Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.3 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Old description:

> '''Proposer''': Dylan Jay
> '''Seconder''': Ken Wasetis
>
> == Motivation ==
> Individual site policies might call for different levels of passwords
> strengths. Currently there is no api to easily integrate alternative
> password strength rules into plone.
> == Assumptions ==
> This PLIP is for api only and won't change the current strength default
> plone uses for passwords.
> However because we need to support adding users without passwords and
> because setting initial password that meet all rules of all plugins is
> hard, we assume we will change the policy of sending a randomly generated
> password to new users. Instead we will set an very long random password
> no one will ever see and then modify the password reset tool to send a
> welcome email with a link to set a new password.
> We'll also assume there could be multiple plugins working at once.
> Each plugin will return a set of error messages which will be already
> translated.
> == Proposal & Implementation ==
> PAS already has a plugins for validating user properties. This would be
> an obvious choice. The Products.PasswordStrength plugin is implemented as
> a PAS plugin. If desired an more z3 api could be created instead.
> Password reset tool will be changed to send a welcome email with a link.
> Some new copy of the reset password page may be needed.
> Option to "send email with password" will become "send email to set own
> password".
>
> == Deliverables ==
> Changes to plone.app.users to call out to api to validate the password.
> i18n is the responsibility of the password validation plugin.
> Documentation needs to be created on creating a password validation
> plugin.
> Move the current default 5 char validation to a plugin of its own instead
> of in plone.app.users. Probably in Products.PlonePAS.
> A new workflow for adding new users without setting a password and
> without sending a clear text password.
> == Risks ==
> - That people expect to be able to send passwords in email.
> - We will have to join i18n strings togeather in an i18n way cause we are
> getting multiple errors from different plugins.
>
> == Participants ==
> Dylan Jay - djay.
> == Progress ==
> Similar changes have been done for plone3.x as part of
> Products.PasswordStrength. There would be migrated to the new plone4
> implementation.

New description:

 '''Proposer''': Dylan Jay
 '''Seconder''': Ken Wasetis

 == Motivation ==
 Individual site policies might call for different levels of passwords
 strengths. Currently there is no api to easily integrate alternative
 password strength rules into plone.
 == Assumptions ==
 This PLIP is for api only and won't change the current strength default
 plone uses for passwords.
 However because we need to support adding users without passwords and
 because setting initial password that meet all rules of all plugins is
 hard, we assume we will change the policy of generating a 5 char password.
 Instead we will set an very long random password no one will ever see
 since the password reset tool is used to send a welcome email with a link
 to set a new password.
 We'll also assume there could be multiple plugins working at once.
 Each plugin will return a set of error messages which will be already
 translated.
 == Proposal & Implementation ==
 PAS already has a plugins for validating user properties. This would be an
 obvious choice. The Products.PasswordStrength plugin is implemented as a
 PAS plugin. If desired an more z3 api could be created instead.
 A much longer stronger password will be generated that is likely to pass
 any validation. Since this is never sent it doesn't need to exactly match
 any policy.

 == Deliverables ==
 Changes to plone.app.users to call out to api to validate the password.
 i18n is the responsibility of the password validation plugin.
 Documentation needs to be created on creating a password validation
 plugin.
 Move the current default 5 char validation to a plugin of its own instead
 of in plone.app.users. Probably in Products.PlonePAS.
 A new workflow for adding new users without setting a password and without
 sending a clear text password.
 == Risks ==
 - We will have to join i18n strings togeather in an i18n way cause we are
 getting multiple errors from different plugins.

 == Participants ==
 Dylan Jay - djay.
 == Progress ==
 Similar changes have been done for plone3.x as part of
 Products.PasswordStrength. There would be migrated to the new plone4
 implementation.

--

Comment(by djay):

 changed description to reflect that passwords aren't sent so therefore no
 

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.3 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Old description:

> '''Proposer''': Dylan Jay
> '''Seconder''': Ken Wasetis
>
> == Motivation ==
> Individual site policies might call for different levels of passwords
> strengths. Currently there is no api to easily integrate alternative
> password strength rules into plone.
> == Assumptions ==
> This PLIP is for api only and won't change the current rules plone uses
> for passwords. Code would need to contend with also setting an initial
> password. This may mean the initial password is stronger than it is now.
> == Proposal & Implementation ==
> PAS already has a plugins for validating passwords. This would be an
> obvious choice. The Products.PasswordStrength plugin is implemented as a
> PAS plugin. If desired an more z3 api could be created instead.
> == Deliverables ==
> Mainly changes to plone.app.users to call out to api to validate the
> password. i18n is the responsibility of the password validation plugin.
> Documentation needs to be created on creating a password validation
> plugin.
> == Risks ==
> TBD.
> == Participants ==
> Dylan Jay - djay.
> == Progress ==
> Similar changes have been done for plone3.x as part of
> Products.PasswordStrength. There would be migrated to the new plone4
> implementation.

