Is there any Magento plugin that has the features below:
- force the user to change their password every 90 days.
- a changed password must be at least 8 characters
Tags: extensions, magento2, password, security
You can write a small custom extension that checks if the user has permission to access the site.
Your config.xml would look something like this:
<?xml version="1.0"?>
<config>
    <modules>
        <[Namespace]_[Module]>
            <version>1.0.0</version>
        </[Namespace]_[Module]>
    </modules>
    <global>
        <models>
            <[module]>
                <class>[Namespace]_[Module]_Model</class>
            </[module]>
        </models>
        <events>
            <controller_front_init_before>
                <observers>
                    <[namespace]_[module]_access_observer>
                        <type>singleton</type>
                        <class>[Namespace]_[Module]_Model_Observer</class>
                        <method>checkAccess</method>
                    </[namespace]_[module]_access_observer>
                </observers>
            </controller_front_init_before>
        </events>
    </global>
</config>
And your observer class would look something like this:
class [Namespace]_[Module]_Model_Observer
{
    public function checkAccess(Varien_Event_Observer $observer)
    {
        $adminurl  = (string)Mage::getConfig()->getNode('admin/routers/adminhtml/args/frontName');
        $urlstring = Mage::helper('core/url')->getCurrentUrl();
        $url       = Mage::getSingleton('core/url')->parseUrl($urlstring);
        if (strstr($url->path, "/{$adminurl}")) {
            return $this; // this is the admin section, let it through
        }
        // switch to the admin session to read its login state
        Mage::getSingleton('core/session', array('name' => 'adminhtml'))->start();
        $admin_logged_in = Mage::getSingleton('admin/session', array('name' => 'adminhtml'))->isLoggedIn();
        // return to the frontend session
        Mage::getSingleton('core/session', array('name' => 'frontend'))->start();
        if (!$admin_logged_in) {
            die('No access!');
        }
        return $this;
    }
}
I went into one of our Enterprise installs to check this. In app/code/core/Enterprise/Pci/Model/Observer.php there is a function called adminAuthenticate in the Observer.
public function adminAuthenticate($observer)
{
First, it updates the locking information:
    // update locking information regardless whether user locked or not
    if ((!$authResult) && ($user->getId())) {
        $now = time();
        $lockThreshold = $this->getAdminLockThreshold();
        $maxFailures = (int)Mage::getStoreConfig('admin/security/lockout_failures');
        if (!($lockThreshold && $maxFailures)) {
            return;
        }
        $failuresNum = (int)$user->getFailuresNum() + 1;
        if ($firstFailureDate = $user->getFirstFailure()) {
            $firstFailureDate = new Zend_Date($firstFailureDate, Varien_Date::DATETIME_INTERNAL_FORMAT);
            $firstFailureDate = $firstFailureDate->toValue();
        }
Then it determines if the admin account is locked out by checking the lockExpires field from admin_user against the current time.
    // check whether user is locked
    if ($lockExpires = $user->getLockExpires()) {
        $lockExpires = new Zend_Date($lockExpires, Varien_Date::DATETIME_INTERNAL_FORMAT);
        $lockExpires = $lockExpires->toValue();
        if ($lockExpires > time()) {
            throw new Mage_Core_Exception(
                Mage::helper('enterprise_pci')->__('This account is locked.'),
                self::ADMIN_USER_LOCKED
            );
        }
    }
Then it pulls the latest password and checks to see if the admin has to complete a forced password change.
    $latestPassword = Mage::getResourceSingleton('enterprise_pci/admin_user')->getLatestPassword($user->getId());
    if ($latestPassword) {
        if ($this->_isLatestPasswordExpired($latestPassword)) {
            if ($this->isPasswordChangeForced()) {
                $message = Mage::helper('enterprise_pci')->__('Your password has expired, you must change it now.');
            } else {
                $myAccountUrl = Mage::getSingleton('adminhtml/url')->getUrl('adminhtml/system_account/');
                $message = Mage::helper('enterprise_pci')->__('Your password has expired, please <a href="%s">change it</a>.', $myAccountUrl);
            }
            Mage::getSingleton('adminhtml/session')->addNotice($message);
            if ($message = Mage::getSingleton('adminhtml/session')->getMessages()->getLastAddedMessage()) {
                $message->setIdentifier('enterprise_pci_password_expired')->setIsSticky(true);
                Mage::getSingleton('admin/session')->setPciAdminUserIsPasswordExpired(true);
            }
        }
    }
If the getPciAdminUserIsPasswordExpired session variable is set, then it is caught in the forceAdminPasswordChange function in controller_action_predispatch.
public function forceAdminPasswordChange($observer)
{
    if (!$this->isPasswordChangeForced()) {
        return;
    }
    $session = Mage::getSingleton('admin/session');
    if (!$session->isLoggedIn()) {
        return;
    }
    $actionList = array('adminhtml_system_account_index', 'adminhtml_system_account_save',
        'adminhtml_index_logout');
    $controller = $observer->getEvent()->getControllerAction();
    if (Mage::getSingleton('admin/session')->getPciAdminUserIsPasswordExpired()) {
        if (!in_array($controller->getFullActionName(), $actionList)) {
            if (Mage::getSingleton('admin/session')->isAllowed('admin/system/myaccount')) {
                $controller->getResponse()->setRedirect(Mage::getSingleton('adminhtml/url')
                    ->getUrl('adminhtml/system_account/'));
                $controller->setFlag('', Mage_Core_Controller_Varien_Action::FLAG_NO_DISPATCH, true);
                $controller->setFlag('', Mage_Core_Controller_Varien_Action::FLAG_NO_POST_DISPATCH, true);
            } else {
                /*
                 * if admin password is expired and access to 'My Account' page is denied
                 * then we need to do force logout with error message
                 */
                Mage::getSingleton('admin/session')->unsetAll();
                Mage::getSingleton('adminhtml/session')->unsetAll();
                Mage::getSingleton('adminhtml/session')->addError(
                    Mage::helper('enterprise_pci')->__('Your password has expired, please contact administrator.')
                );
                $controller->getRequest()->setDispatched(false);
            }
        }
    }
}
If the admin user has the forced password flag set and is allowed to access My Account, then they'll be able to update their password themselves. If not, they'll be logged out with the message "Your password has expired, please contact administrator."
Best Answer
Password lifetime
This is a standard feature of Magento 2 (CE + EE). In the system configuration there is a section for "security" (see "Advanced" > "Admin") where you can define the Password Lifetime in days (for example 90) and set the password change behaviour (forced or recommended).
See also: http://docs.magento.com/m2/ce/user_guide/stores/security-admin.html
Password length
The current minimum password length for admin users is 7 characters.
As far as I know, there is currently no extension that sets the minimum password length to 8.
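The lifetime requirement is covered by the Password Lifetime setting described above, so only the 8-character minimum needs code. As an added example (not from any answer in this thread, and not Magento's own code), here is the shape of a small custom-module plugin that tightens that minimum. It assumes Magento 2's `Magento\User\Model\UserValidationRules::addPasswordRules()` hook, a hypothetical `Vendor\AdminPasswordPolicy` module whose etc/di.xml registers the plugin, and that `Magento\Framework\Validator\StringLength` accepts the options shown; check these against your Magento version.

```php
<?php
// Added example, not Magento's own code. Assumptions: Vendor\AdminPasswordPolicy is a
// hypothetical custom module, and the core method addPasswordRules() receives and
// returns a Magento\Framework\Validator\DataObject (verify against your version).
declare(strict_types=1);

namespace Vendor\AdminPasswordPolicy\Plugin;

use Magento\Framework\Validator\DataObject;
use Magento\Framework\Validator\StringLength;
use Magento\User\Model\UserValidationRules;

/**
 * "after" plugin on UserValidationRules::addPasswordRules().
 * The core rules (7+ characters, letters and digits, confirmation match)
 * stay attached; this plugin only adds a stricter minimum length, so a new
 * admin password shorter than 8 characters is rejected on save.
 */
class MinimumPasswordLengthPlugin
{
    /** Minimum asked for in the question; the core default is 7. */
    private const MIN_LENGTH = 8;

    public function afterAddPasswordRules(UserValidationRules $subject, DataObject $validator): DataObject
    {
        $lengthRule = new StringLength(['min' => self::MIN_LENGTH, 'encoding' => 'UTF-8']);
        $lengthRule->setMessage(
            (string)__('Your password must be at least %1 characters.', self::MIN_LENGTH),
            StringLength::TOO_SHORT
        );
        // 'password' is the field name the core rules validate on the admin User model.
        $validator->addRule($lengthRule, 'password');

        return $validator;
    }
}
```

Register it in the module's etc/di.xml with `<type name="Magento\User\Model\UserValidationRules"><plugin name="vendor_admin_min_password_length" type="Vendor\AdminPasswordPolicy\Plugin\MinimumPasswordLengthPlugin"/></type>`. Because the core length rule still runs, an admin sees the 7-character message first for very short passwords and this plugin's message for 7-character ones.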