On Wednesday 15 October 2008 15:36:58 Christopher Arndt wrote:
> Hi all,
>
> I'm working with TG1 and the standard identity framework and I want to
> implement password expiration, i.e. that users have to change their
> password after a certain time period or it becomes invalid.
>
> Has anybody ever done this?
>
> Of course I would have to augment the identity model so the User object
> has a "password_changed" date field (which could be None for infinite
> password validity) and either a global setting for the expiration period
> or another field on the User object for a per-user expiration time.
>
> Then, I guess, I would have to set up my own Identity provider, which
> checks these values, and, if the password is expired, redirects to a
> form, where the user can change his password. But how would I
> authenticate the user for this form without giving him access to the
> rest of the application?

I think you could make that page of the application not part of the 
authenticated parts of the app. Then after successfully changing the 
password, authenticate the user "by hand" in the form-handler and redirect.

Another approach might be to alter the groups of a user via a property that 
looks up the "real" groups, or if pwd is expired returns a single group that 
only grants one permission to the change-your-password-page.

This would rule out using "not_anonymous" for other app-parts of course. You 
might instead use a custom predicate, "not_expired" that combines 
not_anonymous and not_expired.

Diez
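
The second approach above (a groups property that collapses to a single restricted group once the password has expired, plus a combined "not_expired" check), sketched as an added example that is not part of the original message and not TurboGears code. It is plain Python with no identity framework imports; every class, function, group and permission name is hypothetical, and the 90-day period is an assumed setting.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical names throughout; this models the idea, not the TG1 identity API.
PASSWORD_MAX_AGE = timedelta(days=90)   # assumed global expiration period
EXPIRED_GROUP = "password-expired"      # assumed group granting a single permission
GROUP_PERMISSIONS = {
    "staff": {"view_reports", "edit_reports"},
    EXPIRED_GROUP: {"change_password"},
}


class User:
    def __init__(self, name, real_groups, password_changed, max_age=None):
        self.name = name
        self._real_groups = set(real_groups)
        self.password_changed = password_changed  # None = password never expires
        self.max_age = max_age                    # per-user period, None = global

    def password_expired(self, now=None):
        if self.password_changed is None:
            return False
        now = now or datetime.now(timezone.utc)
        limit = self.max_age if self.max_age is not None else PASSWORD_MAX_AGE
        return now - self.password_changed > limit

    def groups_at(self, now=None):
        """Real groups, or only the restricted group once the password expired."""
        if self.password_expired(now):
            return {EXPIRED_GROUP}
        return set(self._real_groups)

    groups = property(groups_at)  # what the authorization layer would read

    def permissions_at(self, now=None):
        perms = set()
        for group in self.groups_at(now):
            perms |= GROUP_PERMISSIONS.get(group, set())
        return perms


def not_expired(user, now=None):
    """Combined check: a user is logged in and the password is still valid."""
    return user is not None and not user.password_expired(now)
```

Because the restriction is applied where groups are looked up, any page protected by a group or permission check denies an expired account by default; only pages guarded by a bare "not_anonymous" style check need to be switched to the combined predicate.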
