Today I'm looking for a recipe to force Drupal to change a password on the activation email page on first login.
I tried to alter my user_reset_pass form, and I know how to print password confirmation fields, but I don't have any idea how to override verification of that form to check that the password is set and has a proper value.
Maybe you can give me some hints to do that?
Check this module out:
Force Password Change
I am a naive programmer and currently using web2py to create a web app. In the website I ask the user to enter the password first. In the models section, in db.py I have written the following code for entering password:
db = DAL('sqlite://webform.sqlite')
db.define_table('register',
Field('password', requires=[IS_NOT_EMPTY(),IS_MATCH('somepassword',error_message='Invalid password')]));
Here, 'somepassword' is just a predefined password I have given for testing.
How can I make the field display "*" or dots while the user is entering the password, like in the image given below?
The DAL has a password field type:
Field('password', 'password', requires=CRYPT(min_length=8))
Password type fields by default get the SQLFORM.widget.password.widget widget in SQLFORMs (which you can also set manually on any field via the "widget" argument). The HTML input type will be set to "password".
As shown above, it is also recommended that you do not store passwords as plain text but instead store a hash of the password, which is what the CRYPT validator does (it can also be used to enforce a minimum password length). You can specify additional password complexity requirements via the IS_STRONG validator (though make sure that validator is applied before the CRYPT validator, as the latter transforms the password).
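The ordering point in the answer above, as an added example (not part of the original answer and not web2py's own code): `is_strong` and `crypt` are simplified stand-ins for IS_STRONG and CRYPT, and the stored record format is an assumption made for the illustration. It shows that when the hashing step runs first, the complexity check inspects the hash record instead of the user's input.

```python
import hashlib
import hmac
import os
import re

# Stand-ins for web2py's IS_STRONG and CRYPT (assumed names, not gluon code).
# Like web2py validators, each returns (value, error); error is None on success.

def is_strong(value, min_length=8):
    """Complexity policy: length, one digit, one non-alphanumeric character."""
    if len(value) < min_length:
        return value, "too short"
    if not re.search(r"\d", value):
        return value, "needs a digit"
    if not re.search(r"[^A-Za-z0-9]", value):
        return value, "needs a special character"
    return value, None

def crypt(value, salt=None, rounds=100_000):
    """Replace the password with a salted PBKDF2 record; never fails."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", value.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}", None

def run_validators(value, validators):
    """Apply validators in order, feeding each the previous one's output."""
    for validator in validators:
        value, error = validator(value)
        if error:
            return None, error
    return value, None

def verify(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    _, rounds, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

# Correct order: the policy sees the user's input, then the hash is stored.
stored, err = run_validators("Tr1cky-Horse-Staple", [is_strong, crypt])
# Wrong order: the policy sees the hash record, so "abc" is accepted.
weak_stored, weak_err = run_validators("abc", [crypt, is_strong])
```
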
Despite being a Super User (Joomla 3.4), each time I try to modify a user's profile, e.g., edit their name or assign them to a different group, I get this message:
The passwords you entered do not match. Please enter your desired password in the password field and confirm your entry by entering it in the confirm password field.
I am not entering a password. It almost looks like Joomla (or my Mac) is autofilling the first password entry and wants me to fill in the confirming password entry.
Please advise.
Delete the auto-filled password and save. This is a browser thing.
So I want to disable the required password change for first-time users.
I am running this locally, to test this out until it works as I want it.
I have made a portal-ext file that contains the following:
company.security.auth.type=screenName
users.screen.name.allow.numeric=true
terms.of.use.required=false
users.reminder.queries.enabled=false
passwords.default.policy.changeable=true
passwords.default.policy.change.required=false
users.reminder.queries.custom.question.enabled=false
users.last.name.required=false
users.email.address.required=false
passwords.toolkit=com.liferay.portal.security.pwd.RegExpToolkit
passwords.regexptoolkit.charset=0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghilmnopqrstuv
passwords.regexptoolkit.length=8
passwords.regexptoolkit.pattern=.+
As you can see, I have already set passwords.default.policy.change.required to false.
But when I log in with a first-time user, it still shows the "change password" screen, which it should not.
It NEEDS to be done from the portal-ext file, and not the control panel, since this file is going on multiple servers,
so it's disabled on all of them, and on future servers as well.
Does anyone have an idea what's wrong, or what I'm missing?
Thanks in advance.
When you add the property
passwords.default.policy.changeable=true
It means the user is allowed to change his password. On the other hand, when you set the property,
passwords.default.policy.change.required=false
It implies it's mandatory for the user to change the password. Here, you are setting it to false. So we should not get the 'Change password' screen.
I would suggest trying to remove the changeable property from the portal-ext.property file.
passwords.default.policy.changeable=true
Taking a further look at the Liferay forum, I found a post about this, where a Liferay staff member posted this answer:
Unfortunately the default password policy is not something you can
configure in portal(-ext).properties so there's no way to disable it
that way.
It's therefore impossible to get the result I'm looking for.
Source
So I want to disable the required password change for first-time users. I am running this locally, to test this out until it works as I want it.
If you want to disable the change requirement for users' passwords, just use this portal property:
passwords.default.policy.change.required=false
@Patrick R This is the portal-ext I use. See the screenshots of a new user logging in. I'm not sure whether this will solve your issue or not. Please cross-check the properties.
#jdbc.default.jndi.name=jdbc/LiferayPool
jdbc.default.driverClassName=com.mysql.jdbc.Driver
jdbc.default.url=jdbc:mysql://localhost/lportal?useUnicode=true&characterEncoding=UTF-8&useFastDateParsing=false
jdbc.default.username=root
jdbc.default.password=root
soas.database.name=soasdb
soas.database.username=root
soas.database.password=root
soas.database.hostname=localhost
soas.database.connection=jdbc:mysql://localhost/soasdb?user=root&password=root
soas.servicepartner.name=localhost
json.service.auth.token.hosts.allowed=127.0.0.1
json.service.auth.token.enabled=false
jsonws.web.service.public.methods=*
jsonws.servlet.hosts.allowed=127.0.0.1
users.screen.name.validator=com.liferay.portal.security.auth.LiberalScreenNameValidator
ldap.base.provider.url= ldap://localhost:389
ldap.base.dn= dc=soas,dc=schoox
ldap.security.principal= cn=admin
ldap.security.credentials= blahblah
auth.pipeline.pre=com.liferay.portal.security.auth.LDAPAuth
ldap.auth.enabled=true
ldap.auth.required=false
ldap.password.policy.enabled=true
ldap.users.dn= dc=soas,dc=schoox
ldap.groups.dn= dc=soas,dc=schoox
ldap.import.enabled=true
ldap.import.interval=1
ldap.import.on.startup=true
ldap.import.method=group
ldap.import.group.search.filter.enabled=true
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=userPassword
ldap.user.mappings=screenName=uid\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
#ldap.user.mappings=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=cn\nlastName=sn
#ldap.user.mappings=screenName=displayName\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.group.mappings=groupName=cn\ndescription=description\nuser=member
ldap.import.user.search.filter=(objectClass=inetOrgPerson)
ldap.import.group.search.filter=(objectClass=groupOfEntries)
ldap.auth.search.filter=(uid=#screen_name#)
axis.servlet.hosts.allowed=
axis.servlet.https.required=false
company.security.auth.type=screenName
search.container.show.pagination.top=false
setup.wizard.enabled=false
When a new user logs in
Terms and conditions
Password Reminder
Successful login
I agree with Olaf Kock. I'm currently working on a Liferay DXP 7.2 upgrade from 6.2 and I'm facing the same issue of having the Change Password screen on first-time user login through Kerberos SSO.
I went through the addUserWithWorkflow method of the Liferay codebase in UserLocalServiceImpl, and I've also verified the database table for handling the Password Policy, which has columns for configuring the Password Changeable and Change Required settings. When a user is added for the first time, the passwordReset column in the Liferay table User_ is set to 1 (true) if the columns in Password Policy are set to 1 (true). This is the reason why we see the Change Password prompt after user login.
I understood that the only way to change this configuration through portal-ext.properties is when Liferay is set up for the first time, before the server startup; otherwise, a DB patch has to be applied to the Liferay table PasswordPolicy to set 0 (false) for the below columns.
changeable and changeRequired
I am in the midst of writing a test suite for a password management page. For the scenarios, the majority should not actually change the password, but some do. I have used the tag @changePassword so that I can optionally run those scenarios or not.
The problem I run into is trying not to write duplicate steps if possible.
Simplified sample scenarios:
@changePassword
Scenario: successful change
  Given the Manage Password page is loaded
  And a new password is generated
  When the old password is entered
  And the new password is entered
  And the confirm password is entered
  And the OK button is clicked
  Then the password has changed

Scenario: failed change (missing confirm)
  Given the Manage Password page is loaded
  And a new password is generated
  When the old password is entered
  And the new password is entered
  And the OK button is clicked
  Then the password change fails
The majority of the steps are identical between the two versions, the main variance that I am concerned with is the And a new password is generated step. In the first scenario, I want the new password to be saved as the user's password. In the second scenario I want the new password discarded at the end.
Something like (pseudo-code):
And /^a new password is generated$/ do
  old password = user's password
  new password = generate random new password
  confirm password = new password
  if tag @changePassword is present
    user's password is set as the new password
  end
end
Is there any way to make this possible? I can write a second step like And a new password to be saved is generated or something, but for readability and for the non-tech-savvy co-workers, using the same step is the better option. (I have found in the past that using different phrases to describe similar processes, which to the user accomplish the exact same thing, has caused confusion. Trying to avoid workplace confusion if possible.)
Side note: Using Cucumber with Ruby (with Watir), if that makes any difference (does it?)
It's an ugly solution, but can you use a tagged hook to set a variable and then an if statement in the method that saves/doesn't save based on the value of that variable?
There's a strange tradition of asking the user to re-enter their password when the registration form has failed validation.
E.g. the CAPTCHA value was wrong and now the password field is empty: users have to re-enter it.
What's the reason for that? Is it really that unsafe to put the password back to the input, even through HTTPS?
Putting a value in the password input field would require it to be in plain text in the HTML source.