Hi Anthony,

Have you tried setting the minRequiredPasswordLength attribute? example:

<add name="UmbracoMembershipProvider" type="umbraco.providers.members.UmbracoMembershipProvider" minRequiredPasswordLength="7" ... />

You should be able to just add these to the provider config:

http://msdn.microsoft.com/en-us/library/system.web.security.membership.minrequiredpasswordlength.aspx

http://msdn.microsoft.com/en-us/library/system.web.security.membership.minrequirednonalphanumericcharacters.aspx

 

Grtz

L

Hi Jorge, Lennart,

I added the minRequiredPasswordLenght="7" attribute to the Umbraco Membership Provider:

<add name="UmbracoMembershipProvider" 

        type="umbraco.providers.members.UmbracoMembershipProvider" 

        enablePasswordRetrieval="false" 

        enablePasswordReset="true" 

        requiresQuestionAndAnswer="false" 

        defaultMemberTypeAlias="Jobseeker" 

        umbracoApprovePropertyTypeAlias="isApproved" 

        umbracoLockPropertyTypeAlias="isLocked" 

        requiresUniqueEmail="true" 

        passwordFormat="Hashed"

        minRequiredPasswordLength="7" /> 

 But this doesn't seem to have any effect on the password validation. I can still register a member with a password that has less than 7 characters.

Hi Anthony,

From what I can see in the source code the Umbraco membership provider defines the properties as mentioned above, but it does not apply them when creating a member or changing/resetting a password. I guess you could either update the provider (or create a work item on codeplex), or code the password policy into the wizard by hooking into one of its events: 

http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.createuserwizard.creatinguser.aspx

 

Grtz

L

I think the easiest way to get ignored properties into action is just to inherit the existent umbraco provider and override Create/Update methods so to add required validations.

HI Rodion,

You mean inherit the umbraco provider in my user control?

Thanks for the tip,

Anthony

Hi Lennart,

I will create a workitem on codeplex, as I think minRequiredPasswordLength and minRequiredNonAlphaNumericalCharacters should be baked into the Umbraco Membership Provider.

Thanks for the advice,

Anthony

@Lennart, I created the work item: http://umbraco.codeplex.com/workitem/30694

No, I meant to create your own membership provider inheriting from the UmbracoMembershipProvider and register it via web.config instead of the latter. (Actually I think it wouldn't take longer than half an hour).

For instance:

public class NiceUmbracoMembershipProvider : UmbracoMembershipProvider
{
  public override MembershipUser CreateUser(
     string username,
     string password,
     string email,
     string passwordQuestion,
     string passwordAnswer,
     bool isApproved,
     object providerUserKey,
     out MembershipCreateStatus status)
  {
      if(password.Length < m_MinRequiredPasswordLength)
      {
        status = MembershipCreateStatus.InvalidPassword;
        return null;
      }
      return base.CreateUser(username, password, email,
                             passwordQuestion, passwordAnswer,
                             isApproved, providerUserKey,
                             out status);
  }
}

You can override the "UpdateUser" method in a similar way and add any additional validations that you could need.

Than you will need just to register this provider as the default one in your web.config and that's it.

Also, if you use some tool like the RedGate .NET Reflector then you can investigate the code of e.g. Asp.Net SqlMembershipProvideras as a reference implementation.

I created an old issue and I don't know if it's stil valid, but it might be good to look at it before creating you own MembershipProvider: http://umbraco.codeplex.com/workitem/25855

Jeroen

If you want a quick way of doing it, you can do it by adding a RegExp validator to your register user control. The following RegEx wioll ensure that a password is between 8 - 29 characters long, and contains a mix of upper, lower and numeric characters: ^.*(?=.{7,30})(?=.*[\d])(?=.*[a-z])(?=.*[A-Z]).*$

 

@Rodion thanks for the advice, but I think I'm to far now in development of my registration page to rewrite the member logic.

@Tim Thanks I think this can solve my issue in a fast manner. The only thing I'm struggling with is that my CreateUserWizard doesn't seem to stop registering a user when validation fails:

<asp:CreateUserWizardStep ID="cuwStep2" Title="Step 2/2" runat="server">

                    <ContentTemplate>

                    <p><strong>Step 2/2</strong>: Enter your account information</p>

                        <table class="registrationtable">

                            <tr>

                                <td>Email:</td>

                                <td><asp:TextBox ID="Username" runat="server"></asp:TextBox><asp:TextBox ID="Email" runat="server" Visible="false"></asp:TextBox></td>

                                <td><asp:RequiredFieldValidator ID="reqUserName" runat="server" 

                                ToolTip="Username is a required field" 

                                ErrorMessage="Email is a required field" 

                                ControlToValidate="Username" 

                                ValidationGroup="cwMember" 

                                Text="*" />

                                <asp:RegularExpressionValidator ID="regEmail" ControlToValidate="UserName" 

                                Text="*" 

                                ValidationExpression="\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*" 

                                Runat="server" 

                                ValidationGroup="cwMember" /></td>

                            </tr>

                            <tr>

                                <td>Password:</td>

                                <td><asp:TextBox ID="Password" runat="server" TextMode="Password"></asp:TextBox></td>