New description:

 '''Proposer''': Dylan Jay
 '''Seconder''': Ken Wasetis

 == Motivation ==
 Individual site policies might call for different levels of passwords
 strengths. Currently there is no api to easily integrate alternative
 password strength rules into plone.
 == Assumptions ==
 This PLIP is for api only and won't change the current strength default
 plone uses for passwords.
 However because we need to support adding users without passwords and
 because setting initial password that meet all rules of all plugins is
 hard, we assume we will change the policy of sending a randomly generated
 password to new users. Instead we will set an very long random password no
 one will ever see and then modify the password reset tool to send a
 welcome email with a link to set a new password.
 We'll also assume there could be multiple plugins working at once.
 Each plugin will return a set of error messages which will be already
 translated.
 == Proposal & Implementation ==
 PAS already has a plugins for validating user properties. This would be an
 obvious choice. The Products.PasswordStrength plugin is implemented as a
 PAS plugin. If desired an more z3 api could be created instead.
 Password reset tool will be changed to send a welcome email with a link.
 Some new copy of the reset password page may be needed.
 Option to "send email with password" will become "send email to set own
 password".

 == Deliverables ==
 Changes to plone.app.users to call out to api to validate the password.
 i18n is the responsibility of the password validation plugin.
 Documentation needs to be created on creating a password validation
 plugin.
 Move the current default 5 char validation to a plugin of its own instead
 of in plone.app.users. Probably in Products.PlonePAS.
 A new workflow for adding new users without setting a password and without
 sending a clear text password.
 == Risks ==
 - That people expect to be able to send passwords in email.
 - We will have to join i18n strings togeather in an i18n way cause we are
 getting multiple errors from different plugins.

 == Participants ==
 Dylan Jay - djay.
 == Progress ==
 Similar changes have been done for plone3.x as part of
 Products.PasswordStrength. There would be migrated to the new plone4
 implementation.

--

Comment(by djay):

 added in changing policy of sending passwords in an email. Now use
 password reset if want to not choose a password.

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.3 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by rossp):

 The FWT has wrapped up work on 4.2 and can start work on 4.3 whenever we
 have PLIPs to review.  So can you as proposers or implementers please
 check in on your PLIPs and let us know what the status is and when we can
 expect issues to be addressed and implementations complete so we can
 review them for merge in 4.3.

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.3 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--
Changes (by rossp):

  * milestone:  4.2 => 4.3


Comment:

 Replying to [comment:28 ggozad]:
 > (In [50864]) Updated review for Password validation API. Refs #10959

 The FWT agrees with ggozad's review above and suggests targeting this for
 4.3 with an implementation that addresses that feedback.

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by djay):

 discussed with ggozad the idea of creating new PAS plugin interfaces in
 PAS itself which I'll have a look at.

 However, another solution I've been considering is not setting a password
 at all. Users would have a disabled state and we use the password reset
 tool instead. Would like feedback on that.

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by ggozad):

 Hey Dylan,
 The PLIP was discussed yesterday on the FWT meeting. The following
 concerns were raised:
  * We would like to see this done at the PAS level (for password
 generation for instance). In the control panel and p.a.users we should see
 as little as possible, essentially just UI.
  * Usage of user properties looks insecure.
  * A mechanism should be implemented on the plugin level to guarantee that
 initial password generation does not fail.

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by ggozad):

 (In [50864]) Updated review for Password validation API. Refs #10959

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by djay):

 rossp: I misspoke. There is no need to setup a new policy.
 PasswordStrength comes with one by default. However the one thing it
 doesn't do as yet is install itself for password generation yet. To do
 that go to the plugin in acl_users and activate it for as a "Properties
 Plugin".


 ggozad: Tests now all pass. I've also added documentation which shows how
 to add your own plugins in tests/plugins.txt. Plugins will be able to do
 things like use password history. Password expiry is out of scope of this
 PLIP. Expiry is a good idea however and is possible by hooking into both
 PAS authentication and the Plone login screens. Perhaps another PLIP? or
 if you have code already for this?

