Roundcube Community Forum

 

force password change for known users

Started by priitl, December 13, 2024, 04:12:30 PM


priitl

Hi!

I'm not sure if the following question is for the topic but I hope "Feel free to talk about anything and everything in this board" is open enough.

My question is about the "password" plugin, where there's an option to force a password change for new users:
$config['password_force_new_user'] = true;

This plugin works fine but not for already known users. I couldn't find an answer to the mechanism behind it: how does the plugin know that the user is "new"?
The main goal would be the situation where an administrator can force a user to change his/her password. Even for a known user. I just found a bunch of users who haven't changed their password in a long time and I'd like to force them to do so quietly without contacting them directly. In that case I can also "blame" the system: it detected a very old password and the system forced it, not me. :)

Thanks!


 

JohnDoh

The password_force_new_user option makes use of the user_create and login_after plugin hooks to know when a new Roundcube user (different from an IMAP user and typically created automatically on first login) has been created and redirect them to the password screen.

There are no options available out of the box for the type of action you are suggesting but I think it's achievable. I think you also want to make use of the login_after hook. In that handler you could insert your logic for checking the password age and if your criteria are met then redirect in the same way it currently does for new users.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more...
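
One way to implement the login_after check JohnDoh describes, as an added example that is not part of the thread or of the password plugin's own code. The plugin name, the force_pw_max_age_days option and the mailbox_passwords table (username, changed_at stored as Unix time) are hypothetical; where the password age really comes from depends on your mail backend.

```php
<?php
// Added example, not Roundcube's or the password plugin's code.
// Hypothetical: plugin name, 'force_pw_max_age_days' option, 'mailbox_passwords' table.
class force_old_password_change extends rcube_plugin
{
    private $rc;

    public function init()
    {
        $this->rc = rcmail::get_instance();
        $this->add_hook('login_after', [$this, 'login_after']);
    }

    // login_after receives the post-login redirect parameters and returns them.
    public function login_after($args)
    {
        $max_days = (int) $this->rc->config->get('force_pw_max_age_days', 365);
        $changed  = $this->password_changed_at($this->rc->get_user_name());

        // No record means the age is unknown; treat it as expired so that
        // accounts predating the table are also sent to the password form.
        $expired = $changed === null || (time() - $changed) > $max_days * 86400;

        if ($expired) {
            // Send the user to the password plugin's settings screen after login.
            $args['_task']   = 'settings';
            $args['_action'] = 'plugin.password';
        }

        return $args;
    }

    // Returns the Unix time of the last password change, or null if unknown.
    private function password_changed_at($username)
    {
        $db  = $this->rc->get_dbh();
        $res = $db->query(
            'SELECT changed_at FROM mailbox_passwords WHERE username = ?',
            $username
        );
        $row = $db->fetch_assoc($res);

        return $row ? (int) $row['changed_at'] : null;
    }
}
```

Whatever changes the password has to update changed_at, otherwise the redirect repeats on every login. The hook only changes the page shown after login, so a user can still navigate away without changing the password.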

priitl

Thank You for the reply.

So that means that if I don't want (actually can't because I'm not a PHP pro) to dig into the code and build some solid logic to check password age, I just need to find the place in the roundcube database "record" and modify/delete it? So roundcube thinks that the user is "new" and forces the password change.

I understand that it is not a good solution or the way to go but I think it might be the easiest.
Maybe I should create a new user, make a database dump, log in, change password and make another dump to compare what has changed? It would be cool if there's some boolean to change from 1 to 0. :D

SKaero

Quote from: priitl on December 15, 2024, 05:37:10 AM
I just need to find the place in the roundcube database "record" and modify/delete it? So roundcube thinks that the user is "new" and forces for the password change.

This would be a very bad way to do this since that would remove all of the user's settings and contacts in their address book.

The feature doesn't exist out of the box so you really would need to make or modify a plugin to do it correctly.

priitl

Thank You, SKaero!

Looks like I still have to contact the users directly to avoid bigger issues and avoid coding.  :p

Hopefully there's an option to force password change in future releases.



Thanks!