So, is there a way to disable the password validator in the login form
without modifying web2py core files?


2016-11-22 14:36 GMT+01:00 Anthony <abasta...@gmail.com>:

> def user():
>     if request.args(0) == 'login':
>         custom_auth_table.password.requires.pop(0)
>     return dict(form=auth())
>
> The default password validator is CRYPT(key=settings.hmac_key,
> min_length=settings.password_min_length), and the auth.login() method
> automatically resets the min_length parameter to 0 during login. But if you
> are using your own validators, you are responsible for changing them for
> login if necessary.
>
> Anthony
>
>
> On Tuesday, November 22, 2016 at 7:47:42 AM UTC-5, Marvix wrote:
>>
>> Hello,
>>
>> start using web2py for a production application. Very satisfied with it!!
>>
>> Just a question, I added this:
>>
>> custom_auth_table.password.requires =  [IS_STRONG(min=8, special=2,
>> upper=3), CRYPT()]
>>
>> but it seems that the validator is applied not only in the change
>> password form but also in the "normal" login form.
>>
>> I don't know if this is the desired way, but it can lead to unwanted side
>> effects, for example:
>>
>> at some point the administrator decides to improve the strength of the
>> password, so the above line of code is changed, for example, to: (min=10,
>> special=3, upper=4).
>> After that many users will not be able to login again and they are all
>> forced to change the password immediately. I think this may be problematic.
>>
>> second case (and this is my case...):
>> the system has 2 distinct authorization systems. The "normal auth DB"
>> system and an LDAP system.
>> on the LDAP system the rules of the password are different, so a password
>> accepted by LDAP may not be ok with the requirements of the web2py
>> validators.
>> In this case an LDAP user, with a "good" LDAP password could not be
>> accepted in the web2py application, and could be problematic to explain to
>> users that passwords accepted for the LDAP system are not accepted in the
>> web2py application.
>>
>> Would be better to check the strength of the password only in the "change
>> password" form? so the above rule is applied to the web2py password and not
>> to the LDAP ones?
>> or, if this is not the desired default behaviour, is there a way to manually
>> configure not to apply the validator on the login form?
>>
>> Thanks,
>> Marvi
>>
>>
>>
>>
>> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to web2py+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

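Added example, not part of the original thread and not web2py code: a plain-Python model of the behaviour discussed above, where strength rules run only when a password is set and login only compares hashes. `is_strong`, `hash_password`, `validators_for`, `set_password` and `login` are hypothetical stand-ins (PBKDF2 replaces CRYPT, and the special-character rule is an approximation of IS_STRONG).

```python
import hashlib
import hmac
import os
import re

# Constructed policy, modeled on the thread's IS_STRONG(min=8, special=2, upper=3).
def is_strong(password, min_len=8, special=2, upper=3):
    """Return None if the password meets the policy, else an error string."""
    if len(password) < min_len:
        return "too short"
    if len(re.findall(r"[^A-Za-z0-9]", password)) < special:
        return "too few special characters"
    if sum(c.isupper() for c in password) < upper:
        return "too few uppercase letters"
    return None

def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 stand-in for the hashing step (CRYPT in the thread)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def validators_for(action):
    """Strength rules apply when a password is set, never when it is checked."""
    return [is_strong] if action in ("register", "change_password") else []

def set_password(store, user, password, action="register"):
    """Run the validators for this action, then store the salted hash."""
    for check in validators_for(action):
        error = check(password)
        if error:
            return error
    store[user] = hash_password(password)
    return None

def login(store, user, password, strength_check_at_login=False):
    """strength_check_at_login=True reproduces the behaviour reported in the thread."""
    if strength_check_at_login and is_strong(password):
        return False  # rejected before the stored hash is ever consulted
    if user not in store:
        return False
    salt, expected = store[user]
    return hmac.compare_digest(hash_password(password, salt)[1], expected)
```

An account whose password predates the current policy authenticates only when the strength check is left out of the login path; new passwords are still held to the policy when set.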