View Issue Details

This bug affects 1 person(s).
ID: 14636
Project: Feature requests
Category: Security
View Status: public
Last Update: 2024-11-19 18:15
Reporter: DenisChenu
Assigned To: c_schmitz
Priority: none
Severity: feature
Status: closed
Resolution: fixed
Summary: 14636: Admin password restriction
Description

It would be great to have an admin password restriction (or a plugin event for this; if it's already there: OK, I'll do the core plugin).

Additional Information

Defaults taken from config.php.
Restricted superadmins have a screen to update them.

Taken from Nextcloud:

  • Minimum size
  • Prohibit current passwords
  • Imposing uppercase and lowercase characters
  • Imposing numbers
  • Imposing special characters
  • Check the password against the list of violated passwords on haveibeenpwned.com (maybe not this one).

config-default.php can set the min size to 8 for a start.

Tags: No tags attached.

Relationships

has duplicate: 14736 (closed), DenisChenu, Bug reports: Missing password policy


Activities

DenisChenu (developer), 2019-04-04 07:58, note ~51334

OK in 4.0? Or did you already have a plugin for this?

Mazi (updater), 2019-04-05 08:54, note ~51359

DenisChenu, are you thinking of e.g. a new global setting at which superadmins can define the minimum password requirements by using the list you added above? That would be pretty useful.
I guess there are proper regex for checking the password requirements outlined above?

DenisChenu (developer), 2019-04-05 08:57, note ~51362 (last edited 2019-04-05 08:58)

Yes, in the admin GUI.
Maybe as a core plugin activated by default ;)

I can do it for 4.0, I just wait …

blocka (reporter), 2019-04-12 22:06, note ~51462

I have code to enforce minimum password strength for Version 3.17.0+190402; see: https://bugs.limesurvey.org/view.php?id=9599
I will share the code and update the above issue report by Monday next week.

blocka (reporter), 2019-04-13 05:11, note ~51463

I have made modifications to the LS 3.x core to enforce password strength when an admin is editing a user account, or when a user edits their own password settings.

My solution doesn't use the gettranslation feature as I only required my solution to be in English. If this ends up in core, of course, texts should be translated.

The changes were made against build Version 3.17.0+190402, and involved the files:

\application\controllers\admin\useraction.php
\application\models\User.php
\application\views\admin\user\modifyuser.php
\application\views\admin\user\personalsettings.php

Password criteria can be specified via config.php, using this format (min and max refer to the required length of the password, upper refers to uppercase characters, numeric is obvious, as is symbol):

```php
<?php
return array(
    // ... other settings (e.g. 'components') unchanged ...
    'config' => array(
        // Update default LimeSurvey config here
    ),
    'params' => array(
        'passwordValidator' => array(
            'min'     => 10, // minimum length
            'max'     => 22, // maximum length
            'upper'   => 3,  // required uppercase characters
            'numeric' => 1,  // required digits
            'symbol'  => 2,  // required special characters
        ),
    ),
);
/* End of file config.php */
```

Attached: application.zip (20,280 bytes)
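The validator below is an added example, not code from LimeSurvey or from blocka's patch. It implements the criteria listed in the description (minimum/maximum length, uppercase, digit and special-character counts) driven by a policy array with the same keys as the `passwordValidator` fragment above, and adds an offline check against a Have I Been Pwned range response using the k-anonymity scheme (only the first five hex characters of the SHA-1 go to the API; the response lists 35-character suffixes). The function names `validatePasswordPolicy` and `hibpBreachCount`, the default values, and the sample range response are all assumptions made for this example; the network fetch of the range is left to the caller.

```php
<?php
// Added example, not LimeSurvey code. Function names, defaults and the
// sample data below are assumptions for illustration only.
declare(strict_types=1);

/**
 * Validate $password against a policy array with the keys used in the
 * config fragment above: min, max (length), upper, numeric, symbol
 * (minimum counts). Returns a list of violations; an empty list means OK.
 */
function validatePasswordPolicy(string $password, array $policy): array
{
    $defaults = ['min' => 8, 'max' => 128, 'upper' => 0, 'numeric' => 0, 'symbol' => 0];
    $policy = array_merge($defaults, $policy);
    $errors = [];

    // Count characters, not bytes, so multibyte passwords are not penalised.
    $length = mb_strlen($password);
    if ($length < $policy['min']) {
        $errors[] = sprintf('at least %d characters required', $policy['min']);
    }
    if ($length > $policy['max']) {
        $errors[] = sprintf('at most %d characters allowed', $policy['max']);
    }

    // Unicode-aware classes: uppercase letters, numbers, and anything that is
    // neither a letter, a number nor whitespace counts as a symbol.
    $counts = [
        'upper'   => (int) preg_match_all('/\p{Lu}/u', $password),
        'numeric' => (int) preg_match_all('/\p{N}/u', $password),
        'symbol'  => (int) preg_match_all('/[^\p{L}\p{N}\s]/u', $password),
    ];
    $labels = ['upper' => 'uppercase letter(s)', 'numeric' => 'digit(s)', 'symbol' => 'special character(s)'];
    foreach ($counts as $key => $count) {
        if ($count < $policy[$key]) {
            $errors[] = sprintf('at least %d %s required', $policy[$key], $labels[$key]);
        }
    }
    return $errors;
}

/**
 * Look up $password in a Have I Been Pwned "range" response (k-anonymity):
 * the caller fetches /range/<first 5 hex chars of SHA-1> and passes the body
 * here, so the full hash never leaves the server. Each line of the body is
 * "<35-char suffix>:<count>". Returns the breach count, 0 if not listed.
 */
function hibpBreachCount(string $password, string $rangeResponse): int
{
    $sha1   = strtoupper(sha1($password));
    $suffix = substr($sha1, 5);
    foreach (preg_split('/\R/', trim($rangeResponse)) as $line) {
        [$candidate, $count] = array_pad(explode(':', trim($line), 2), 2, '0');
        if (strtoupper($candidate) === $suffix) {
            return (int) $count;
        }
    }
    return 0;
}

// Policy matching the values in the config fragment above.
$policy = ['min' => 10, 'max' => 22, 'upper' => 3, 'numeric' => 1, 'symbol' => 2];

foreach (['correct horse', 'Tr0ub4dor&3!ABC', 'ABC-def-123!'] as $candidate) {
    $errors = validatePasswordPolicy($candidate, $policy);
    printf("%-20s %s\n", $candidate, $errors ? implode('; ', $errors) : 'OK');
}

// Constructed range response for prefix 5BAA6 (SHA-1 of "password" is
// 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); counts and the other suffixes
// are made up for this example.
$rangeResponse = "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    . "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\n"
    . "2D6980B9098804E7A83DC5831BFBAF3927F:0\n";
printf("breach count for 'password': %d\n", hibpBreachCount('password', $rangeResponse));
printf("breach count for 'Tr0ub4dor&3!ABC': %d\n", hibpBreachCount('Tr0ub4dor&3!ABC', $rangeResponse));
```

With the sample policy, `correct horse` fails on uppercase, digit and symbol counts, while the other two candidates pass; the lookup returns 123456 for `password` and 0 for the second candidate because its SHA-1 does not start with 5BAA6 and so cannot appear in that range. Real range responses may include padded entries with a count of 0, which the loop treats as not breached.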

ollehar (administrator), 2019-04-15 18:02, note ~51472

Can you make a PR on github, please?

blocka (reporter), 2019-04-15 20:05, note ~51473

PR created:
https://github.com/LimeSurvey/LimeSurvey/pull/1264

Mazi (updater), 2020-08-24 13:09, note ~59588

@DenisChenu, @cdorin, the feature for defining the PW strength was added to LS4, see https://github.com/LimeSurvey/LimeSurvey/blob/master/application/config/config-defaults.php#L795 and https://github.com/LimeSurvey/LimeSurvey/commit/b8d7499e05977abffe8811b88588c56f8c74b46c but documentation is missing.

Please make sure that this gets documented at the Limesurvey manual. Otherwise most users will not be aware that this actually exists. A feature not documented is a feature not used.
If needed I can take care of the German translation afterwards. Just post the link here.

DenisChenu (developer), 2020-08-26 15:38, note ~59638

I'm not the dev … so I don't update the manual …

Mazi (updater), 2020-08-26 15:50, note ~59639

So who actually implemented this?

ollehar (administrator), 2023-02-03 17:26, note ~73658

This is implemented, I believe.

Issue History

Date Modified Username Field Change
2019-03-12 15:22 DenisChenu New Issue
2019-04-04 07:57 DenisChenu Relationship added has duplicate 14736
2019-04-04 07:58 DenisChenu Assigned To => c_schmitz
2019-04-04 07:58 DenisChenu Status new => feedback
2019-04-04 07:58 DenisChenu Note Added: 51334
2019-04-05 08:54 Mazi Note Added: 51359
2019-04-05 08:57 DenisChenu Note Added: 51362
2019-04-05 08:57 DenisChenu Status feedback => assigned
2019-04-05 08:58 DenisChenu Note Edited: 51362
2019-04-12 22:06 blocka Note Added: 51462
2019-04-13 05:11 blocka File Added: application.zip
2019-04-13 05:11 blocka Note Added: 51463
2019-04-15 18:02 ollehar Note Added: 51472
2019-04-15 20:05 blocka Note Added: 51473
2020-08-24 13:09 Mazi Note Added: 59588
2020-08-26 15:38 DenisChenu Note Added: 59638
2020-08-26 15:50 Mazi Note Added: 59639
2023-02-03 17:26 ollehar Status assigned => resolved
2023-02-03 17:26 ollehar Resolution open => fixed
2023-02-03 17:26 ollehar Note Added: 73658
2024-11-19 18:15 c_schmitz Status resolved => closed