[TYPO3-dev] Password expiry and blacklists

Kay Strobach typo3 at kay-strobach.de
Wed Feb 15 10:03:48 CET 2012


Hello Christian,

Thanks for taking care - I would like to test your result.

How this could be achieved:

1. React to user password changes with a hook:

	$TYPO3_CONF_VARS['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][]

In this hook you can change the processed values (contact me for
details, made something similar for fe_users).
Checking the new password is a bit harder, but there must be a hook for
server-side validation as well.

2. Check in the backend.php if the password has expired and show a form:

2.1 There are several suitable hooks, which can serve what you need:

	e.g.: $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']
		['typo3/backend.php']['constructPostProcess']

	The hook must then do an HTTP redirect to your password change
	form and stop the execution of the script.

2.2  Another approach would be to add an additional BE item and do the
	password change with ExtJS and AJAX (like the relogin window in
	TYPO3 4.5)

I would like to see 2.2, as this just stops the interaction for some
seconds, but lets the BE load the stores needed for further work.

Thanks
Kay


On 15.02.2012 08:02, Georg Ringer wrote:
> Hi Christian,
> 
> first of all thanks for your input!
> 
> On 15.02.2012 03:01, Christian Lerrahn (Cerebrum) wrote:
>> As TYPO3 is referred to as an Enterprise CMS, I really think it should
>> have a password expiry (particularly for the backend) and password
>> blacklists. This is a very common feature in corporate environments but
>> completely absent in TYPO3.
> 
> certainly true.
> 
>> I've written an extension before for a client and hacked the core for
>> that but it was all very messy so I decided against publishing it.
> 
> maybe you wanna still share it and post the diffs somewhere?
> 
>> Here is what I believe is necessary around password expiry and
>> blacklisting.
> 
> sounds all interesting and plausible.
> 
>> But, to come to my real point, I'm happy to implement all that. 
> 
> great!
> 
>> The
>> question I want to ask here is how to approach the problem. As I'm not
>> familiar with core development in general, I am worried that I might
>> approach this in a way as to never get my patches approved. 
> 
> IMO this should be started as an extension as it makes it far easier to
> test things, react better to bugs/features and at the end it can
> still be talked about having it as a sysextension shipped with the core.
> 
> As a member of the security team I would like to have all those features
> and would be happy to help you develop the extension!
> 
> Feel free to contact me in private
> Georg


-- 
http://www.kay-strobach.de - Open Source Rocks

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org

Answer was useful: https://flattr.com/profile/kaystrobach
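
Added example, not part of the original message or of any TYPO3 extension: a PHP class for the processDatamapClass hook named in step 1 that timestamps backend password changes, plus the expiry check that the step 2 hook would call before redirecting. The class name, the be_users column tx_pwexpiry_lastchange and the 90-day limit are assumptions.

```php
<?php
// Hypothetical names throughout: the class, the be_users column
// tx_pwexpiry_lastchange (it has to be added through the extension's
// ext_tables.sql) and the 90-day limit are assumptions for illustration.
//
// Registration in ext_localconf.php (step 1 of the message):
// $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']
//     ['processDatamapClass'][] = 'EXT:pwexpiry/class.tx_pwexpiry_hook.php:tx_pwexpiry_hook';

class tx_pwexpiry_hook {
    const MAX_AGE_DAYS = 90;

    // Called by TCEmain before the record is written. Stamps the time of
    // every backend password change so expiry can be computed later.
    public function processDatamap_postProcessFieldArray($status, $table, $id, array &$fieldArray, $pObj) {
        if ($table === 'be_users' && isset($fieldArray['password']) && $fieldArray['password'] !== '') {
            $fieldArray['tx_pwexpiry_lastchange'] = time();
        }
    }

    // Step 2: decide whether the logged-in user must change the password.
    // $userRow is the be_users row, e.g. $GLOBALS['BE_USER']->user.
    // A missing or zero timestamp counts as expired, so accounts that
    // predate the extension are forced through one password change.
    public static function isExpired(array $userRow, $now = NULL) {
        $now = ($now === NULL) ? time() : (int) $now;
        $last = isset($userRow['tx_pwexpiry_lastchange']) ? (int) $userRow['tx_pwexpiry_lastchange'] : 0;
        return $last <= 0 || ($now - $last) > self::MAX_AGE_DAYS * 86400;
    }
}

// Constructed sample data standing in for a TCEmain call and two user rows.
$hook = new tx_pwexpiry_hook();
$fields = array('password' => 'constructed-hash-value');
$hook->processDatamap_postProcessFieldArray('update', 'be_users', 1, $fields, NULL);
var_dump(tx_pwexpiry_hook::isExpired($fields));                               // row just stamped
var_dump(tx_pwexpiry_hook::isExpired(array('tx_pwexpiry_lastchange' => 0)));  // account without a stamp
```

The redirect or ExtJS dialog from 2.1 and 2.2 would be triggered where isExpired() returns TRUE; treating unstamped accounts as expired is a policy choice of this example.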