have been done for Plone 3.x as part of
> Products.PasswordStrength. These would be migrated to the new Plone 4
> implementation.
New description:
'''Proposer''': Dylan Jay
'''Seconder''': Ken Wasetis
== Motivation ==
Individual site policies might call for different levels of password
strength. Currently there is no API to easily integrate alternative
password strength rules into Plone.
== Assumptions ==
This PLIP is for the API only and won't change the current default strength
Plone uses for passwords.
However, because we need to support adding users without passwords and
because setting an initial password that meets all the rules of all plugins is
hard, we assume we will change the policy of sending a randomly generated
password to new users. Instead we will set a very long random password no
one will ever see and then modify the password reset tool to send a
welcome email with a link to set a new password.
We'll also assume there could be multiple plugins working at once.
Each plugin will return a set of error messages which will be already
translated.
== Proposal & Implementation ==
PAS already has plugins for validating user properties. This would be an
obvious choice. The Products.PasswordStrength plugin is implemented as a
PAS plugin. If desired, a more z3 API could be created instead.
Password reset tool will be changed to send a welcome email with a link.
Some new copy of the reset password page may be needed.
Option to "send email with password" will become "send email to set own
password".
== Deliverables ==
Changes to plone.app.users to call out to the API to validate the password.
i18n is the responsibility of the password validation plugin.
Documentation needs to be created on creating a password validation
plugin.
Move the current default 5-character validation to a plugin of its own instead
of in plone.app.users. Probably in Products.PlonePAS.
A new workflow for adding new users without setting a password and without
sending a clear text password.
== Risks ==
- That people expect to be able to send passwords in email.
- We will have to join i18n strings together in an i18n way because we are
getting multiple errors from different plugins.
== Participants ==
Dylan Jay - djay.
== Progress ==
Similar changes have been done for Plone 3.x as part of
Products.PasswordStrength. These would be migrated to the new Plone 4
implementation.
--
Comment(by djay):
Added in changing the policy of sending passwords in an email. Now use
password reset if you want to not choose a password.
--
Ticket URL: <http://dev.plone.org/plone/ticket/10959#comment:33>
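The following is an added, stand-alone illustration of the policy the PLIP describes; it is not Plone, PAS or Products.PasswordStrength code. It assumes a hypothetical plugin signature (password plus user properties in, a list of already-translated error messages out), a hypothetical `WelcomeFlow` that stands in for the changed password reset tool, and PBKDF2 as a placeholder for whatever hashing PAS would actually do. It shows the three moving parts the proposal relies on: several validation plugins running at once with all their messages collected, the historical 5-character rule living in a plugin of its own, and creating a user with a long random password nobody ever sees plus a one-time token for the welcome link.

```python
"""Added illustration of the PLIP's pluggable password policy (not Plone code)."""
import hashlib
import re
import secrets
from typing import Callable, Dict, List

# Hypothetical plugin signature (an assumption, not the PAS interface): a plugin
# receives the candidate password plus the user properties being set and returns
# a list of already-translated error messages. An empty list means "accepted".
Validator = Callable[[str, Dict[str, str]], List[str]]


def min_length_plugin(minimum: int = 5) -> Validator:
    """The historical 5-character default, moved into a plugin of its own."""
    def validate(password: str, props: Dict[str, str]) -> List[str]:
        if len(password) < minimum:
            return ["Passwords must contain at least %d characters." % minimum]
        return []
    return validate


def character_class_plugin(password: str, props: Dict[str, str]) -> List[str]:
    """A stricter site-specific rule: require at least one letter and one digit."""
    errors = []
    if not re.search(r"[A-Za-z]", password):
        errors.append("Password must contain a letter.")
    if not re.search(r"[0-9]", password):
        errors.append("Password must contain a digit.")
    return errors


def not_username_plugin(password: str, props: Dict[str, str]) -> List[str]:
    """Reject passwords that embed the username (case-insensitive)."""
    username = props.get("username", "")
    if username and username.lower() in password.lower():
        return ["Password must not contain the username."]
    return []


def validate_password(password: str, props: Dict[str, str],
                      plugins: List[Validator]) -> List[str]:
    """Run every plugin and collect all messages, de-duplicated, in plugin order.
    Joining them into one sentence is left to an i18n-aware caller."""
    messages: List[str] = []
    for plugin in plugins:
        for msg in plugin(password, props):
            if msg not in messages:
                messages.append(msg)
    return messages


DEFAULT_PLUGINS: List[Validator] = [
    min_length_plugin(5), character_class_plugin, not_username_plugin,
]


class WelcomeFlow:
    """Hypothetical stand-in for the changed reset tool: add a user without
    ever emailing a password, hand out a one-time token for the welcome link,
    and let the user pick a password that the plugin chain accepts."""

    def __init__(self, plugins: List[Validator]) -> None:
        self.plugins = plugins
        self.users: Dict[str, bytes] = {}   # username -> salt + PBKDF2 digest
        self.tokens: Dict[str, str] = {}    # one-time token -> username

    @staticmethod
    def _hash(password: str) -> bytes:
        # Placeholder hashing; the real store would be whatever PAS uses.
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return salt + digest

    def add_user(self, username: str) -> str:
        """Create the account with a 32-byte random password nobody sees and
        return the token that would be embedded in the welcome email link."""
        unseen_password = secrets.token_urlsafe(32)
        self.users[username] = self._hash(unseen_password)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = username
        return token

    def set_password(self, token: str, password: str) -> List[str]:
        """Validate with every plugin; consume the token only on success."""
        username = self.tokens.get(token)
        if username is None:
            return ["This password reset link is invalid or has been used."]
        errors = validate_password(password, {"username": username}, self.plugins)
        if errors:
            return errors
        self.users[username] = self._hash(password)
        del self.tokens[token]
        return []
```

Note that the token stays valid while the chosen password is rejected, so the user can retry from the same link, and is deleted only once a password has been accepted, which is what makes the link one-time.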