base: check password comply with authentication policy on change own password action
"""External validator for PreferenceTool_viewChangePasswordDialog/your_password. | ||
Check that password matchs with confirmation and that it complies to the authentication policy. | ||
""" | ||
from AccessControl import getSecurityManager | ||
from Products.Formulator.Errors import ValidationError | ||
password_confirm = request.get('field_password_confirm', | ||
request.get('password_confirm')) | ||
# password does not match confirmation, returns the default external validator message. | ||
if password_confirm != editor: | ||
return 0 | ||
login = getSecurityManager().getUser().getLoginValue() | ||
if login is not None: | ||
validation_message_list = login.analyzePassword(editor) | ||
|
||
if validation_message_list: | ||
message = u' '.join([str(x) for x in validation_message_list]) | ||
raise ValidationError('external_validator_failed', context, error_text=message) | ||
return 1 |
-
Owner
@jerome this crashes when erp5_authentication_policy is not installed, because the type based script Login_analyzePassword does not exist.
I'm wondering how to fix this issue:
- patching
login_account_provider.analyzePassword
to return True (or False) when the method is not found - adding a default
Login_analyzePassword
returning True inerp5_base
- a combination of both previous proposal
- patching
-
Owner
Oh you are right, this looks like a mistake. Because
analyzePassword
is part of the login interface, it seems logical to consider that password is valid when there is no authentication policy, so the first suggestion, returning an empty list when no type-based method, looks good. Adding a defaultLogin_analyzePassword
seems a bit more complex because we'll have to take care of skin folder ordering.Do you agree ? let me know if you want me to make these changes.
-
Owner
Seems fine. Don't bother about this, I'll do the fix.