How to set password restrictions

[sworden]

I've assigned a password to each of the users of our database, but they also have the ability to change their password to something they can remember more easily. Is there a way to set restrictions for passwords (minimum length being the big one)? Do I need to set it here the actions.ini file:

Code: Select all

[change_password]
   condition="(df_is_logged_in())"
   url="{$app->url('-action=change_password')}"
   label="Change Password"
   category=personal_tools


or do I set it in the "password" field?

[shannah]

Set it in the password field. You can create a custom passwordfield__validate() method in the table's delegate class. Just remember to allow empty passwords because an empty password is just what happens when someone saves the record without changing the password.

-Steve

[sworden]

OK, I tried this in my users.php file in the "users" table folder. "PASSWORD" is the fieldname:

Code: Select all

function PASSWORD__validate(&$record, $value, &$params){
      if (strlen($value < 10)){
         $params['message'] = 'Sorry your password must contain at least 10 characters';
         return false;}
      else if (strlen($value = NULL)){
         return true;
      }
      return true;
   }


but when I change the password I am allowed to set the password to less than 10 characters still. I tried putting the null check in first and <10 check second, but that didn't work, and I tried removing the last "return true;" in case it was causing the problem, but nothing has worked. I know I'm close, but something's not quite right. Any ideas?

[shannah]

Hmm.. Are you using the change password action, or editing the password on the user record edit form. It is possible that you may need to use the beforeSave() trigger instead of validate.

[sworden]

I'm using the change password action. Is my code not written correctly?

[sworden]

I did a little looking around and thought I might have found the problem (a parenthesis in the wrong place) and moved the parenthesis that was after 10 to right after $value (now showing the change below), but it made no difference.

Code: Select all

   //Set minimum password length
    function PASSWORD__validate(&$record, $value, &$params){
      if (strlen($value) < 10){
         $params['message'] = 'Sorry your password must contain at least 10 characters';
         return false;
      }
      elseif (strlen($value = NULL)){
         return true;
      }
     else {
     return true;
      }
   }


I tried also to move the parenthesis after NULL to after $value (even though I should have already gotten a false value and not gotten that far in the code), but got this error message:

[02-Apr-2012 13:10:27] PHP Fatal error: Can't use function return value in write context in /home/povpc11/public_html/cpm/tables/users/users.php on line 16

What am I missing? I believe I have two errors. The first in the if statement, the second in the elseif statement.

[sworden]

Any ideas? I'm stuck.

[shannah]

Try putting the password restriction in the beforeSave trigger instead of the xxx_validate() method.
This is a bug that will need to be addressed (that change password doesn't use validation), but for now a workaround is to use beforeSave()

There is an example at http://xataface.com/documentation/tutor ... d/triggers
(Handling Errors)

_Steve

[sworden]

OK, I tried this. PASSWORD is the name of the field:

Code: Select all

   function beforeSave($record){
     if (strlen($value['PASSWORD']) < 10){
       echo 'Sorry your password must contain at least 10 characters';
                 return false;
      }
         elseif (empty($value)){
                 return true;
      }
     else {
           return true;
      }
   }


I'm getting this error "SyntaxError: missing ; before statement", but it saves anyway. Am I any closer?

[sworden]

I altered my code a bit to simplify it because I discovered that if I leave the New Password fields empty on the Change Password form I'm given the message "You cannot enter a blank password.", so " elseif (empty($value)){ return true;" seemed redundant.

Code: Select all

function beforeSave($record) {
     if (strlen($value['PASSWORD']) < 10){
       echo 'Sorry your password must contain at least 10 characters';
         return FALSE;
      }
     else {
     return TRUE;
      }
   }


I looked through the Xataface folders trying to figure out where the files are that control changing the password in case there was a conflict somewhere. In the change_password.html I found:

Code: Select all

<form action="{$ENV.DATAFACE_SITE_HREF}" method="post">


but couldn't figure out where to look further.

Is there existing Xataface code that is overriding my code, or is something still wrong with my code so that it's not working?

Also, I'm still getting the "SyntaxError: missing ; before statement" message and I'm not sure where it's missing. My set-up looks like the examples here: http://www.xataface.com/wiki/beforeSave. But, either way the password is still changed in the "users" table even if I don't get the "Password Successfully changed" message.

[shannah]

The beforeSave() trigger shouldn't output anything (i.e. no echo statements). It can return a PEAR_Error object if an error occurs.
The reason for this is that this trigger is called before any record is saved. A single HTTP request may include multiple (or even hundreds) such save operations so it doesn't make sense to echo output during each save operation.

See the "Handling Errors" section of this page:
http://xataface.com/documentation/tutor ... d/triggers

[bkeefe]

Here is my complete set of password restrictions, where "password" is the name of the field where the password is kept for the users table:

Code: Select all

function beforeSave($record){
$password = $record->strval('password');
$loweralpha_pass = 'abcdefghijklmnopqrstuvwxyz';
$upperalpha_pass = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$number_pass = '1234567890';
$symbol_pass = '@%+\\/&\'!#$^?:.(){}[]~-_`';
     if (strlen($password) < 8){
       return PEAR::raiseError(
                        "Your password contains less than 8 characters.  Please enter a password that is at least 8 characters long.",
                        DATAFACE_E_NOTICE);
      }
   elseif (strpbrk($password, $loweralpha_pass) == FALSE) {
       return PEAR::raiseError(
                        "Your password does not contain any lower case letters ($loweralpha_pass).  Please enter a password that uses at least one character of this type.",
                        DATAFACE_E_NOTICE);
   }
   elseif (strpbrk($password, $upperalpha_pass) == FALSE) {
       return PEAR::raiseError(
                        "Your password does not contain any upper case letters (e.g. A, B, C...).  Please enter a password that uses at least one character of this type.",
                        DATAFACE_E_NOTICE);
}
elseif (strpbrk($password, $number_pass) == FALSE) {
       return PEAR::raiseError(
                        "Your password does not contain any numbers (e.g. 1, 2, 3…).  Please enter a password that uses at least one number.",
                        DATAFACE_E_NOTICE);
   }
elseif (strpbrk($password, $symbol_pass) == FALSE) {
       return PEAR::raiseError(
                        "Your password does not contain any of these symbols: $symbol_pass Please enter a password that uses at least one symbol.",
                        DATAFACE_E_NOTICE);
   }
   elseif (empty($password)){
                 return true;
      }
     else {
           return true;
      }


The only problem I have encountered so far, is getting 0 to count as a number. The zero does not appear to be read as a zero in the string $number_pass. Actually, on further testing it only doesn't work at the end of a password. Is this an Xataface, php or MySQL issue? Any suggestions?