On Magento EE, if you go to System > Configuration > Advanced > Admin > Security, there is an option to set Password Change to Forced.
If we do this and someone has an expired password, will it lock them out, or will it allow them to log in but force them to update their password?
I've tried looking through the Magento User Guide & Wiki but could find no answer 🙁
Best Answer
I went into one of our Enterprise installs to check this.
In app/code/core/Enterprise/Pci/Model/Observer.php there is a function called adminAuthenticate in the Observer. First, it updates the locking information:
Then it determines if the admin account is locked out by checking the lockExpires field from admin_user against the current time. Then it pulls the latest password and checks to see if the admin has to complete a forced password change.
If the getPciAdminUserIsPasswordExpired session variable is set, then it is caught in the forceAdminPasswordChange function in controller_action_predispatch. If the Admin user has a forced password flag set and is allowed to access My Account, then they'll be able to update their password themselves. If not, then they'll be logged out with the message "Your password has expired, please contact administrator."
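To make the decision flow in the answer above concrete, here is an added illustration (not Magento's own code, and not part of the original answer) that models the three checks it describes: the lockout check against lockExpires, the password-expiry check, and the forced-change handling that either sends the admin to My Account or logs them out. It assumes Password Change is set to Forced, as in the question. The function name evaluateAdminLogin, the array keys of the user record, the lifetime-in-days parameter and the sample users are all constructed for this example and do not correspond to Magento's real classes or schema.

```php
<?php
// Added illustration of the admin login decision flow described in the answer.
// Not Magento code: function name, array keys and sample data are assumptions.

const OUTCOME_LOCKED         = 'locked_out';                   // lockExpires still in the future
const OUTCOME_FORCE_CHANGE   = 'redirect_to_my_account';       // expired, may update own password
const OUTCOME_EXPIRED_LOGOUT = 'logged_out_password_expired';  // expired, no My Account access
const OUTCOME_OK             = 'login_ok';                     // nothing to enforce

/**
 * Model of the checks performed at admin authentication under "Forced" mode.
 *
 * @param array $user constructed record with keys:
 *   lock_expires       ?int  unix timestamp the lock ends, null if not locked
 *   password_updated   int   unix timestamp of the latest password change
 *   can_access_account bool  whether the ACL allows the My Account page
 * @param int $now          current unix timestamp
 * @param int $lifetimeDays assumed password lifetime in days (config value)
 */
function evaluateAdminLogin(array $user, int $now, int $lifetimeDays): string
{
    // 1. Lockout: a lock expiry in the future means the account is locked out.
    if ($user['lock_expires'] !== null && $user['lock_expires'] > $now) {
        return OUTCOME_LOCKED;
    }

    // 2. Expiry: compare the age of the latest password with the lifetime.
    $passwordAge = $now - $user['password_updated'];
    if ($passwordAge <= $lifetimeDays * 86400) {
        return OUTCOME_OK;
    }

    // 3. Forced change: the expired flag is set in the session, and the
    //    predispatch handler decides between self-service and logout.
    return $user['can_access_account'] ? OUTCOME_FORCE_CHANGE : OUTCOME_EXPIRED_LOGOUT;
}

// Constructed sample data: four admin users and a fixed "current time".
$now = 1700000000;
$day = 86400;
$users = [
    'locked'         => ['lock_expires' => $now + 600,  'password_updated' => $now - 10 * $day,  'can_access_account' => true],
    'expired'        => ['lock_expires' => null,        'password_updated' => $now - 100 * $day, 'can_access_account' => true],
    'expired_no_acl' => ['lock_expires' => null,        'password_updated' => $now - 100 * $day, 'can_access_account' => false],
    'fresh'          => ['lock_expires' => $now - 600,  'password_updated' => $now - 10 * $day,  'can_access_account' => true],
];

foreach ($users as $name => $user) {
    printf("%-15s -> %s\n", $name, evaluateAdminLogin($user, $now, 90));
}
```

Run it with the PHP CLI; the "expired" user is the case asked about in the question: the password being expired does not lock the account, it sends the admin to My Account to change it, and only an admin without access to that page ends up logged out with the expiry message.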