I realized while working on issue #1467184 that when an administrator creates an account, the created field gets set in the password_policy_history table. The Delay constraint checks that field when verifying whether a user is allowed to update their password.

If a delay constraint is in effect and the administrator checks the "Force password change on next login" box when creating a new account, the user is forced to change their password when they log in, but if the delay hasn't elapsed, they will be unable to change their password.

Comments

erikwebb’s picture

So what's the resolution to this? Whenever the policy is updated, set a changed date for the delay constraint? What does the arithmetic look like there?

matt v.’s picture

My initial thought was to bypass the delay constraint, if the account is marked "Force password change on next login." I can't think of a scenario where you'd genuinely want to force someone to change their password but also delay them from doing so.

What do you think?

matt v.’s picture

Status: Active » Needs review
Attachment: status new, size 717 bytes

Here's a patch that bypasses the delay validation, if a user's account is marked "Force password change on next login."

This patch assumes password_policy-delay_constraint-1467184-2.patch has already been applied.
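The catch-22 and the bypass proposed above, sketched as an added example that is not part of the original thread and not the Password Policy module's code. The function names, array keys and the delay expressed in seconds are assumptions made for illustration, as is clearing the flag once the change succeeds.

```php
<?php
// Added illustration. Names are hypothetical, not the module's API.

/**
 * Decide whether a password change is allowed under a delay constraint.
 *
 * @param array $account            ['last_set' => int, 'force_change' => bool]
 * @param int   $delay_seconds      Minimum time between password changes.
 * @param int   $now                Current Unix timestamp.
 * @param bool  $bypass_when_forced FALSE models the behaviour reported in the issue.
 */
function delay_allows_change(array $account, int $delay_seconds, int $now, bool $bypass_when_forced = TRUE): bool {
  // The fix discussed in the thread: a forced change is never delayed.
  if ($bypass_when_forced && !empty($account['force_change'])) {
    return TRUE;
  }
  // Account creation writes a history row, so for a user who has never
  // changed their password 'last_set' is the creation time.
  return ($now - $account['last_set']) >= $delay_seconds;
}

/**
 * Record a successful change and clear the flag (assumed behaviour),
 * so the delay applies again to every later change.
 */
function apply_password_change(array $account, int $now): array {
  $account['last_set'] = $now;
  $account['force_change'] = FALSE;
  return $account;
}

// Constructed sample: account created with the box checked, 24-hour delay.
$delay   = 24 * 3600;
$created = 1331000000;
$account = ['last_set' => $created, 'force_change' => TRUE];
$login   = $created + 600; // first login, ten minutes after creation

// Reported behaviour: forced to change, but still inside the delay window.
var_dump(delay_allows_change($account, $delay, $login, FALSE));
// With the bypass: the forced change goes through.
var_dump(delay_allows_change($account, $delay, $login));

// After the forced change the flag is cleared and the delay is enforced again.
$account = apply_password_change($account, $login);
var_dump(delay_allows_change($account, $delay, $login + 3600));
var_dump(delay_allows_change($account, $delay, $login + 25 * 3600));
```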

erikwebb’s picture

Just because I've run into issues in other patches. Can you confirm the force password change flag is reset after this is set?

matt v.’s picture

@erikwebb, I'm not 100% sure I understand the question; however, I tested several manually created accounts with a delay set, both with and without the password change flag checked and I didn't encounter any issues. I also ran all the latest simpletests and they all passed.

Status: Needs review » Needs work

The last submitted patch, password_policy-avoid_catch_22-1468172-3.patch, failed testing.

erikwebb’s picture

Status: Needs work » Needs review

Status: Needs review » Needs work

The last submitted patch, password_policy-avoid_catch_22-1468172-3.patch, failed testing.

erikwebb’s picture

Version: 7.x-1.0-rc2 » 7.x-1.x-dev
Status: Needs work » Needs review

erikwebb’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

erikwebb’s picture

Version: 7.x-1.x-dev » 6.x-1.x-dev
Status: Closed (fixed) » Patch (to be ported)

erikwebb’s picture

Status: Patch (to be ported) » Needs review
Attachment: status new, size 812 bytes

deekayen’s picture

Version: 6.x-1.x-dev » 7.x-2.x-dev
Issue summary: View changes
Status: Needs review » Patch (to be ported)

aohrvetpv’s picture

Status: Patch (to be ported) » Fixed

Issue does not affect 7.x-2.x since it does not (yet) have a "force password change at next login" feature.

Was committed on 6.x-1.x by deekayen:
http://drupalcode.org/project/password_policy.git/commit/b00f1a5

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.