+1 on this request.  For some apps this is a deal-breaker.  For example, a 
client who wants a secure place for their employees and doesn't want any 
random registration requests.

FYI, other Auth requirements that I've been asked to implement to 'secure' 
an app are:

- Lock account after x failed login attempts.
- Force new password on first login
- Force new password every x days.
- No re-use of passwords within 8 changes.
- No sequential passwords (for example, can't change your password from 
'password1' to 'password2').
- Force logout after x hours.
- Two-factor authentication for users with 'administrator' access.
- Require passwords of various complexity.

I'm not saying that py4web should have all of these functions right now, 
but pointing out some of the options it might need to have in the future.


On Sunday, 29 March 2020 11:54:17 UTC+13, Massimo Di Pierro wrote:
>
> Let me give some thought to this. Only complication is a mechanism for 
> server to tell auth.js that some pages should be available.
>
> On Saturday, 28 March 2020 13:55:06 UTC-7, Paolo Caruccio wrote:
>>
>> In my case I only need login and logout.
>> The creation of an account will be done by other users with privileges 
>> established by the administrators. The modification of the profile will 
>> also be done partially by the user himself (change password, change email, 
>> add / change personal data etc) who has the account enabled and is already 
>> logged in.
>> Obviously I can delete all links and specific functions from the 
>> frontend, and I can require approval of any registration made from 
>> the outside, but it would be more secure to also have server-side prevention 
>> by disabling actions that are not needed.
>>
>>
>> Translated with www.DeepL.com/Translator (free version)
>>
>> On Saturday, 28 March 2020 20:30:48 UTC+1, Massimo Di Pierro 
>> wrote:
>>>
>>> not possible yet. I can implement it easily but I would like to 
>>> understand some use cases.
>>>
>>> On Saturday, 28 March 2020 10:12:32 UTC-7, Paolo Caruccio wrote:
>>>>
>>>> In py4web is there any way to disable some auth actions? I can't find 
>>>> anything in the code about this.
>>>>
>>>> In web2py this is possible via auth.settings.action_disabled
>>>>
>>>> For example:
>>>>
>>>> auth.settings.action_disabled=['register']
>>>>
>>>> prevents the "register" action from working.
>>>>
>>>> Thank you.
>>>>
>>>
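A plain-Python sketch of three of the rules listed at the top of this message (lock after x failed logins, no re-use within the last 8 changes, no 'password1' to 'password2' changes), added here as an example; it is not py4web or web2py code, and the lockout threshold of 5 and the PBKDF2 parameters are assumptions:

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

MAX_FAILED = 5       # lock the account after x failed logins (x = 5 assumed)
HISTORY_DEPTH = 8    # no re-use of a password within the last 8 changes

def hash_pw(password, salt=None):
    """PBKDF2-SHA256 with a per-password salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 60_000)

def matches(password, salt, digest):
    return hmac.compare_digest(hash_pw(password, salt)[1], digest)

@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, digest), newest last
    failed: int = 0
    locked: bool = False

def is_sequential(old, new):
    """'password1' -> 'password2': same stem, only the trailing digits change."""
    m_old, m_new = (re.fullmatch(r"(.*?)(\d+)", p) for p in (old, new))
    return bool(m_old and m_new and m_old.group(1) == m_new.group(1))

def reused(acct, new):
    """True if `new` equals any of the last HISTORY_DEPTH passwords."""
    return any(matches(new, s, d) for s, d in acct.history[-HISTORY_DEPTH:])

def change_password(acct, current, new):
    """Return None on success, otherwise the policy rule that rejected it."""
    if acct.locked:
        return "locked"
    if acct.history and not matches(current, *acct.history[-1]):
        return "wrong current password"
    if is_sequential(current, new):
        return "sequential"
    if reused(acct, new):
        return "reused"
    acct.history.append(hash_pw(new))
    return None

def login(acct, password):
    """Verify a login; count failures and lock after MAX_FAILED in a row."""
    if acct.locked or not acct.history:
        return False
    if matches(password, *acct.history[-1]):
        acct.failed = 0
        return True
    acct.failed += 1
    acct.locked = acct.failed >= MAX_FAILED
    return False
```

Only hashes are kept in the history, so the re-use check works without storing old plaintexts; the sequential check needs the current password, which the user supplies at change time.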

You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/5b017426-a182-4a93-817e-35fdd4b6f07b%40googlegroups.com.