def user():
if request.args(0) == 'login':
custom_auth_table.password.requires.pop(0)
return dict(form=auth())
The default password validator is CRYPT(key=settings.hmac_key,
min_length=settings.password_min_length), and the auth.login() method
automatically resets the min_length parameter to 0 during login. But if you
are using your own validators, you are responsible for changing them for
login if necessary.
Anthony
On Tuesday, November 22, 2016 at 7:47:42 AM UTC-5, Marvix wrote:
>
> Hello,
>
> start using web2py for a production application. Very satisfied with it!!
>
> Just a question, I added this:
>
> custom_auth_table.password.requires = [IS_STRONG(min=8, special=2,
> upper=3), CRYPT()]
>
> but it seems that the validator is applied not only in the change password
> form but also in the "normal" login form.
>
> I don't know if this is the desired way, but it can lead to unwanted side
> effects, for example:
>
> at some point the administrator decide to improve the strength of the
> password, so the above line of code is changed for example in: (min=10,
> special=3, upper=4).
> After that many users will not be able to login again and they are all
> forced to change the password immediatly. I think this may problematic.
>
> second case (and this is my case...):
> the system have 2 distinct authorization systems. The "normal auth DB"
> system and an LDAP system.
> on the LDAP system the rules of the password are different, so a password
> accepted by LDAP may not be ok with the requirements of the web2py
> validators.
> In this case an LDAP user, with a "good" LDAP password could not be
> accepted in the web2py application, and could be problematic to explain to
> users that password accepted for the LDAP system are not accepted in the
> web2py application.
>
> Would be better to check the strength of the password only in the "change
> password" form? so the above rule is applied to the web2py password and not
> to the LDAP ones?
> or, if this not the desired default behaviour, is there a way to manually
> configure not to apply the validator on the login form?
>
> Thanks,
> Marvi
>
>
>
>
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
