]> git.koha-community.org Git - koha.git/commit
Bug 18298: Enforce password complexity
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Tue, 14 Mar 2017 23:01:27 +0000 (20:01 -0300)
committerJonathan Druart <jonathan.druart@bugs.koha-community.org>
Mon, 16 Oct 2017 12:44:32 +0000 (09:44 -0300)
commit558a809144560198c7febac4998f49c56c45c844
tree71c7254277eec84e916e3a59dc337a86585256cf
parenta93fef4c71d405fb7548e7d2601320ed0512d27c
Bug 18298: Enforce password complexity

This patchset prevents users to enter too leak password, controlled by
a new syspref RequireStrongPassword. If set the staff and patrons will have
to enter a strong password.
The strongness cannot be modified, it has been arbitrarily set (by the
author of this enhancement) to at least 1 lowercase, 1 uppercase and 1
digit. This can be inforce by increasing the value of the existing
minPasswordLength pref.

I decided to turn this feature on, it cannot hurt! For existing installs
it will have to be turned on manually.

Writing these patches I found a lot of inconsistencies all around the
password checks and decided to refactor everything to make things
consistent and more robust.
Now the password validity is check at only one place (subroutine
covered by tests).

Test plan:
We have several places where a password can be change/created:
a. Editing a patron (members/memberentry.pl)
b. Changing the password of a patron (members/member-password.pl)
c. Changing your own password at the opac (opac/opac-passwd.pl).
OpacPasswordChange needs to be set
d. Reseting your own password at the opac
(opac/opac-password-recovery.pl). OpacResetPassword needs to be set,
see "Forgot your password?" link when you are not logged in
e. Self registration feature, PatronSelfRegistration needs to be set.

You will also need to add 'password' to PatronSelfRegistrationBorrowerMandatoryField.

Note that '****' is considered by Koha internally that the password is
not changed (existing behavior).

To fully test this patch you will need to test the different
combinations of RequireStrongPassword and minPasswordLength.

Signed-off-by: Marc VĂ©ron <veron@veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
installer/data/mysql/atomicupdate/bug_13664.sql [new file with mode: 0644]
installer/data/mysql/sysprefs.sql
koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/patrons.pref