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by rossp):

 Replying to [comment:25 djay]:
 > A new implementation has been completed including tests.
 >
 > You can test it by installing Products.PasswordStrength (included in
 buildout). Once activated it will enforce a much stricter password policy.
 You'll need to go to acl_users/password_strength_plugin to adjust the
 policy. Also I've added support for password generation plugin.

 Can you please provide more details of how to set up a simple validation
 criterion using Products.PasswordStrength?  It's very slim on the docs so
 it's hard to figure out how to test this PLIP.  Thanks!

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by djay):

 A new implementation has been completed including tests.

 You can test it by installing Products.PasswordStrength (included in
 buildout). Once activated it will enforce a much stricter password policy.
 You'll need to go to acl_users/password_strength_plugin to adjust the
 policy. Also I've added support for password generation plugin.

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by rossp):

 Replying to [comment:23 djay]:
 > Sorry, missed that. new to the process.
 >
 > Yes you are right. I've realised I'm missing part of the implementation.
 I should have that checked in tomorrow with working tests and will include
 a version of Products.PasswordStrength in the buildout for testing
 purposes.
 > If this change is implementation is too late I understand.

 I'm fine with a delay till tomorrow and I'm guessing the rest of the FWT
 will be too.

 Thanks for including Products.PasswordStrength.  Can you also include
 (maybe in a brief comment here) how to use it for testing?

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by djay):

 Sorry, missed that. new to the process.

 Yes you are right. I've realised I'm missing part of the implementation. I
 should have that checked in tomorrow with working tests and will include a
 version of Products.PasswordStrength in the buildout for testing purposes.
 If this change is implementation is too late I understand.

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by rossp):

 Replying to [comment:21 djay]:
 > Any more detail on exactly what is missing? (other than working out why
 the tests don't work which has already been mentioned?)

 Details are in the review added in that commit.

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by djay):

 Any more detail on exactly what is missing? (other than working out why
 the tests don't work which has already been mentioned?)

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by rossp):

 (In [50580]) Review PAS password validation API PLIP.  Refs #10959.

 Not ready yet.

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by rossp):

 Ok, FWT is gonna treat this implementation complete and ready for review.

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by djay):

 The implementation is done and works.
 The tests are done and should work but don't. Something is going funny
 whereby I add a PAS plugin in the test code but it disappears when
 accessed later. I'm trying to work out how but no luck so far.

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by rossp):

 Since we need to have a feature freeze by June 30th, we need
 implementations finished by next week's framework team meeting on Tuesday,
 June 14th.  IOW, implementation will need to be finished on Monday, June
 13th.

 Will you be able to have the implementation done by then?

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by djay):

 Replying to [comment:15 rossp]:
 > Replying to [comment:14 eleddy]:
 >
 > Thanks for following up. The deadline for feature freeze is June 30th,
 so we need to start doing implementation reviews as soon as possible. Have
 tests been added?  Has an the security team reviewed this?  IOW, is this
 ready for implementation review?


 Yes there are tests and the implementation is there but I haven't had a
 chance to run it against the 4.2 branch as yet.
 There is one issue with the current implementation. If you use additional
 password validation rules then automatically generated passwords can fail
 to be valid. I need to investigate if there is a PAS hook for generating
 passwords so plugins can do this as well.

 >
 > Also, I am not the FWT contact for this.  :-)

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by rossp):

 Replying to [comment:14 eleddy]:

 Thanks for following up. The deadline for feature freeze is June 30th, so
 we need to start doing implementation reviews as soon as possible. Have
 tests been added?  Has an the security team reviewed this?  IOW, is this
 ready for implementation review?

 Also, I am not the FWT contact for this.  :-)

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plone-plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--

Comment(by eleddy):

 FWT approved for 4.2 with a couple notes:
  - Tests must be included
  - 1 external review must be from the security team
  - matthewwilkes will be your framework team contact for this

 Please note the new process needs two external reviews. When you are ready
 for the FWT to do an integration review please update status to "please
 review"

 Thanks!

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner:  
 Type:  PLIP |   Status:  reopened
 Priority:  minor|Milestone:  4.2 
Component:  Unknown  |   Resolution:  
 Keywords:   |  
-+--
Changes (by djay):

  * status:  closed => reopened
  * resolution:  wontfix =>
  * milestone:  Future => 4.2


Comment:

 Implementation is done, just finishing tests remain.

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner: 
 Type:  PLIP |   Status:  closed 
 Priority:  minor|Milestone:  Future 
Component:  Unknown  |   Resolution:  wontfix
 Keywords:   |  
-+--
Changes (by rossp):

  * status:  new => closed
  * resolution:  => wontfix


Comment:

 PLEASE READ THIS AND RE-OPEN VALID PLIPS!

