Member password renewal
I have a client who has a lot of members who need to renew their password every 2 weeks.
They want to notify the member 4 days before expiration.
And if not updated before expiration the member should be disabled and notified.
Any ideas how to obtain this?
Sounds like a fun project, don't know if it will work with people going on holiday for three weeks ;-)
But I would (I think):
Hope this helps,
Richard
I hate to be that guy, but make sure to read up on this requirement, you can advise them that this actually LOWERS security instead of increasing it.
If they want to be more secure:
Here's an excellent article with great advice: https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/
I'd be curious to hear Sebastiaan's personal argument as to why custom password policies would lower the security in regards to Umbraco's Backoffice. Like Sebastian, I too have a client that is requesting custom rules and unfortunately they can't be persuaded into a different solution. Though I can create a custom .NET membership provider, I can't hook into Umbraco v8 the same as I did in v7, which means I can't offer the same experience to Backoffice users.
For example, in v7, you could attach event handlers to requests by implementing IHttpModule. In doing so, the Init method gains access to the HttpApplication and you can isolate requests made to Umbraco's API by URL. This allowed us to rewrite URLs and ultimately hide sections and dashboards when the user's current password no longer met the requirements. We would then leave only a custom password change form section visible.
In v8, I've been able to hook into the UserService.SavingUser to capture information about the last time the user logged in; however, I'm not finding a way to alter the sections and dashboards. A section service does not exist in this version because it "has become unnecessary" and the ApplicationTreeService has been deprecated.
Ultimately, I'm looking to answer the question "is there a way to override the requests to '/umbraco/backoffice/umbracoapi/section/getsections' and '/umbraco/backoffice/umbracoapi/dashboard/getdashboard'?"
Sebastian,
I know this response is late and the problem has probably already been solved but I want to direct you to this post because we had similar requirements.
If I were tasked with this problem, I'd leverage Sebastiaan's Umbraco/Hangfire solution. Create a task that runs say once an hour that compares all users' (lastPasswordChangeDate + 10 days) in the umbracoUser table to the current date/time. If they're roughly equal, send them a reminder that their password is expiring in ~4 days. I'd then create a separate task that disables and notifies users whose passwords were last changed 2 weeks or more ago. To disable the user, I'd set the userDisabled and userNoConsole bits in the umbracoUser table high.
Hope this helps!
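The decision step of the hourly task described in the post above, as an added example that is not part of the original thread or of Umbraco's code. `UserPasswordState`, its `ReminderSent` flag and `PasswordExpiryPolicy` are hypothetical names, and the example assumes threshold comparisons plus a stored flag so that a late or skipped run neither misses a user nor sends the reminder twice.

```csharp
using System;
using System.Collections.Generic;

public enum ExpiryAction { None, SendReminder, DisableAndNotify }

// Hypothetical shape; map it onto the rows you read from your user store.
public sealed class UserPasswordState
{
    public int Id { get; set; }
    public DateTime LastPasswordChangeUtc { get; set; }
    public bool ReminderSent { get; set; } // persisted; reset when the password changes
    public bool Disabled { get; set; }
}

public static class PasswordExpiryPolicy
{
    public static readonly TimeSpan RemindAfter = TimeSpan.FromDays(10);
    public static readonly TimeSpan MaxAge = TimeSpan.FromDays(14);

    // Compare against thresholds (>=) so a delayed hourly run still acts;
    // the Disabled and ReminderSent flags keep the job idempotent.
    public static ExpiryAction Decide(UserPasswordState u, DateTime nowUtc)
    {
        if (u.Disabled) return ExpiryAction.None;
        TimeSpan age = nowUtc - u.LastPasswordChangeUtc;
        if (age >= MaxAge) return ExpiryAction.DisableAndNotify;
        if (age >= RemindAfter && !u.ReminderSent) return ExpiryAction.SendReminder;
        return ExpiryAction.None;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data, not taken from a real site.
        var now = new DateTime(2020, 1, 15, 12, 0, 0, DateTimeKind.Utc);
        var users = new List<UserPasswordState>
        {
            new UserPasswordState { Id = 1, LastPasswordChangeUtc = now.AddDays(-3) },
            new UserPasswordState { Id = 2, LastPasswordChangeUtc = now.AddDays(-10).AddHours(-5) },
            new UserPasswordState { Id = 3, LastPasswordChangeUtc = now.AddDays(-11), ReminderSent = true },
            new UserPasswordState { Id = 4, LastPasswordChangeUtc = now.AddDays(-20) },
            new UserPasswordState { Id = 5, LastPasswordChangeUtc = now.AddDays(-20), Disabled = true },
        };
        foreach (var u in users)
            Console.WriteLine($"user {u.Id}: {PasswordExpiryPolicy.Decide(u, now)}");
    }
}
```

The caller is expected to persist `ReminderSent` or `Disabled` in the same transaction as the notification it sends, so a crash between the two does not leave the flags out of step with what the user was told.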