password validator


Marvix

Nov 22, 2016, 7:47:42 AM
to web2py-users
Hello,

I started using web2py for a production application. Very satisfied with it!!

Just a question, I added this:

custom_auth_table.password.requires = [IS_STRONG(min=8, special=2, upper=3), CRYPT()]

but it seems that the validator is applied not only in the change password form but also in the "normal" login form.

I don't know if this is the desired way, but it can lead to unwanted side effects, for example:

at some point the administrator decides to improve the strength of the password, so the above line of code is changed, for example, to: (min=10, special=3, upper=4).
After that many users will not be able to log in again and they are all forced to change the password immediately. I think this may be problematic.

second case (and this is my case...):
the system has 2 distinct authorization systems: the "normal auth DB" system and an LDAP system.
On the LDAP system the rules for the password are different, so a password accepted by LDAP may not be OK with the requirements of the web2py validators.
In this case an LDAP user with a "good" LDAP password could not be accepted in the web2py application, and it could be problematic to explain to users that passwords accepted by the LDAP system are not accepted in the web2py application.

Would it be better to check the strength of the password only in the "change password" form, so that the above rule is applied to the web2py password and not to the LDAP ones?
Or, if this is not the desired default behaviour, is there a way to manually configure it so the validator is not applied on the login form?

Thanks,
Marvi




Anthony

Nov 22, 2016, 8:36:17 AM
to web2py-users
def user():
    # On the login action only, drop the first validator (IS_STRONG) so the
    # login form runs just CRYPT(); the change-password form keeps the full list.
    if request.args(0) == 'login':
        custom_auth_table.password.requires.pop(0)
    return dict(form=auth())

The default password validator is CRYPT(key=settings.hmac_key, min_length=settings.password_min_length), and the auth.login() method automatically resets the min_length parameter to 0 during login. But if you are using your own validators, you are responsible for changing them for login if necessary.

Anthony
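The following is an added example, not code from the thread or from web2py itself. It is plain Python with no web2py import: is_strong, hash_password and run_chain are simplified stand-ins for the IS_STRONG / CRYPT validator chain, USERS is a constructed in-memory auth table, and the two policy dicts are the values from the question. It models the side effect Marvix describes (tightening the policy locks out users whose stored password was valid under the old one) next to the login path with the strength validator dropped, where only the stored hash decides.

```python
"""Added example (plain Python, no web2py): why a password-strength validator
belongs on the change-password path and not on login.  The validator names
are simplified stand-ins for web2py's IS_STRONG / CRYPT, not framework code."""
import hashlib
import hmac
import os
import re

# Constructed policies: the original one and the tightened one from the question.
OLD_POLICY = {"min": 8, "special": 2, "upper": 3}
NEW_POLICY = {"min": 10, "special": 3, "upper": 4}
SPECIAL_CHAR = re.compile(r"[^A-Za-z0-9]")


def is_strong(value, policy):
    """Stand-in for IS_STRONG: return (value, None) on success, else (value, error)."""
    if len(value) < policy["min"]:
        return value, "password too short"
    if len(SPECIAL_CHAR.findall(value)) < policy["special"]:
        return value, "not enough special characters"
    if sum(ch.isupper() for ch in value) < policy["upper"]:
        return value, "not enough upper-case letters"
    return value, None


def hash_password(value, salt=None):
    """Stand-in for CRYPT: salted PBKDF2-HMAC-SHA512, stored as 'salthex$digesthex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", value.encode("utf-8"), salt, 100_000)
    return salt.hex() + "$" + digest.hex(), None


def verify_password(stored, value):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    recomputed, _ = hash_password(value, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def run_chain(requires, value):
    """web2py-style chain: each validator returns (value, error); stop at the first error."""
    for validator in requires:
        value, error = validator(value)
        if error:
            return None, error
    return value, None


USERS = {}  # constructed in-memory auth table: username -> stored hash


def set_password(username, value, policy):
    """Change-password form: enforce the strength policy, then hash and store."""
    requires = [lambda v: is_strong(v, policy), hash_password]
    stored, error = run_chain(requires, value)
    if error:
        return False, error
    USERS[username] = stored
    return True, None


def login_with_strength_check(username, value, policy):
    """The side effect from the question: the strength validator also runs on the
    login form, so a password valid under the old policy is rejected before the
    stored hash is even compared."""
    _, error = run_chain([lambda v: is_strong(v, policy)], value)
    if error:
        return False, error
    stored = USERS.get(username)
    ok = stored is not None and verify_password(stored, value)
    return ok, None if ok else "invalid credentials"


def login(username, value):
    """Login with the strength validator dropped (the fix in the thread):
    only the stored hash decides, whatever the current policy says."""
    stored = USERS.get(username)
    ok = stored is not None and verify_password(stored, value)
    return ok, None if ok else "invalid credentials"


def demo():
    """Walk through the scenario; returns the outcomes so they can be checked."""
    pw = "ABc!!Defgh"  # constructed: 10 chars, 2 specials, 3 upper-case letters
    ok_set, _ = set_password("alice", pw, OLD_POLICY)          # accepted under old policy
    locked_out, reason = login_with_strength_check("alice", pw, NEW_POLICY)
    ok_login, _ = login("alice", pw)                           # hash-only login still works
    bad_login, _ = login("alice", "ABc!!Defgx")                # wrong password still rejected
    return {"set": ok_set, "locked_out": locked_out, "reason": reason,
            "login": ok_login, "wrong_pw": bad_login}


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit: a strength policy is a rule about new passwords, so it is evaluated where the password is set; the login path compares against the stored hash and is unaffected by later policy changes. If the administrator wants old passwords rotated after tightening the policy, that is a separate step (for example, flagging the account for a forced change after a successful hash-only login) rather than a validator on the login form.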

Marvi Benedet

Nov 23, 2016, 8:20:48 AM
to web...@googlegroups.com
so, is there a way to disable the password validator in the login form without modifying web2py core files?



Anthony

Nov 23, 2016, 8:35:44 PM
to web2py-users
On Wednesday, November 23, 2016 at 8:20:48 AM UTC-5, Marvix wrote:
so, is there a way to disable the password validator in the login form without modifying web2py core files?

Yes, that is exactly my solution. The user() function in the default.py controller of the scaffolding app is not part of the web2py "core files". The scaffolding app is just a starting point for your app code -- it is meant to be modified.

Anthony

Marvi Benedet

Dec 2, 2016, 8:39:45 AM
to web...@googlegroups.com
Sorry for the delay, I was busy on other tasks.

I tried it and it works like a charm!

Many thanks!

