def user(): if request.args(0) == 'login': custom_auth_table.password.requires.pop(0) return dict(form=auth())
The default password validator is CRYPT(key=settings.hmac_key, min_length=settings.password_min_length), and the auth.login() method automatically resets the min_length parameter to 0 during login. But if you are using your own validators, you are responsible for changing them for login if necessary. Anthony On Tuesday, November 22, 2016 at 7:47:42 AM UTC-5, Marvix wrote: > > Hello, > > start using web2py for a production application. Very satisfied with it!! > > Just a question, I added this: > > custom_auth_table.password.requires = [IS_STRONG(min=8, special=2, > upper=3), CRYPT()] > > but it seems that the validator is applied not only in the change password > form but also in the "normal" login form. > > I don't know if this is the desired way, but it can lead to unwanted side > effects, for example: > > at some point the administrator decide to improve the strength of the > password, so the above line of code is changed for example in: (min=10, > special=3, upper=4). > After that many users will not be able to login again and they are all > forced to change the password immediatly. I think this may problematic. > > second case (and this is my case...): > the system have 2 distinct authorization systems. The "normal auth DB" > system and an LDAP system. > on the LDAP system the rules of the password are different, so a password > accepted by LDAP may not be ok with the requirements of the web2py > validators. > In this case an LDAP user, with a "good" LDAP password could not be > accepted in the web2py application, and could be problematic to explain to > users that password accepted for the LDAP system are not accepted in the > web2py application. > > Would be better to check the strength of the password only in the "change > password" form? so the above rule is applied to the web2py password and not > to the LDAP ones? > or, if this not the desired default behaviour, is there a way to manually > configure not to apply the validator on the login form? > > Thanks, > Marvi > > > > > -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.