Comment 7 for bug 1979570

Jason Boyer (jboyer) wrote (last edit ):

Edit: It took me so long to write this up that I didn't see Llewellyn's reply above, so that's why it looks like I didn't read it. :)

I have more thoughts after giving this more time than a quick comment before I leave for the day. Still not a fan of the idea, but as others have pointed out, that's no help if you're perhaps forced to implement it by an external entity.

There are some changes that would likely be needed for this:

There should probably be a flag added to permission.grp_tree entries that controls whether or not this feature applies to a particular user profile even if an org has enabled it. One instance that springs to mind where this should not be enabled is service accounts for things like SIP, NCIP, etc. For instance, when using NCIP service accounts for inter-library loaning it's possible that these notices would be sent to remote staff users who aren't able to act on them, causing only a nuisance.
While this currently has no "teeth", a feature like this can only really be effective when users with "expired" passwords are no longer able to log in, and there needs to be a way to prevent that for some types of accounts.

Since you've added the IDL entry for the view on actor.passwd, I believe the a/t event generation can be handled with a passive event rather than active (similar to how checkout.due works for notices), which would make the hook changes in Actor.pm and the Validator.pm addition unnecessary.

I'm not sure if adding the open-ils.actor.get_password_age API call is the most direct way to go about this. There may be a way for the open-ils.auth.complete or .login methods to somehow include the time remaining before a password expires. In that case the UI need only check for this indicator and show a notice based on that rather than having to check the password age and compare against the OUS, etc. (Others more familiar with the inner workings of auth may also say that's not possible, in which case, bummer.)

Some minor things:

Most of the changes in opac templates should probably be moved into EGCatLoader.pm, a function called from it, misc_util.tt2, or an OUS, especially the config.tt2 changes.

For the sample notice it would be best to replace the password age in the message body with either the actual value pulled via helper or simply be a more generic message.

The coust entry should probably be in the 'sec' group and be named 'auth.password_expire_age' or something like that.

Thank you for including a live test.