Hello, 

I started using web2py for a production application. Very satisfied with it!!

Just a question, I added this:

custom_auth_table.password.requires = [IS_STRONG(min=8, special=2, upper=3), CRYPT()]
 
but it seems that the validator is applied not only in the change password 
form but also in the "normal" login form. 

I don't know if this is the desired way, but it can lead to unwanted side 
effects, for example:

At some point the administrator decides to improve the strength of the 
password, so the above line of code is changed, for example, to (min=10, 
special=3, upper=4).
After that many users will not be able to log in again and they are all 
forced to change the password immediately. I think this may be problematic.

Second case (and this is my case...):
the system has 2 distinct authorization systems, the "normal auth DB" 
system and an LDAP system. 
On the LDAP system the rules for the password are different, so a password 
accepted by LDAP may not be ok with the requirements of the web2py 
validators. 
In this case an LDAP user with a "good" LDAP password could not be 
accepted in the web2py application, and it could be problematic to explain to 
users that passwords accepted by the LDAP system are not accepted in the 
web2py application. 

Would it be better to check the strength of the password only in the "change 
password" form, so that the above rule is applied to the web2py password and not 
to the LDAP ones?
Or, if this is not the desired default behaviour, is there a way to manually 
configure it not to apply the validator on the login form?

Thanks, 
Marvi
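Added example (not from Marvi's post and not web2py's code) showing the split the post asks for: login verifies the stored hash only, and the strength policy runs only when a new password is set, so tightening the policy afterwards does not lock existing users out. It assumes a plain dict as the user store; the IS_STRONG and CRYPT stand-ins are constructed for this example.

```python
import hashlib
import hmac
import os
import string

# Stand-in for web2py's IS_STRONG(min, special, upper), written for this example
# (not web2py's own code): counts length, special characters and uppercase letters.
def strength_errors(password, min=8, special=2, upper=3):
    errors = []
    if len(password) < min:
        errors.append("at least %d characters" % min)
    if sum(c in string.punctuation for c in password) < special:
        errors.append("at least %d special characters" % special)
    if sum(c.isupper() for c in password) < upper:
        errors.append("at least %d uppercase letters" % upper)
    return errors

# Stand-in for CRYPT(): salted PBKDF2-SHA256, verified with a constant-time compare.
def crypt(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def verify(password, stored):
    salt_hex = stored.split("$")[0]
    return hmac.compare_digest(crypt(password, bytes.fromhex(salt_hex)), stored)

# Login only checks the stored hash; the strength policy is never consulted,
# so tightening the policy later cannot lock existing users out.
def login(users, name, password):
    stored = users.get(name)
    return stored is not None and verify(password, stored)

# The policy applies only when a new password is set (in a web2py controller the
# usual way to get this split is attaching IS_STRONG only when request.args(0) == 'change_password').
def change_password(users, name, old, new, policy):
    if not login(users, name, old):
        return ["old password incorrect"]
    errors = strength_errors(new, **policy)
    if not errors:
        users[name] = crypt(new)
    return errors

def scenario():
    users = {"marvi": crypt("ABCdef!!1")}  # constructed; passes min=8, special=2, upper=3
    tightened = dict(min=10, special=3, upper=4)  # admin raises the requirements
    still_logs_in = login(users, "marvi", "ABCdef!!1")
    rejected_as_new = change_password(users, "marvi", "ABCdef!!1", "ABCdef!!1", tightened)
    return still_logs_in, rejected_as_new
```

Under the tightened policy the old password still logs in but is rejected with three errors when offered as a new password, which is the behaviour the post wants instead of a lockout.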



