[PLIP-Advisories] [Plone] #10959: API for password validation policy

Change notifications for Plone PLIPs on Trac. plone-plip-advisories at lists.plone.org
Thu Aug 4 19:13:39 UTC 2011


#10959: API for password validation policy
---------------------+------------------------------------------------------
 Reporter:  djay     |        Owner:          
     Type:  PLIP     |       Status:  reopened
 Priority:  minor    |    Milestone:  4.3     
Component:  Unknown  |   Resolution:          
 Keywords:           |  
---------------------+------------------------------------------------------

Old description:

> '''Proposer''': Dylan Jay
> '''Seconder''': Ken Wasetis
>
> == Motivation ==
> Individual site policies might call for different levels of password
> strength. Currently there is no API to easily integrate alternative
> password strength rules into Plone.
> == Assumptions ==
> This PLIP is for the API only and won't change the current rules Plone uses
> for passwords. Code would need to contend with also setting an initial
> password. This may mean the initial password is stronger than it is now.
> == Proposal & Implementation ==
> PAS already has plugins for validating passwords. This would be an
> obvious choice. The Products.PasswordStrength plugin is implemented as a
> PAS plugin. If desired, a more z3-style API could be created instead.
> == Deliverables ==
> Mainly changes to plone.app.users to call out to the API to validate the
> password. i18n is the responsibility of the password validation plugin.
> Documentation needs to be created on creating a password validation
> plugin.
> == Risks ==
> TBD.
> == Participants ==
> Dylan Jay - djay.
> == Progress ==
> Similar changes have been done for Plone 3.x as part of
> Products.PasswordStrength. These would be migrated to the new Plone 4
> implementation.

New description:

 '''Proposer''': Dylan Jay
 '''Seconder''': Ken Wasetis

 == Motivation ==
 Individual site policies might call for different levels of password
 strength. Currently there is no API to easily integrate alternative
 password strength rules into Plone.
 == Assumptions ==
 This PLIP is for the API only and won't change the current strength default
 Plone uses for passwords.
 However, because we need to support adding users without passwords, and
 because setting an initial password that meets all rules of all plugins is
 hard, we assume we will change the policy of sending a randomly generated
 password to new users. Instead we will set a very long random password no
 one will ever see and then modify the password reset tool to send a
 welcome email with a link to set a new password.
 We'll also assume there could be multiple plugins working at once.
 Each plugin will return a set of error messages which will already be
 translated.
 == Proposal & Implementation ==
 PAS already has plugins for validating user properties. This would be an
 obvious choice. The Products.PasswordStrength plugin is implemented as a
 PAS plugin. If desired, a more z3-style API could be created instead.
 Password reset tool will be changed to send a welcome email with a link.
 Some new copy of the reset password page may be needed.
 Option to "send email with password" will become "send email to set own
 password".

 == Deliverables ==
 Changes to plone.app.users to call out to the API to validate the password.
 i18n is the responsibility of the password validation plugin.
 Documentation needs to be created on creating a password validation
 plugin.
 Move the current default 5 char validation to a plugin of its own instead
 of in plone.app.users. Probably in Products.PlonePAS.
 A new workflow for adding new users without setting a password and without
 sending a clear text password.
 == Risks ==
 - That people expect to be able to send passwords in email.
 - We will have to join i18n strings together in an i18n-aware way because we
 are getting multiple errors from different plugins.

 == Participants ==
 Dylan Jay - djay.
 == Progress ==
 Similar changes have been done for Plone 3.x as part of
 Products.PasswordStrength. These would be migrated to the new Plone 4
 implementation.
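
 The multi-plugin validation chain and the never-seen initial password
 described in the new description, as an added Python illustration. This is
 not Plone's code and not the PAS plugin API: the plugin-as-callable shape,
 the message strings and the `secrets`-based placeholder are assumptions.

```python
import secrets
from typing import Callable, Iterable, List, Set

# Constructed illustration (not Plone/PAS code): a password-validation plugin is
# any callable that takes the candidate password and returns a set of
# already-translated error messages. An empty set means the plugin accepts it.
Validator = Callable[[str], Set[str]]


def min_length_plugin(password: str) -> Set[str]:
    """Stand-in for the current 5-character default, moved into its own plugin."""
    if len(password) < 5:
        return {"Passwords must contain at least 5 characters."}
    return set()


def character_class_plugin(password: str) -> Set[str]:
    """A stricter site-policy plugin: requires both a letter and a digit."""
    errors = set()
    if not any(c.isalpha() for c in password):
        errors.add("Password must contain at least one letter.")
    if not any(c.isdigit() for c in password):
        errors.add("Password must contain at least one digit.")
    return errors


def validate_password(password: str, plugins: Iterable[Validator]) -> List[str]:
    """Run every plugin and merge their error sets so all problems show at once."""
    errors: Set[str] = set()
    for plugin in plugins:
        errors |= plugin(password)
    return sorted(errors)


def join_errors(errors: Iterable[str], separator: str = " ") -> str:
    """Join merged messages; in a real site the separator comes from the i18n catalog."""
    return separator.join(errors)


def initial_placeholder_password(nbytes: int = 32) -> str:
    """Long random password nobody is ever shown; the user picks their own via the
    reset link, so no clear-text password has to travel by email."""
    return secrets.token_urlsafe(nbytes)


PLUGINS = (min_length_plugin, character_class_plugin)
```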

--

Comment(by djay):

 Added in changing the policy of sending passwords in an email. Now use
 password reset if you want to not choose a password.

-- 
Ticket URL: <http://dev.plone.org/plone/ticket/10959#comment:33>