Ticket #13724 (new PLIP)

Opened 3 years ago

Last modified 21 months ago

Make default Plone password policy support regexp

Reported by: gbastien Owned by:
Priority: major Milestone: 5.0
Component: Unknown Version: 4.3
Keywords: Cc:

Description

For now, it is a bit complicated to extend password policy in Plone 4.3.1+ because we need to write a complete password policy, maybe inheriting from the default Plone password policy. If the default Plone password policy could support regexp, it could still work with the current Plone policy (5 chars long password) and we could replace the regexp with something more accurate.

I would propose to add a field "regexp" to the Plone default password policy add form that would contain something like 're.search(r'....', password)' that would cover the current Plone password policy needs.

This would make Plone default policy something configurable that could cover several needs. We could provide examples. Plone 5 chars length password is often too low for several needs...

We were about to write a separate plugin like collective.regexppasswordpolicy, but if it could be done in the default Plone password policy plugin, I think it would be largely better. If this is ok, we can work on it, adapt Plone and PlonePAS necessary code and tests...

Thank you ;-)

Gauthier

Change History

comment:1 Changed 3 years ago by gbastien

  • Priority changed from minor to major
  • Type changed from Bug to PLIP

comment:2 Changed 3 years ago by garbas

  • Milestone changed from 4.x to 5.0

we already started to work on 5.0 and there won't be any 4.4 release of Plone, therefore I'm changing the milestone to 5.0.

and while we're at it and since we're doing a bigger release I would make password checking a bit stronger by default. a big plus would be to have some nice UI that shows how strong your password is.

comment:3 Changed 3 years ago by gbastien

Hi garbas,

we could make a first step for Plone 4.3.3? where we could pass a regexp pattern to the password policy being by default something like r'.....' so it fits the Plone use case and is already possible to customize having a "not so nice but usable UI", I mean the ZMI and acl_users password_policy plugin edit form... Then extend it and have a nice part in the Plone UI to configure it...

Plone 5 is the next release but we need this now and either we build it in Plone or in a separated package (that could be merged after obviously...)... It is just to know where we do it now ;-) This should be done before end of this year and already available in 4.3.3 or 4.3.4 if it is of any interest... We have "time" to include it properly in Plone or in a separated package.

Thank you for your response ;-)

Gauthier

comment:4 Changed 3 years ago by garbas

hi gauthier,

as much as I want this (and I really really do) I would suggest you do it in a separate addon which can be used with Plone 4.3 (like we did with plone.app.event/widgets/toolbar/contenttypes/multilingual/...). we don't want to introduce some new feature in a bugfix release right? ppl don't expect this and not breaking expectations is important.

also let's make plone 5.0 happen this year then :) it's possible if we set our mind to it!!! anyway I'll make sure this will be discussed at the next FWT meeting (in 2 weeks).

comment:5 Changed 3 years ago by gbastien

Hi,

we can do it in a separate package, it will be based on the existing Plone password policy plugin, the important thing to us is for Plone to become better and better and this functionality is not only necessary to us but is necessary to Plone I think so it becomes more and more a web application platform.

Thank you for taking this need into account!

Good night,

Gauthier

comment:6 Changed 3 years ago by davisagli

It's already possible to customize the password policy; I don't think we should add another way to do something that is already possible. I think the default password policy could be changed, but I'm -1 on adding another setting for this.

comment:7 Changed 3 years ago by garbas

@davisagli: I've searched a bit on google and developer.plone.org and I couldn't find any docs on how to change the password policy. can you point us to the code part and let's see if Gauthier could use that and build on top of that.

comment:8 Changed 3 years ago by gbastien

@davisagli: Same question ;-)

comment:9 Changed 3 years ago by davisagli

See https://github.com/collective/Products.PasswordStrength/blob/4.3/Products/PasswordStrength/plugin.py for an example. (Note the use of the 4.3 branch. This takes advantage of the changes made by https://dev.plone.org/ticket/10959 so that monkey patching the registration tool isn't necessary.)

comment:10 Changed 2 years ago by thet

I'm also against the current proposal. While having a possibility to set password policies is a good idea, I dislike the proposal to set something complex through the web via a form (especially something like 're.search(r'....', password)', which would need to be evaluated via eval, which is eval). A utility or adapter would be better suited, in my opinion. If this is covered by David's references given above, we'd already have such a way...
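To make the difference between the description's "regexp field" idea and the concern raised in comment:10 concrete, here is an added example (not code from Plone, PlonePAS or Products.PasswordStrength): the administrator-supplied string is treated as a pattern for `re.compile`, never as a Python expression, the default 5-character rule is written as such a pattern, and a broken pattern fails closed. The `validate_password` return shape mirrors what a PlonePAS validation plugin's `validateUserInfo` returns, which is an assumption here; the `DEFAULT_PASSWORD_PATTERN` value is also constructed for this example.

```python
import re

# Constructed for this example: the default Plone rule mentioned in the
# ticket (at least 5 characters), written as a regexp pattern string.
DEFAULT_PASSWORD_PATTERN = r"^.{5,}$"


def compile_policy_pattern(pattern):
    """Compile an administrator-supplied pattern string.

    The stored value is only data handed to re.compile; it is never
    executed as Python.  A malformed pattern raises re.error.
    """
    return re.compile(pattern)


def validate_password(password, pattern=DEFAULT_PASSWORD_PATTERN):
    """Check a password against a regexp policy.

    Returns a list of error dicts shaped like the ones a PlonePAS
    IValidationPlugin hands back from validateUserInfo (assumed shape:
    {'id': 'password', 'error': <message>}); an empty list means OK.
    A misconfigured pattern fails closed: the password is rejected and
    the error names the configuration problem instead of silently
    accepting everything.
    """
    try:
        compiled = compile_policy_pattern(pattern)
    except re.error as exc:
        return [{"id": "password",
                 "error": "Password policy misconfigured: %s" % exc}]
    if compiled.search(password) is None:
        return [{"id": "password",
                 "error": "Password does not satisfy the site policy."}]
    return []


def validate_password_eval(password, expression):
    """The form of check the description proposes, shown only for contrast.

    The stored string is executed as Python by eval, so anyone who can
    edit the plugin setting can run code inside the Zope process, and a
    harmless-looking expression such as "True" disables the check.
    This is the problem comment:10 points at; do not use this form.
    """
    return bool(eval(expression, {"re": re, "password": password}))
```

The same `validate_password` works for stricter patterns (for example one requiring a digit and an upper-case letter), which is how a site could tighten the default without writing a whole new plugin.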

comment:11 Changed 2 years ago by garbas

@gbastien you think you could update the implementation based on the code from P.PasswordStrength?

i think most of the framework team agrees this feature would be a nice addition when implemented correctly.

comment:12 Changed 2 years ago by gbastien

Hi @garbas,

do you mean update current Plone behaviour with code coming from P.PasswordStrength? Actually we will have to work on this before the end of the year, we could use P.PasswordStrength but I think this could go to Plone with a default regexp that manages the current Plone password policy (5 chars...). We could also add relevant configuration UI in the @@security-controlpanel.

Anyway, could you please be more precise?

Thank you and have a nice weekend,

Gauthier

comment:13 Changed 2 years ago by garbas

@gbastien,

I don't think we need yet another package in Plone, so just extend the existing password policy code.

as a first step only read the relevant configuration from plone.app.registry. later when you get further feedback from the framework team you can finish the PLIP by exposing options via @@security-controlpanel.

comment:14 Changed 2 years ago by gbastien

Hi,

@garbas, @davisagli, what about relying on that kind of package :  http://pydoc.net/Python/z3c.password/0.11.1/z3c.password.password/

I think using a regexp is ok but having explicit functionality is better... What about Plone depending on that package and the policy relying on sub methods of that package? We could have different fields in our policy corresponding to what is doable in z3c.password and let it do the verification job?

Thank you for your advice,

Gauthier

comment:15 Changed 2 years ago by davisagli

Plone core is too big and so we are strongly biased against adding new packages. For me it's enough that Plone core provides a plugin point for add-ons to check the password, which is already the case.

comment:16 Changed 2 years ago by garbas

@gbastien adding a new package is definitely not what we want. we want to have a slimmer Plone core which is possible to extend. if it's not easily possible to do this in the current core then create a Plone addon. it's ok if some Plone extensions are outside Plone core.

comment:17 Changed 23 months ago by djay

Products.PasswordStrength is in the collective. Is there any reason not to work on that codebase? Adding some tests, adding it to travis, adding a Plone UI can all be done easily. Contributions are very much welcome.

comment:18 Changed 23 months ago by gbastien

Hi djay,

yes, we intend to work on Products.PasswordStrength so it works with Plone 4.3.3 (maybe it is already the case), is fully tested, has an easy UI, ... We wanted to work on this topic at the Plog2014 but as we did not find any other team interested in that, we preferred to work on other topics... But we need this work to be done, so we will come back to it shortly...

Thank you and have a nice day,

Gauthier

comment:19 Changed 23 months ago by djay

@gbastien. excellent. let me know if there is anything you need from me.

comment:20 Changed 21 months ago by gbastien

Hi @djay, @davisagli,

we finally had time to begin to work on this, we proposed a pull request on Products.PasswordStrength that makes it work with Plone 4.3 (tested with 4.3.2 and 4.3.3). Could you please review it and merge if it is ok so we can make a new release? https://github.com/collective/Products.PasswordStrength/pull/2

The next step should be more unittests (we added sufficient robot tests) and to propose a nice UI.

Thank you!

Gauthier
