Posted to dev@allura.apache.org by Kenton Taylor <kt...@slashdotmedia.com> on 2019/04/04 14:43:52 UTC
[allura:tickets] #8274 Add optional HaveIBeenPwned checks for password c
hanges
---
** [tickets:#8274] Add optional HaveIBeenPwned checks for password c hanges**
**Status:** in-progress
**Milestone:** unreleased
**Created:** Thu Apr 04, 2019 02:43 PM UTC by Kenton Taylor
**Last Updated:** Thu Apr 04, 2019 02:43 PM UTC
**Owner:** Kenton Taylor
---
Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/
To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.
[allura:tickets] #8274 Add optional HaveIBeenPwned checks for password
changes
Posted by Kenton Taylor <kt...@slashdotmedia.com>.
- **status**: in-progress --> review
- **Comment**:
All set in new fixup.
---
** [tickets:#8274] Add optional HaveIBeenPwned checks for password changes**
**Status:** review
**Milestone:** unreleased
**Created:** Thu Apr 04, 2019 02:43 PM UTC by Kenton Taylor
**Last Updated:** Tue Apr 09, 2019 07:56 PM UTC
**Owner:** Kenton Taylor
---
[allura:tickets] #8274 Add optional HaveIBeenPwned checks for password
changes
Posted by Dave Brondsema <da...@brondsema.net>.
- **status**: review --> in-progress
- **Comment**:
* Some `allura.tests.functional.test_auth` tests are failing, I believe because `hibp_password_check` is set to true, and test.ini also inherits from development.ini. Perhaps best to set it to false by default? Or could set it to false in test.ini.
* For consistency, can you rename the config to `auth.hibp_password_check` and put it with the rest of the `auth.*` settings related to accounts & security?
---
** [tickets:#8274] Add optional HaveIBeenPwned checks for password changes**
**Status:** in-progress
**Milestone:** unreleased
**Created:** Thu Apr 04, 2019 02:43 PM UTC by Kenton Taylor
**Last Updated:** Mon Apr 08, 2019 03:47 PM UTC
**Owner:** Kenton Taylor
---
[allura:tickets] #8274 Add optional HaveIBeenPwned checks for password
changes
Posted by Dave Brondsema <da...@brondsema.net>.
- **status**: review --> closed
---
** [tickets:#8274] Add optional HaveIBeenPwned checks for password changes**
**Status:** closed
**Milestone:** unreleased
**Created:** Thu Apr 04, 2019 02:43 PM UTC by Kenton Taylor
**Last Updated:** Tue Apr 09, 2019 09:07 PM UTC
**Owner:** Kenton Taylor
---
[allura:tickets] #8274 Add optional HaveIBeenPwned checks for password
changes
Posted by Kenton Taylor <kt...@slashdotmedia.com>.
- **status**: in-progress --> review
- **Comment**:
kt/8274
---
** [tickets:#8274] Add optional HaveIBeenPwned checks for password changes**
**Status:** review
**Milestone:** unreleased
**Created:** Thu Apr 04, 2019 02:43 PM UTC by Kenton Taylor
**Last Updated:** Thu Apr 04, 2019 02:44 PM UTC
**Owner:** Kenton Taylor
---
[allura:tickets] #8274 Add optional HaveIBeenPwned checks for password
changes
Posted by Dave Brondsema <da...@brondsema.net>.
- **status**: review --> open
- **Reviewer**: Dave Brondsema
- **Comment**:
How about doing the check in `PasswordChangeBase.to_python` which is shared between all the forms' usage? If we're lucky the existing error handling will just work too, and can clean up the url repetition for `failure_redirect_url`. And if you're able to undo the changes to controllers, that'll avoid conflicts with my TurboGears changes which tweaked controllers calling `to_python`.
Careful adding `__future__` to existing files, it may change behavior. Seems to be ok here though.
`User-Agent` should probably use `config['site_name']`
`hibp_password_check` config should go in development.ini rather than docker-dev, and add an explanation for it.
me: test pwd expired and change forms' validation
---
** [tickets:#8274] Add optional HaveIBeenPwned checks for password changes**
**Status:** open
**Milestone:** unreleased
**Created:** Thu Apr 04, 2019 02:43 PM UTC by Kenton Taylor
**Last Updated:** Thu Apr 04, 2019 03:14 PM UTC
**Owner:** Kenton Taylor
---
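An added example, not Allura's code or part of any message in this thread: a sketch of a breached-password check gated by the `auth.hibp_password_check` setting and sending `site_name` as the `User-Agent`, as the review above suggests. It goes beyond the thread by using the Pwned Passwords range query, where only the first five hex characters of the SHA-1 leave the server; the function names, the fail-open policy and the stubbed response are assumptions made for illustration.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def pwned_count(password, fetch_range):
    """Breach count for password; only the 5-char hash prefix is given to fetch_range."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def http_fetch_range(config, timeout=5):
    """Build a fetcher that identifies the site in User-Agent via config['site_name']."""
    def fetch(prefix):
        req = urllib.request.Request(
            HIBP_RANGE_URL + prefix,
            headers={"User-Agent": config.get("site_name", "Allura")})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("ascii")
    return fetch

def check_new_password(password, config, fetch_range):
    """Return (ok, error_message) for a proposed new password."""
    flag = str(config.get("auth.hibp_password_check", "false")).lower()
    if flag not in ("true", "1", "yes", "on"):
        return True, None  # check is optional and off unless configured
    try:
        count = pwned_count(password, fetch_range)
    except (OSError, ValueError):
        # Assumption: fail open so a lookup outage does not block password changes.
        return True, None
    if count:
        return False, "This password has appeared in a known data breach; choose another."
    return True, None

def constructed_range_stub(prefix):
    """Constructed offline response: pretends 'password' was seen 3 times."""
    p, s = sha1_prefix_suffix("password")
    decoy = "0" * 35 + ":1"
    return decoy + "\r\n" + s + ":3" if prefix == p else decoy
```

In a deployment the third argument would be `http_fetch_range(config)`; the stub keeps the example runnable offline and makes the off, hit, miss and outage paths easy to cover in tests.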
[allura:tickets] #8274 Add optional HaveIBeenPwned checks for password
changes
Posted by Kenton Taylor <kt...@slashdotmedia.com>.
- **summary**: Add optional HaveIBeenPwned checks for password c hanges --> Add optional HaveIBeenPwned checks for password changes
---
** [tickets:#8274] Add optional HaveIBeenPwned checks for password changes**
**Status:** in-progress
**Milestone:** unreleased
**Created:** Thu Apr 04, 2019 02:43 PM UTC by Kenton Taylor
**Last Updated:** Thu Apr 04, 2019 02:43 PM UTC
**Owner:** Kenton Taylor
---
[allura:tickets] #8274 Add optional HaveIBeenPwned checks for password
changes
Posted by Kenton Taylor <kt...@slashdotmedia.com>.
- **status**: open --> review
---
** [tickets:#8274] Add optional HaveIBeenPwned checks for password changes**
**Status:** review
**Milestone:** unreleased
**Created:** Thu Apr 04, 2019 02:43 PM UTC by Kenton Taylor
**Last Updated:** Mon Apr 08, 2019 03:47 PM UTC
**Owner:** Kenton Taylor
---
[allura:tickets] Re: #8274 Add optional HaveIBeenPwned checks for password
changes
Posted by Kenton Taylor <kt...@slashdotmedia.com>.
Fixup pushed. As discussed, I originally considered placing this in `PasswordChangeBase`, but that felt like too "core" of an area for it; also, placing the checks in the controller allows the controller to determine how to react, rather than it being an immutable behavior.
---
** [tickets:#8274] Add optional HaveIBeenPwned checks for password changes**
**Status:** open
**Milestone:** unreleased
**Created:** Thu Apr 04, 2019 02:43 PM UTC by Kenton Taylor
**Last Updated:** Fri Apr 05, 2019 10:19 PM UTC
**Owner:** Kenton Taylor
---