---
** [tickets:#7432] Password expiration**
**Status:** in-progress
**Milestone:** limbo
**Labels:** 42cc
**Created:** Mon Jun 02, 2014 09:24 PM UTC by Dave Brondsema
**Last Updated:** Mon Jun 02, 2014 09:24 PM UTC
**Owner:** nobody
Site administrators should be able to control password expiration rules for
accounts. I think there are 2 ways we should support now: a number of days
since last changed (e.g. `auth.pwdexpire.days = 180`) and a force reset for
everyone before a certain time (e.g. `auth.pwdexpire.before = 1401742705`).
They should be complimentary, so both settings could potentially be used at the
same time. Default to no expirations.
This should rely on the AuthenticationProvider interface, so different
implementations can record the field for last time a password was changed in
their own way. I'm thinking perhaps each provider should be responsible for
setting it within their `set_password` and then have a new method to get that
value for a given user. Then the logic & forms of this new feature can work
with any auth provider. Implement as a mongo field for the
LocalAuthenticationProvider. I think for the LDAP provider, we should use the
same mongo field on the User model (storing in LDAP would be nice, but could
require an LDAP schema change for admins and we have a mongo user record for
everyone anyway).
Upon successful login, if a password is expired, require the user to change
their password before continuing anywhere in the site. Using the existing
`password_change_form` seems good: requiring entering old password again and
new one twice.
---
Sent from sourceforge.net because [email protected] is subscribed to
https://sourceforge.net/p/allura/tickets/
To unsubscribe from further messages, a project admin can change settings at
https://sourceforge.net/p/allura/admin/tickets/options. Or, if this is a
mailing list, you can unsubscribe from the mailing list.