require users update old passwords
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | Confirmed | Wishlist | Unassigned |
Bug Description
Evergreen 3.7.2
NC Cardinal is developing patches to increase the security of our staff accounts by enforcing new password policies. One of these new policies is for users to update their password every 90 days. Our current implementation doesn’t prohibit users from accessing their accounts, but it will bug them with alerts on their splash screen, alerts on the myopac main page, a message on the patron edit screen below the password field, and an email notice.
This reminder is configurable by a new org unit setting: 'global.
For display in the OPAC we’ve created a new config setting: ctx.password_
For the email notices, we’ve created a new hook, validator, and example event definition. The new hook, au.passwd_changed, fires off whenever a user’s password is updated. This can come from the staff client, myopac, or password reset form. The validator, PatronOldPassword, checks to see whether the user has updated their password in the interval between when the event is processed and the time it was created. Events will be marked as “invalid” if the user has already updated their password.
Under the hood, a user’s password create and edit dates are available through a new field mapped class: actor::
I'll post a link to our patch below.
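The hook and validator flow described above, modelled as an added example; it is not NC Cardinal's patch or Evergreen code. `ReminderEvent`, `on_password_changed`, `process_due_events` and the assumption that an event becomes due 90 days after the hook fires are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # the 90-day policy from the description

@dataclass
class ReminderEvent:
    """Hypothetical model of one queued au.passwd_changed event."""
    user_id: int
    created: datetime        # when the hook fired
    state: str = "pending"   # pending -> reminded | invalid

def on_password_changed(queue, last_changed, user_id, when):
    """Hook side: every password update records the date and queues an event."""
    last_changed[user_id] = when
    queue.append(ReminderEvent(user_id, when))

def process_due_events(queue, last_changed, now):
    """Validator side: return user ids to remind among events due at `now`.

    An event is invalid when the password was updated after the event was
    created; the update that created the event itself does not count.
    """
    remind = []
    for event in queue:
        if event.state != "pending" or event.created + MAX_AGE > now:
            continue  # already handled, or not yet due
        if last_changed[event.user_id] > event.created:
            event.state = "invalid"
        else:
            event.state = "reminded"
            remind.append(event.user_id)
    return remind

def demo():
    """Constructed timeline: user 1 never rotates, user 2 rotates on day 30."""
    t0 = datetime(2022, 1, 1, tzinfo=timezone.utc)
    queue, last_changed = [], {}
    for uid, day in [(1, 0), (2, 0), (2, 30)]:
        on_password_changed(queue, last_changed, uid, t0 + timedelta(days=day))
    day90 = process_due_events(queue, last_changed, t0 + timedelta(days=90))
    day120 = process_due_events(queue, last_changed, t0 + timedelta(days=120))
    return day90, day120, [e.state for e in queue]
```

In the constructed timeline, user 2's first event is invalidated by the day-30 update, and the event queued by that update produces the reminder on day 120.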
Changed in evergreen:
status: New → Confirmed
Changed in evergreen:
importance: Undecided → Wishlist
tags: added: patron; removed: wishlist
tags: added: authentication
link to patch on working repository: https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/lew/lp-1979570-detect-password-age