
Password Force Change


adrian

Hi everyone,

Here's a little module that allows you to force users to change their password on their first login, or at any time if you manually force it.

http://modules.processwire.com/modules/password-force-change/

https://github.com/adrianbj/PasswordForceChange

Key Features

  • During install it creates a new checkbox field in the user template, "force_passwd_change".
  • Automatic checking of this checkbox when creating a new user is determined by the "Automatic Force Change" module config setting.
  • When a user logs in for the first time (or if you have manually checked that field for an existing user), they will be warned that they have to change their password and they'll be automatically redirected to their profile page.
  • They must change their password to something new - they are not allowed to re-enter their existing password.
  • Bulk "Set All Users" option to force all users (by selected roles) to change their password at any time.

Hopefully some of you will find it useful and please let me know if you have any suggested changes/enhancements. 

PS I used the new info.json way of defining the module details, so it requires PW 2.4.3+ 


Thanks Adrian! This has been on my to-do list for a while, looks like I can tick it off now. Benefits of free software -- just wait long enough and someone will solve it for you ;)

The way I've seen this implemented before was a checkbox titled "Force password change on next login", which was unchecked when a password was changed. That would slightly simplify things by removing the need to check it for existing users.. and perhaps make things a bit easier to understand if you want to use it at some point later (for some reason unchecking "password changed" sounds weird).

Just saying, doesn't matter much either way. The module looks great and I look forward to using it.. on all of our sites :)

Edit: by the way, would you mind specifying a license for this module? I'm not suspicious of your motives or anything (honestly), it's just that I try to avoid any code where licensing isn't clearly stated, and modules are no exception here :)


Hey teppo,

Thanks for the thoughts on the checkbox issue. I agree that unchecking "password changed" does sound weird :) My reasoning for going this way was because I was wanting to avoid the need for an additional step (checking the checkbox) when creating a new user. I thought, maybe incorrectly, that anyone using this module would want to ensure that all new users are required to change their password when they first log in. My approach to setting up admin users is to send them all the same initial password and ask them to change it immediately. I wonder if a better approach might be to use a dropdown select that is a required field when setting up a new user. It could be called "force password change" and have a blank default and then "yes" and "no" options. It's still an extra step when setting up a user, but at least this way I can ensure the superuser doesn't forget to do it. Any thoughts on whether this would be a more logical setup?

Thanks for the reminder on the license - I actually haven't been good with that for any of my modules - mostly because of ignorance/trust with these sorts of things. I'll take care of it shortly and also check my other modules and do the same.

PS Minor fix committed this morning - I woke up realizing that I had hardcoded the path to the profile page :)

EDIT: Do you, or anyone else, know why I can't set the collapsed state of the pass field via the API? I can do it with other system fields, but not this one. You'll see in my code two commented blocks where I try to set it to open before the redirect and then set it to collapsed after they have changed their password.


Just discovered a bit of a gotcha - if the new user does not have "profile-edit (User can update profile/password)" permission they obviously won't be able to change their password, so just committed an update that checks for this permission and warns that it needs adding.


I wonder if a better approach might be to use a dropdown select that is a required field when setting up a new user. It could be called "force password change" and have a blank default and then "yes" and "no" options. It's still an extra step when setting up a user, but at least this way I can ensure the superuser doesn't forget to do it.

teppo - I thought through this a little more and realized that any multi field would not be a good idea as it would involve associated pages and templates for the yes/no options, so I have gone back to the checkbox, but reversed it to be a "Force password change on next login" checkbox as you suggested. However I have added a module config setting called "Automatic Force Change" and if this is checked, then the "Force password change on next login" checkbox gets automatically checked when creating a new user. I think this solves all the issues of:

  • Confusion over the reverse checked and the strange "Password Changed" label.
  • With the automatic force change checked, there is no extra step required when creating a new user, but there is also the flexibility for the superuser to turn this off so it has to become an active selection to force the password change.
  • Existing users are left untouched, which is cleaner.

I am pretty convinced this new approach is better in all ways but I'd like to hear any feedback before I commit the changes to Github, in particular from you teppo if you have a minute to think about it.

I am attaching the new version here for testing/review. Please make sure you uninstall the old version first to make sure the old passwd_changed field is removed.

If I don't hear anything back by tomorrow, I'll commit this version anyway :)

EDIT: Removed attached version to avoid confusion since it is now on Github.


 was worried about the scalability of old method when user count was in thousands. 

Agreed - that occurred to me yesterday too.

Thank you both for the feedback - changes have been committed to Github and the module has been submitted to the modules directory.


Now available in the modules directory:

http://modules.processwire.com/modules/password-force-change/

For anyone who might have downloaded early on, please grab the latest version. There was an important fix two days ago that now prevents users from simply navigating away from their profile page to another page in the admin. Now they can't do anything in the admin until their password has been changed.


Another bug fix and enhancement just committed.

There is now a batch "Set All Users" option which allows you to easily force existing users to change their password. Selection of users is possible via roles so you can limit the enforcement to just specific roles, or all if needed. If you mess up, there is also a simple way to clear the requirement for everyone as well.

This addition was in response to teppo's comment in his ProcessWire Weekly post: "easily forcing periodic password changes for users" - now it really is easy to force periodic changes, so thanks for the suggestion :)

The bug fix is for PW sites installed in a subdirectory - thanks also to teppo for reporting this.


Sorry for the constant updates :)

Definitely recommended to update to the latest version as it adds better handling for users without profile-edit permission.

  1. As well as the warning, it now also unchecks the force password change checkbox if the user doesn't have profile-edit permission
  2. The Set All Users role selection is now limited to only those roles with profile-edit permission

Hopefully that will be all the changes for a while, unless someone has any suggestions.

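The enforcement flow described in the posts above (redirect everything except the profile page until the password is changed, reject re-use of the existing password, clear the flag when `profile-edit` is missing), as an added example that is not the module's own code. It is plain PHP with no ProcessWire API calls: `gateRequest()`, `acceptNewPassword()`, the `$user` array keys, the `/admin/profile/` path and the use of `password_hash()`/`password_verify()` in place of ProcessWire's password handling are all assumptions made for illustration.

```php
<?php
// Added illustration, not code from PasswordForceChange; no ProcessWire API is used.
// Hypothetical names: gateRequest(), acceptNewPassword(), the $user array keys.

/**
 * Decide what to do with a request from a logged-in user.
 * $rootUrl is the site root ("/" or "/subdir/"), so the profile URL is derived
 * from it rather than hardcoded (assumed admin path: admin/profile/).
 */
function gateRequest(array $user, string $requestUri, string $rootUrl): array
{
    if (empty($user['force_passwd_change'])) {
        return ['action' => 'allow'];
    }
    // A user without profile-edit can never satisfy the requirement:
    // clear the flag and warn instead of locking the account out.
    if (!in_array('profile-edit', $user['permissions'], true)) {
        return ['action' => 'clear_flag', 'warn' => 'profile-edit permission is missing'];
    }
    $profileUrl = rtrim($rootUrl, '/') . '/admin/profile/';
    // Compare paths only, so a query string on the profile URL still matches.
    $path = (string) parse_url($requestUri, PHP_URL_PATH);
    if (rtrim($path, '/') === rtrim($profileUrl, '/')) {
        return ['action' => 'allow'];   // the only page reachable while flagged
    }
    return ['action' => 'redirect', 'to' => $profileUrl];
}

/** Accept a password change only if it differs from the current password. */
function acceptNewPassword(array &$user, string $newPassword): bool
{
    if ($newPassword === '' || password_verify($newPassword, $user['pass_hash'])) {
        return false;                   // existing password re-entered: flag stays set
    }
    $user['pass_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $user['force_passwd_change'] = false;
    return true;
}

// Constructed sample user for the walk-through.
$user = [
    'name' => 'editor1',
    'permissions' => ['page-edit', 'profile-edit'],
    'force_passwd_change' => true,
    'pass_hash' => password_hash('Initial-Pass-1', PASSWORD_DEFAULT),
];

// While flagged: any admin page redirects, the profile page is allowed.
foreach (['/subdir/admin/page/', '/subdir/admin/profile/?modal=1'] as $uri) {
    echo $uri, ' => ',
        json_encode(gateRequest($user, $uri, '/subdir/'), JSON_UNESCAPED_SLASHES), "\n";
}
var_dump(acceptNewPassword($user, 'Initial-Pass-1'));     // re-used password
var_dump(acceptNewPassword($user, 'A-different-pass-2')); // new password
// After a successful change the same admin page is no longer redirected.
echo json_encode(gateRequest($user, '/subdir/admin/page/', '/subdir/')), "\n";
```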

  • 1 year later...

Hi everyone,

Thanks to a request from @Ralf, this module now also works on the front-end. If you have set up your own login form and profile editing forms you can enable this for the front-end and specify a URL to redirect to for the user to change their password.


  • 2 years later...

I had to uninstall this one. Is it compatible with pw 3.0.96? Once installed I set the frontend login URL for profile edit to the correct frontend page (/member-login/?profile=1 using Ryan's Login/Register/Profile module) and I get an Internal error. Won't load the page.

Additionally I set it to force all users with the "member" role to change password and as a superuser I get the message to change my password. I don't have the member role. When I set it to clear superuser, on next login I get the same message to change my password.


@digitex - I am using it with no problems on 3.0.99

Can you make sure PW debug mode is on to see if there is any further info about the internal server error and maybe check your error logs.

I also just tested the option to force all users with a particular role to have to change their password and it worked fine - set it for that role, but no impact on my superuser account.

Maybe there is some interaction with Ryan's module that I haven't tested. I don't have time to look into it at the moment, but if you wouldn't mind investigating and letting me know more details of the issue, I'll make any required changes.

 

 


@adrian I suspect you're right that it may be a specific issue with Ryan's module. With Login/Register/Profile the profile page is the same as the login page and the profile UI is loaded with a GET variable. It may be the GET variable in the Frontend Login URL that's causing the error. When logging in using a member's credentials it does try to redirect to the profile page but throws an error when it gets there.

As for the superuser role getting the password change notice I will have to get back to you.

When I get a minute I'll reinstall and enable debug. I would love to use it; I'm importing 250 user accounts and need to ensure everybody updates their password.


  • 2 years later...
1 hour ago, kater said:

Using it with Login Register Pro and frontpage redirect (https://www.../login-register/?profile=1) it redirects infinitely.

Hi @kater - what do you have set for the Frontend Login URL setting - is it set to login-register/?profile=1 ?

Is it set to a full URL, or root relative?

Does adjusting that help?


happens with either setting.

relative shows in the url.

https://www.../login-register/login-register/login-register/login-register/login-register/login-register/login-register/login-register/login-register/login-register/login-register/login-register/login-register/login-register/login-register/login-register/login-register/?profile=1

 

thanks


@kater - I just tested with: /?profile=1 (where the LRP module was instantiated for all pages) and also another option with /login-register/?profile=1 (where it was instantiated for just the page with the name "login-register") and both work as expected. 

I am not very familiar with the LoginRegisterPro module, but at the moment I am not sure where the infinite redirects might be coming from, but I don't think it's from the Password Force Change module.


  • 2 weeks later...

Hello @adrian,

Would it be possible to make the fields which are displayed in the user profile "translatable"?

I am talking about lines 109 and 261-264 in your code?
https://github.com/adrianbj/PasswordForceChange/blob/master/PasswordForceChange.module.php#L261

 

Furthermore I am currently building the code into an LRP module from ryan and I would like to display the message in the front-end that the user has to change his password now.
How do I display this again? Sorry I am standing a little bit on the hose right now... 🙈

Thanks cu Ralf


Hi @Ralf - that checkbox field label, description, and notes should be translatable already. You can see here on a site I have with English and Portuguese:

[Screenshot]

The "load on frontend" option should make it work with LRP. I did just commit one change that allows translating of the note that says: "You must change your password now".

Hope that gets you going.


Hello @adrian,

... yes, if you look under "Admin -> Setup -> Fields -> force_passwd_change" this is also possible *am I stupid* 🙈
I looked it up under Language and didn't have the idea to look under Fields... sorry. Of course you can find everything there and enter everything you want.

Secondly, thanks yes, I have now found the translation in the language files and translated it immediately ("You must change your password now").

But as far as my actual topic with the "output" is concerned, it still doesn't work.

My question here is, do I have to add any code to the PHP template file of LRP (login-register.php) in the frontend to output exactly this message "You must change your password now"? Because this message is currently not displayed in the frontend? (but in the backend I see this message)


@Ralf - I am glad you got the translation stuff sorted out.

The "You must change your password now" text is added as a note to the "pass" field when it is rendered. So if this module is successfully redirecting to the profile editing screen of LRP, then it should display that note - if not, then it might be a question for Ryan to see if he can support this module within LRP by displaying the note, or suggesting some other way for this module to inject that note.
