How to set password restrictions


Postby sworden » Thu Mar 29, 2012 9:21 am

I've assigned a password to each of the users of our database, but they also have the ability to change their password to something they can remember more easily. Is there a way to set restrictions for passwords (minimum length being the big one)? Do I need to set it here in the actions.ini file:
Code: Select all
[change_password]
   condition="(df_is_logged_in())"
   url="{$app->url('-action=change_password')}"
   label="Change Password"
   category=personal_tools


or do I set it in the "password" field?
sworden
 
Posts: 44
Joined: Thu Feb 16, 2012 9:05 am

Re: How to set password restrictions

Postby shannah » Thu Mar 29, 2012 9:38 am

Set it in the password field. You can create a custom passwordfield__validate() method in the table's delegate class. Just remember to allow empty passwords because an empty password is just what happens when someone saves the record without changing the password.

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: How to set password restrictions

Postby sworden » Thu Mar 29, 2012 10:22 am

OK, I tried this in my users.php file in the "users" table folder. "PASSWORD" is the fieldname:
Code: Select all
function PASSWORD__validate(&$record, $value, &$params){
      if (strlen($value < 10)){
         $params['message'] = 'Sorry your password must contain at least 10 characters';
         return false;}
      else if (strlen($value = NULL)){
         return true;
      }
      return true;
   }

but when I change the password I am allowed to set the password to less than 10 characters still. I tried putting the null check in first and <10 check second, but that didn't work, and I tried removing the last "return true;" in case it was causing the problem, but nothing has worked. I know I'm close, but something's not quite right. Any ideas?
sworden
 
Posts: 44
Joined: Thu Feb 16, 2012 9:05 am

Re: How to set password restrictions

Postby shannah » Thu Mar 29, 2012 10:28 am

Hmm.. Are you using the change password action, or editing the password on the user record edit form? It is possible that you may need to use the beforeSave() trigger instead of validate.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: How to set password restrictions

Postby sworden » Mon Apr 02, 2012 10:38 am

I'm using the change password action. Is my code not written correctly?
sworden
 
Posts: 44
Joined: Thu Feb 16, 2012 9:05 am

Re: How to set password restrictions

Postby sworden » Mon Apr 02, 2012 1:15 pm

I did a little looking around and thought I might have found the problem (a parenthesis in the wrong place) and moved the parenthesis that was after 10 to right after $value (now showing the change below), but it made no difference.
Code: Select all
   //Set minimum password length
    function PASSWORD__validate(&$record, $value, &$params){
      if (strlen($value) < 10){
         $params['message'] = 'Sorry your password must contain at least 10 characters';
         return false;
      }
      elseif (strlen($value = NULL)){
         return true;
      }
     else {
     return true;
      }
   }

I tried also to move the parenthesis after NULL to after $value (even though I should have already gotten a false value and not gotten that far in the code), but got this error message:

[02-Apr-2012 13:10:27] PHP Fatal error: Can't use function return value in write context in /home/povpc11/public_html/cpm/tables/users/users.php on line 16

What am I missing? I believe I have two errors. The first in the if statement, the second in the elseif statement.
sworden
 
Posts: 44
Joined: Thu Feb 16, 2012 9:05 am

Re: How to set password restrictions

Postby sworden » Thu Apr 05, 2012 10:19 am

Any ideas? I'm stuck.
sworden
 
Posts: 44
Joined: Thu Feb 16, 2012 9:05 am

Re: How to set password restrictions

Postby shannah » Thu Apr 05, 2012 12:22 pm

Try putting the password restriction in the beforeSave trigger instead of the xxx_validate() method.
This is a bug that will need to be addressed (that change password doesn't use validation), but for now a workaround is to use beforeSave()

There is an example at http://xataface.com/documentation/tutor ... d/triggers
(Handling Errors)

_Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: How to set password restrictions

Postby sworden » Thu Apr 05, 2012 1:13 pm

OK, I tried this. PASSWORD is the name of the field:
Code: Select all
   function beforeSave($record){
     if (strlen($value['PASSWORD']) < 10){
       echo 'Sorry your password must contain at least 10 characters';
                 return false;
      }
         elseif (empty($value)){
                 return true;
      }
     else {
           return true;
      }
   }

I'm getting this error "SyntaxError: missing ; before statement", but it saves anyway. Am I any closer?
sworden
 
Posts: 44
Joined: Thu Feb 16, 2012 9:05 am

Re: How to set password restrictions

Postby sworden » Thu Apr 19, 2012 10:06 am

I altered my code a bit to simplify it because I discovered that if I leave the New Password fields empty on the Change Password form I'm given the message "You cannot enter a blank password.", so " elseif (empty($value)){ return true;" seemed redundant.
Code: Select all
function beforeSave($record) {
     if (strlen($value['PASSWORD']) < 10){
       echo 'Sorry your password must contain at least 10 characters';
         return FALSE;
      }
     else {
     return TRUE;
      }
   }

I looked through the Xataface folders trying to figure out where the files are that control changing the password in case there was a conflict somewhere. In the change_password.html I found:
Code: Select all
<form action="{$ENV.DATAFACE_SITE_HREF}" method="post">

but couldn't figure out where to look further.

Is there existing Xataface code that is overriding my code, or is something still wrong with my code so that it's not working?

Also, I'm still getting the "SyntaxError: missing ; before statement" message and I'm not sure where it's missing. My set-up looks like the examples here: http://www.xataface.com/wiki/beforeSave. But, either way the password is still changed in the "users" table even if I don't get the "Password Successfully changed" message.
sworden
 
Posts: 44
Joined: Thu Feb 16, 2012 9:05 am

Re: How to set password restrictions

Postby shannah » Sat Apr 28, 2012 9:46 pm

The beforeSave() trigger shouldn't output anything (i.e. no echo statements). It can return a PEAR_Error object if an error occurs.
The reason for this is that this trigger is called before any record is saved. A single HTTP request may include multiple (or even hundreds) such save operations so it doesn't make sense to echo output during each save operation.

See the "Handling Errors" section of this page:
http://xataface.com/documentation/tutor ... d/triggers
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: How to set password restrictions

Postby bkeefe » Thu Sep 13, 2012 12:05 am

Here is my complete set of password restrictions, where "password" is the name of the field where the password is kept for the users table:
Code: Select all
function beforeSave($record){
   $password = $record->strval('password');
   $loweralpha_pass = 'abcdefghijklmnopqrstuvwxyz';
   $upperalpha_pass = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
   $number_pass = '1234567890';
   $symbol_pass = '@%+\\/&\'!#$^?:.(){}[]~-_`';
   if (strlen($password) < 8){
      return PEAR::raiseError(
         "Your password contains less than 8 characters.  Please enter a password that is at least 8 characters long.",
         DATAFACE_E_NOTICE);
   }
   elseif (strpbrk($password, $loweralpha_pass) == FALSE) {
      return PEAR::raiseError(
         "Your password does not contain any lower case letters ($loweralpha_pass).  Please enter a password that uses at least one character of this type.",
         DATAFACE_E_NOTICE);
   }
   elseif (strpbrk($password, $upperalpha_pass) == FALSE) {
      return PEAR::raiseError(
         "Your password does not contain any upper case letters (e.g. A, B, C...).  Please enter a password that uses at least one character of this type.",
         DATAFACE_E_NOTICE);
   }
   elseif (strpbrk($password, $number_pass) == FALSE) {
      return PEAR::raiseError(
         "Your password does not contain any numbers (e.g. 1, 2, 3…).  Please enter a password that uses at least one number.",
         DATAFACE_E_NOTICE);
   }
   elseif (strpbrk($password, $symbol_pass) == FALSE) {
      return PEAR::raiseError(
         "Your password does not contain any of these symbols: $symbol_pass Please enter a password that uses at least one symbol.",
         DATAFACE_E_NOTICE);
   }
   elseif (empty($password)){
      return true;
   }
   else {
      return true;
   }
}


The only problem I have encountered so far is getting 0 to count as a number. The zero does not appear to be read as a zero in the string $number_pass. Actually, on further testing it only doesn't work at the end of a password. Is this an Xataface, PHP or MySQL issue? Any suggestions?
Last edited by bkeefe on Thu Sep 13, 2012 7:48 pm, edited 1 time in total.
bkeefe
 
Posts: 3
Joined: Wed Sep 12, 2012 11:57 pm
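
Added example (not part of the thread and not Xataface's own code): the trailing-zero behaviour in the last post comes from PHP's loose comparison, because strpbrk() returns the remainder of the string from the first match, and the string "0" compares equal to FALSE under ==. The sketch below uses === false, checks for the empty "password unchanged" case first, and returns a PEAR_Error from beforeSave() instead of echoing. The function name password_policy_error, the delegate class name tables_users, and the sample passwords are assumptions for illustration; it also assumes, as in the post above, that $record->strval('password') yields the submitted password.

```php
<?php
// Added example: names below are illustrative, not from the thread.

// Returns null when the password is acceptable, otherwise an error message.
function password_policy_error(string $password, int $minLength = 8): ?string
{
    // An empty value means the record was saved without changing the password.
    if ($password === '') {
        return null;
    }
    if (strlen($password) < $minLength) {
        return "Password must be at least $minLength characters long.";
    }
    $classes = [
        'a lower case letter'  => 'abcdefghijklmnopqrstuvwxyz',
        'an upper case letter' => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        'a number'             => '1234567890',
        'a symbol'             => '@%+\\/&\'!#$^?:.(){}[]~-_`',
    ];
    foreach ($classes as $label => $chars) {
        // strpbrk() returns the rest of the string from the first match, so a
        // password whose only digit is a trailing 0 yields "0". "0" == false is
        // true in PHP; only the strict === false means "no character matched".
        if (strpbrk($password, $chars) === false) {
            return "Password must contain $label.";
        }
    }
    return null;
}

// Delegate wiring, assuming a table named "users" with a "password" field.
class tables_users
{
    function beforeSave($record)
    {
        $error = password_policy_error($record->strval('password'));
        if ($error !== null) {
            return PEAR::raiseError($error, DATAFACE_E_NOTICE); // no echo here
        }
    }
}

// Constructed sample inputs comparing the loose check with the strict policy.
foreach (['', 'Short1!', 'Passw@rd0', 'password12!', 'Passw@rdX'] as $candidate) {
    $loose = strpbrk($candidate, '1234567890') == false ? 'no digit' : 'digit';
    printf("%-14s loose digit check: %-8s policy: %s\n",
        var_export($candidate, true), $loose, password_policy_error($candidate) ?? 'OK');
}
```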