                                <td><asp:RequiredFieldValidator 

                                ID="reqPassword" 

                                runat="server" 

                                ControlToValidate="Password" 

                                ValidationGroup="cwMember" 

                                Text="*" 

                                ErrorMessage="Password is a required field" />                               

                                </td>

                            </tr>

                            <tr>

                                <td>Confirm Password:</td>

                                <td><asp:TextBox ID="txtConfirmPassword" runat="server" TextMode="Password"></asp:TextBox></td>

                                <td><asp:RequiredFieldValidator

                                 ID="reqConfirmPassword"

                                 runat="server"

                                 Display="Dynamic" 

                                 ControlToValidate="txtConfirmPassword" 

                                 ValidationGroup="cwMember" 

                                 Text="Confirm password" />

                                 <asp:CompareValidator ID="cmpPassword" 

                                 runat="server"

                                 Display="Dynamic" 

                                 ControlToValidate="Password" 

                                 ControlToCompare="txtConfirmPassword"                                  

                                 Text="*"

                                 ErrorMessage="Passwords are not equal" />

                                </td>

                            </tr>

                        </table>               

                        <asp:PlaceHolder ID="phValidationSummary" runat="server"></asp:PlaceHolder>

                        <asp:ValidationSummary 

                        ID="vsSummary" 

                        runat="server" 

                        ValidationGroup="cwMember" 

                        DisplayMode="BulletList" 

                        HeaderText="Correct the following:" />                                                

                    </ContentTemplate>                                                        

                </asp:CreateUserWizardStep>                                            

                <asp:CompleteWizardStep ID="cuwStep3" runat="server">

                    <ContentTemplate>

                        <p>User should now be created, but not approved...</p>

                        <asp:HyperLink ID="hlAuth" runat="server"></asp:HyperLink>

                    </ContentTemplate>

                </asp:CompleteWizardStep>

            </WizardSteps>

        </asp:CreateUserWizard>

 

I use a CreateUserError event handler to handle validation errors in the createuserwizardstep:

protected void cwMember_CreateUserError(object sender, CreateUserErrorEventArgs e)

        {

            StringBuilder sb = new StringBuilder();

            CreateUserWizard cuw = (CreateUserWizard)sender;

            switch (e.CreateUserError)

            {

                case MembershipCreateStatus.DuplicateEmail:

                    sb.Append(cuw.DuplicateEmailErrorMessage.ToString());

                    break;

                case MembershipCreateStatus.DuplicateUserName:

                    sb.Append("this email address is already registered, please use another email address");

                    break;                

                case MembershipCreateStatus.InvalidEmail:

                    sb.Append(cuw.InvalidEmailErrorMessage.ToString());

                    break;

                case MembershipCreateStatus.InvalidPassword:

                    sb.Append(cuw.InvalidPasswordErrorMessage.ToString());

                    break;                

                case MembershipCreateStatus.InvalidUserName:

                    sb.Append("username is not valid");

                    break;                

                case MembershipCreateStatus.UserRejected:

                    sb.Append("administrator said 'no way'");

                    break;

                default:

                    break;

            }

            CreateUserWizardStep cuwStep2 = cuw.FindControl("cuwStep2") as CreateUserWizardStep;

            PlaceHolder phValidationSummary = (PlaceHolder)cuwStep2.ContentTemplateContainer.FindControl("phValidationSummary");

            CustomValidator cvError = new CustomValidator();

            cvError.ValidationGroup = "cwMember";

            cvError.ErrorMessage = sb.ToString();

            cvError.IsValid = false;

            phValidationSummary.Controls.Add(cvError);

 

        }

But for some reason only validation that that is catched in the CreateUserError event is handled. I only posted this issue on StackOverFlow.com: 

http://stackoverflow.com/questions/9052563/how-to-stop-creatuserwizard-control-creating-user-when-passwords-are-not-equal

Thanks for your advice,

Anthony

@Anthony, it looks like your compare validator for the password is not a member of the "cwMember" validator group like the rest of the validators. If you add that to the group, does it work?

I managed to add policy complexity rules to Umbraco accounts by adding the minRequiredPasswordLength and minRequiredNonalphanumericCharacters attributes to the UsersMembershipProvider and not the UmbracoMembershipProvider. A comment in the code indicates that the UmbracoMembershipProvider is not used for CMS accounts. This is on version 7.7.2.

 <providers>
    <clear />
    <add name="UmbracoMembershipProvider" type="Umbraco.Web.Security.Providers.MembersMembershipProvider, Umbraco" minRequiredNonalphanumericCharacters="2" minRequiredPasswordLength="10" useLegacyEncoding="false" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" defaultMemberTypeAlias="Member" passwordFormat="Hashed" allowManuallyChangingPassword="false" />
    <add name="UsersMembershipProvider" type="Umbraco.Web.Security.Providers.UsersMembershipProvider, Umbraco"  minRequiredPasswordLength="14" minRequiredNonalphanumericCharacters="1" />
  </providers>

is working on a reply...