Task #2679
closed
Change minimum number of days for password validity check
100%
Description
Requirements: https://wiki.czechidm.com/priv/navrh/selektivni_minimalni_platnost_hesla
In the current version of CzechIdM, when the "minimum number of days for password validity" (condition) in the password policy is set, the password of the user can be changed only once in the given number of days. No exceptions.
I'd like to change this behavior to:
- if the user changes his/her own password, the condition is mandatory
- if the user changes the password of some other user (e.g. as an admin, help desk operator, manager...), the condition is never checked. Also, during the next password change of this user the condition is not checked either
- if the password change comes from the password filter, it always equals the #1 case - the condition is mandatory
- if the password has the "must change" flag set to true, the condition is never checked
This new behavior should be implicit - the admin will not be able to enable the original behavior.
The condition is often used to prevent users from making multiple password changes in a row to end up with the same password again. However, when the user needs a new password to be set by an admin and a change of the password is required, the condition prevents the user from doing it.
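The four cases requested above can be modeled as one decision function. This is an added example, not CzechIdM code: the class, field and method names are hypothetical, and the persisted `lastChangedByOther` marker, the precedence of the "must change" flag over the password-filter case, and the `>=` day boundary are assumptions.

```java
import java.time.LocalDate;
import java.time.temporal.ChronoUnit;

// Added illustration; class, field and method names are hypothetical, not CzechIdM's API.
public class MinPasswordAgeRule {

    static final class PasswordState {
        LocalDate lastChanged;       // date of the last password change, null if never set
        boolean mustChange;          // "must change" flag from the ticket
        boolean lastChangedByOther;  // assumption: persisted marker that someone else set it
    }

    // True when the minimum-age condition does not block this change.
    static boolean minAgeAllowsChange(PasswordState pw, String actor, String owner,
            boolean viaPasswordFilter, int minAgeDays, LocalDate today) {
        // A change arriving through the password filter is treated as case #1 (self change).
        boolean selfChange = viaPasswordFilter || actor.equals(owner);
        if (!selfChange) return true;            // changing another user's password: never checked
        if (pw.mustChange) return true;          // must-change flag: never checked
        if (pw.lastChangedByOther) return true;  // next change after a reset by someone else
        if (pw.lastChanged == null) return true; // nothing to measure the age against
        // Assumption: a change is allowed once minAgeDays full days have passed.
        return ChronoUnit.DAYS.between(pw.lastChanged, today) >= minAgeDays;
    }

    // Records a successful change so that the next evaluation sees who made it.
    static void recordChange(PasswordState pw, String actor, String owner,
            boolean viaPasswordFilter, LocalDate today) {
        pw.lastChanged = today;
        pw.lastChangedByOther = !(viaPasswordFilter || actor.equals(owner));
    }

    public static void main(String[] args) {
        LocalDate day = LocalDate.of(2021, 3, 1); // constructed sample date
        int minDays = 5;                          // constructed policy value
        PasswordState pw = new PasswordState();
        recordChange(pw, "jdoe", "jdoe", false, day);
        System.out.println("self, 1 day later:        "
                + minAgeAllowsChange(pw, "jdoe", "jdoe", false, minDays, day.plusDays(1)));
        System.out.println("help desk reset:          "
                + minAgeAllowsChange(pw, "helpdesk", "jdoe", false, minDays, day.plusDays(1)));
        recordChange(pw, "helpdesk", "jdoe", false, day.plusDays(1));
        System.out.println("self, right after reset:  "
                + minAgeAllowsChange(pw, "jdoe", "jdoe", false, minDays, day.plusDays(1)));
        recordChange(pw, "jdoe", "jdoe", false, day.plusDays(1));
        System.out.println("password filter, 2 days:  "
                + minAgeAllowsChange(pw, "svc", "jdoe", true, minDays, day.plusDays(3)));
    }
}
```

The file runs as a single-source program with `java MinPasswordAgeRule.java` on Java 11 or later.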
Related issues
Updated by Radek Tomiška almost 4 years ago
- Status changed from New to In Progress
Updated by Radek Tomiška almost 4 years ago
- Related to Feature #2325: REST endpoint and behavior for password filter added
Updated by Radek Tomiška almost 4 years ago
- Related to Task #2714: Password policy: Implement BE bulk action for delete password policy added
Updated by Radek Tomiška almost 4 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Ondrej Husník
- % Done changed from 0 to 90
Feature is implemented.
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/b347b30bd537e29117188f08ca02b634b0d2287f
+ DefaultIdmPasswordPolicyService refactored in related #2714
https://github.com/bcvsolutions/CzechIdMng/commit/31ece63a5b221b80b3e13c16ab6a7e4740cc0a5b#diff-ce452102e50e0f5c21a52571395302af13a006dda4cd9a76ee77e632c68261abR356
Could you provide me with feedback, please?
Note: Sorry for the bigger refactoring, but I hope the password policy agenda is in better shape now :)
Updated by Ondrej Husník over 3 years ago
- Related to Task #2738: Prove that password filter reacts properly to PASSWORD_CANNOT_CHANGE result code added
Updated by Ondrej Husník over 3 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Ondrej Husník to Radek Tomiška
- % Done changed from 90 to 100
I tested this feature and tried described scenarios. All of them seem to be working properly. I simulated password changes, invoked normally by pressing CTRL+ALT+DEL in Win, by querying password filter endpoints from SoapUI. This route also worked.
I dared to improve the localization a little bit.
https://github.com/bcvsolutions/CzechIdMng/commit/2f4579ca117b7ce3b725972393ba3cd2b4353097
Splitting the new feature and the code refactoring into two separate commits would be appreciated next time. Except for this, it looks good. Good job.
Updated by Radek Tomiška over 3 years ago
- Status changed from Resolved to Closed
Updated by Vladimír Kotýnek over 3 years ago
- Related to Task #2858: Check Minimum number of days when changing password via password filter using superAdmin added