adrian

Password Force Change


Hi everyone,

Here's a little module that allows you to force users to change their password on their first login, or at any time if you manually force it.

http://modules.processwire.com/modules/password-force-change/

https://github.com/adrianbj/PasswordForceChange

Key Features

  • During install it creates a new checkbox field in the user template, "force_passwd_change".
  • Automatic checking of this checkbox when creating a new user is determined by the "Automatic Force Change" module config setting.
  • When a user logs in for the first time (or if you have manually checked that field for an existing user), they will be warned that they have to change their password and they'll be automatically redirected to their profile page.
  • They must change their password to something new - they are not allowed to re-enter their existing password.
  • Bulk "Set All Users" option to force all users (by selected roles) to change their password at any time.

Hopefully some of you will find it useful and please let me know if you have any suggested changes/enhancements. 

PS I used the new info.json way of defining the module details, so it requires PW 2.4.3+ 

Edited by adrian
Updated module features information

Thanks Adrian! This has been on my to-do list for a while, looks like I can tick it off now. Benefits of free software -- just wait long enough and someone will solve it for you ;)

The way I've seen this implemented before was a checkbox titled "Force password change on next login", which was unchecked when a password was changed. That would slightly simplify things by removing the need to check it for existing users.. and perhaps make things a bit easier to understand if you want to use it at some point later (for some reason unchecking "password changed" sounds weird).

Just saying, doesn't matter much either way. The module looks great and I look forward to using it.. on all of our sites :)

Edit: by the way, would you mind specifying a license for this module? I'm not suspicious of your motives or anything (honestly), it's just that I try to avoid any code where licensing isn't clearly stated, and modules are no exception here :)

Edited by teppo


Hey teppo,

Thanks for the thoughts on the checkbox issue. I agree that unchecking "password changed" does sound weird :) My reasoning for going this way was because I was wanting to avoid the need for an additional step (checking the checkbox) when creating a new user. I thought, maybe incorrectly, that anyone using this module would want to ensure that all new users are required to change their password when they first log in. My approach to setting up admin users is to send them all the same initial password and ask them to change it immediately. I wonder if a better approach might be to use a dropdown select that is a required field when setting up a new user. It could be called "force password change" and have a blank default and then "yes" and "no" options. It's still an extra step when setting up a user, but at least this way I can ensure the superuser doesn't forget to do it. Any thoughts on whether this would be a more logical setup?

Thanks for the reminder on the license - I actually haven't been good with that for any of my modules - mostly because of ignorance/trust with these sorts of things. I'll take care of it shortly and also check my other modules and do the same.

PS Minor fix committed this morning - I woke up realizing that I had hardcoded the path to the profile page :)

EDIT: Do you, or anyone else, know why I can't set the collapsed state of the pass field via the API? I can do it with other system fields, but not this one. You'll see in my code two commented blocks where I try to set it to open before the redirect and then set it to collapsed after they have changed their password.

Edited by adrian

Just discovered a bit of a gotcha - if the new user does not have "profile-edit (User can update profile/password)" permission they obviously won't be able to change their password, so just committed an update that checks for this permission and warns that it needs adding.

> I wonder if a better approach might be to use a dropdown select that is a required field when setting up a new user. It could be called "force password change" and have a blank default and then "yes" and "no" options. It's still an extra step when setting up a user, but at least this way I can ensure the superuser doesn't forget to do it.

teppo - I thought through this a little more and realized that any multi field would not be a good idea as it would involve associated pages and templates for the yes/no options, so I have gone back to the checkbox, but reversed it to be a "Force password change on next login" checkbox as you suggested. However I have added a module config setting called "Automatic Force Change" and if this is checked, then the "Force password change on next login" checkbox gets automatically checked when creating a new user. I think this solves all the issues of:

  • Confusion over the reverse checked and the strange "Password Changed" label.
  • With the automatic force change checked, there is no extra step required when creating a new user, but there is also the flexibility for the superuser to turn this off so it has to become an active selection to force the password change.
  • Existing users are left untouched, which is cleaner.

I am pretty convinced this new approach is better in all ways but I'd like to hear any feedback before I commit the changes to Github, in particular from you teppo if you have a minute to think about it.

I am attaching the new version here for testing/review. Please make sure you uninstall the old version first to make sure the old passwd_changed field is removed.

If I don't hear anything back by tomorrow, I'll commit this version anyway :)

EDIT: Removed attached version to avoid confusion since it is now on Github.


Much better. I was worried about the scalability of old method when user count was in thousands.


Sounds good to me! Config setting is a good idea too :)

> I was worried about the scalability of old method when user count was in thousands.

Agreed - that occurred to me yesterday too.

Thank you both for the feedback - changes have been committed to Github and the module has been submitted to the modules directory.


Now available in the modules directory:

http://modules.processwire.com/modules/password-force-change/

For anyone who might have downloaded early on, please grab the latest version. There was an important fix two days ago that now prevents users from simply navigating away from their profile page to another page in the admin. Now they can't do anything in the admin until their password has been changed.


Another bug fix and enhancement just committed.

There is now a batch "Set All Users" option which allows you to easily force existing users to change their password. Selection of users is possible via roles so you can limit the enforcement to just specific roles, or all if needed. If you mess up, there is also a simple way to clear the requirement for everyone as well.

This addition was in response to teppo's comment in his ProcessWire Weekly post: "easily forcing periodic password changes for users" - now it really is easy to force periodic changes, so thanks for the suggestion :)

The bug fix is for PW sites installed in a subdirectory - thanks also to teppo for reporting this.


Sorry for the constant updates :)

Definitely recommended to update to the latest version as it adds better handling for users without profile-edit permission.

  1. As well as the warning, it now also unchecks the force password change checkbox if the user doesn't have profile-edit permission
  2. The Set All Users role selection is now limited to only those roles with profile-edit permission

Hopefully that will be all the changes for a while, unless someone has any suggestions.

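
The enforcement rules described across the posts above (redirect to the profile page until the password is changed, no reuse of the existing password, flag cleared for users without profile-edit), as an added standalone PHP example. It is not the module's code and does not use the ProcessWire API; the User class, PROFILE_URL, the function names and the sample data are hypothetical, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a user record. In the module, the flag is the
// "force_passwd_change" checkbox field on the user template.
final class User
{
    public function __construct(
        public string $passHash,
        public bool $forcePasswdChange,
        public array $permissions = [],
    ) {}
}

const PROFILE_URL = '/admin/profile/'; // assumed location of the profile page

// Decide what happens to a request made by a logged-in user.
function gateRequest(User $user, string $requestUri): string
{
    if (!$user->forcePasswdChange) {
        return 'allow';
    }
    // Without profile-edit the user can never satisfy the requirement, so
    // clear the flag instead of locking the account out of the admin.
    if (!in_array('profile-edit', $user->permissions, true)) {
        $user->forcePasswdChange = false;
        return 'allow';
    }
    // Compare on the path only; an unparsable URI falls through to redirect.
    $path = rtrim((string) parse_url($requestUri, PHP_URL_PATH), '/') . '/';
    return $path === PROFILE_URL ? 'allow' : 'redirect ' . PROFILE_URL;
}

// Accept a new password only if it differs from the current one.
function changePassword(User $user, string $newPass): bool
{
    if ($newPass === '' || password_verify($newPass, $user->passHash)) {
        return false; // empty or same as the existing password
    }
    $user->passHash = password_hash($newPass, PASSWORD_DEFAULT);
    $user->forcePasswdChange = false; // requirement met
    return true;
}

// Constructed sample data: a new editor with the shared initial password,
// and an account that lacks profile-edit.
$editor = new User(password_hash('Initial-Pass-1', PASSWORD_DEFAULT), true, ['profile-edit']);
$viewer = new User(password_hash('Initial-Pass-1', PASSWORD_DEFAULT), true, []);

foreach (['/admin/page/edit/?id=1', '/admin/profile'] as $uri) {
    printf("%-24s => %s\n", $uri, gateRequest($editor, $uri));
}
printf("reuse accepted:  %s\n", var_export(changePassword($editor, 'Initial-Pass-1'), true));
printf("new accepted:    %s\n", var_export(changePassword($editor, 'c0rrect-horse-staple'), true));
printf("after change     => %s\n", gateRequest($editor, '/admin/page/edit/?id=1'));
printf("no profile-edit  => %s (flag now %s)\n",
    gateRequest($viewer, '/admin/'), var_export($viewer->forcePasswdChange, true));
```

The gate runs on every request rather than only at login, which is what stops a user from navigating away from the profile page before the change is made.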

Hi everyone,

Thanks to a request from @Ralf, this module now also works on the front-end. If you have set up your own login form and profile editing forms you can enable this for the front-end and specify a URL to redirect to for the user to change their password.


I had to uninstall this one. Is it compatible with pw 3.0.96? Once installed I set the frontend login URL for profile edit to the correct frontend page (/member-login/?profile=1 using Ryan's Login/Register/Profile module) and I get an Internal error. Won't load the page.

Additionally I set it to force all users with the "member" role to change password and as a superuser I get the message to change my password. I don't have the member role. When I set it to clear superuser, on next login I get the same message to change my password.


@digitex - I am using it with no problems on 3.0.99

Can you make sure PW debug mode is on to see if there is any further info about the internal server error and maybe check your error logs.

I also just tested the option to force all users with a particular role to have to change their password and it worked fine - set it for that role, but no impact on my superuser account.

Maybe there is some interaction with Ryan's module that I haven't tested. I don't have time to look into it at the moment, but if you wouldn't mind investigating and letting me know more details of the issue, I'll make any required changes.


@adrian I suspect you're right that it may be a specific issue with Ryan's module. With Login/Register/Profile the profile page is the same as the login page and the profile UI is loaded with a GET variable. It may be the GET variable in the Frontend Login URL that's causing the error. When logging in using a member's credentials it does try to redirect to the profile page but throws an error when it gets there.

As for the superuser role getting the password change notice I will have to get back to you.

When I get a minute I'll reinstall and enable debug. I would love to use it; I'm importing 250 user accounts and need to ensure everybody updates their password.