 As we launch the new PLIP process we'd like to see which PLIPs:

 - are still appropriate/needed
 - still have owners/proposers/champions
 - still have available implementers

 If this PLIP should still be considered for future releases of Plone
 please do re-open this ticket and assign an appropriate milestone.  If it
 should be considered for the next release of Plone, use the 4.2 milestone.
 Also be sure to update the PLIP description, requester, owner, etc. and
 include a comment detailing recent progress and new plans.  We will use
 all these details in the new continuous PLIP process.

-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |   Owner:
 Type:  PLIP |  Status:  new   
 Priority:  minor|   Milestone:  Future
Component:  Unknown  |Keywords:
-+--
Changes (by esteele):

  * milestone:  4.1 => Future


-- 
Ticket URL: 
Plone 
Plone Enterprise Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
https://lists.plone.org/mailman/listinfo/plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner: 
 Type:  PLIP |   Status:  new
 Priority:  minor|Milestone:  4.1
Component:  Unknown  |   Resolution: 
 Keywords:   |  
-+--
Changes (by djay):

 * cc: djay (added)


-- 
Ticket URL: 
Plone 
Plone Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
http://lists.plone.org/mailman/listinfo/plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner: 
 Type:  PLIP |   Status:  new
 Priority:  minor|Milestone:  4.1
Component:  Unknown  |   Resolution: 
 Keywords:   |  
-+--

Comment(by djay):

 Replying to [comment:5 ggozad]:
 > I had done some work for ENISA on a generic password policy product that
 would do password complexity, aging and expiration as well as keep a
 password history so that the same password is not reused. Let me know if
 you need help I would be happy to adapt it and contribute.

 I'd love to discuss this. Please contact me. The scope of this PLIP is
 just to put in place hooks to make it easy to put in 3rd party plugins
 with validation rules. That would cover password complexity and history
 but wouldn't handle expiration and aging. Did it involve patching core
 code to enable aging and expiration?

-- 
Ticket URL: 
Plone 
Plone Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
http://lists.plone.org/mailman/listinfo/plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner: 
 Type:  PLIP |   Status:  new
 Priority:  minor|Milestone:  4.1
Component:  Unknown  |   Resolution: 
 Keywords:   |  
-+--

Comment(by djay):

 Replying to [comment:2 ldr]:
 > Can you confirm that all that is required here is changing
 plone.app.users to use an existing PAS api to check password validity?

 Yes. It's simply a few changes to where the password validity is checked
 which will then look up an existing PAS api. If no such PAS plugin exists
 then the existing 5 char password rules will be enforced.

-- 
Ticket URL: 
Plone 
Plone Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
http://lists.plone.org/mailman/listinfo/plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner: 
 Type:  PLIP |   Status:  new
 Priority:  minor|Milestone:  4.1
Component:  Unknown  |   Resolution: 
 Keywords:   |  
-+--

Comment(by djay):

 Replying to [comment:3 esteele]:
 > Your PLIP has been accepted for consideration for Plone 4.1.
 >
 > Framework Team voting on this PLIP was:
 > Alec  +1
 > Craig +1
 > Elizabeth +0
 > Laurence  +1
 > Martijn   +1
 > Matthew   +1
 > Rob   +1
 > Ross--
 >
 > The initial implementation deadline for your PLIP is October 1st, 2010.
 The Framework Team would certainly appreciate you finishing beforehand so
 that they may begin evaluating it as soon as possible. Announce its
 readiness here once your implementation is ready for review.

 I'm really sorry but it appears that I've got no email notifications that
 this PLIP was accepted. I will endeavor to work on this weekend. I hope
 this will still enable it's inclusion.

-- 
Ticket URL: 
Plone 
Plone Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
http://lists.plone.org/mailman/listinfo/plip-advisories

Re: [PLIP-Advisories] [Plone] #10959: API for password validation policy

[Change notifications for Plone PLIPs on Trac.]

#10959: API for password validation policy
-+--
 Reporter:  djay |Owner: 
 Type:  PLIP |   Status:  new
 Priority:  minor|Milestone:  4.1
Component:  Unknown  |   Resolution: 
 Keywords:   |  
-+--
Changes (by cah190):

 * cc: plip-advisor...@lists.plone.org (added)


-- 
Ticket URL: 
Plone 
Plone Content Management System
___
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
http://lists.plone.org/mailman/listinfo/plip-advisories