def user():
    if request.args(0) == 'login':
        custom_auth_table.password.requires.pop(0)
    return dict(form=auth())

The default password validator is CRYPT(key=settings.hmac_key, 
min_length=settings.password_min_length), and the auth.login() method 
automatically resets the min_length parameter to 0 during login. But if you 
are using your own validators, you are responsible for changing them for 
login if necessary.

Anthony

On Tuesday, November 22, 2016 at 7:47:42 AM UTC-5, Marvix wrote:
>
> Hello, 
>
> start using web2py for a production application. Very satisfied with it!!
>
> Just a question, I added this:
>
> custom_auth_table.password.requires =  [IS_STRONG(min=8, special=2, 
> upper=3), CRYPT()]
>  
> but it seems that the validator is applied not only in the change password 
> form but also in the "normal" login form. 
>
> I don't know if this is the desired way, but it can lead to unwanted side 
> effects, for example:
>
> at some point the administrator decide to improve the strength of the 
> password, so the above line of code is changed for example in: (min=10, 
> special=3, upper=4).
> After that many users will not be able to login again and they are all 
> forced to change the password immediatly. I think this may problematic.
>
> second case (and this is my case...):
> the system have 2 distinct authorization systems. The "normal auth DB" 
> system and an LDAP system. 
> on the LDAP system the rules of the password are different, so a password 
> accepted by LDAP may not be ok with the requirements of the web2py 
> validators. 
> In this case an LDAP user, with a "good" LDAP password could not be 
> accepted in the web2py application, and could be problematic to explain to 
> users that password accepted for the LDAP system are not accepted in the 
> web2py application. 
>
> Would be better to check the strength of the password only in the "change 
> password" form? so the above rule is applied to the web2py password and not 
> to the LDAP ones?
> or, if this not the desired default behaviour, is there a way to manually 
> configure not to apply the validator on the login form?
>
> Thanks, 
> Marvi
>
>
>
>
>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to