Vés al contingut principal

Configuració de les galetes

Fem servir galetes per assegurar les funcionalitats bàsiques del lloc web i per a millorar la teva experiència en línia. Pots configurar i acceptar l'ús de galetes, i modificar les teves opcions de consentiment en qualsevol moment.

Essencials

Preferències

Analítiques i estadístiques

Màrqueting

This proposal has been implemented

  • Reviewed by @product and accepted in the main project
  • Funded by Barcelona City Council
  • Developed by Mainio Tech
  • Available in release 0.27 via #9347

Strong password policy for Admin users

Avatar: InnovacióDemocràtica InnovacióDemocràtica Finished

Ref. GDPR07

Is your feature request related to a problem? Please describe.
As an administrator, I want to have better rules for the security of my user account.

Describe the solution you’d like

We should have stronger password rules for administrator users, like:

  • it should change every 90 days
  • it should not be repeated (for the last 5 times)
  • it should have at least 15 characters

As in other related APIs and configurations, this should have an initializer/secret/environment variable.

In all cases, the password still needs to pass the PasswordValidator

DECIDIM_ADMIN_PASSWORD_STRONG_ENABLE

True by default

If enabled it’ll check that the password has at least one lowercase, one uppercase, one number and one special character

DECIDIM_ADMIN_PASSWORD_MIN_CHARACTERS

15 by default

DECIDIM_ADMIN_PASSWORD_DAYS_EXPIRATION

90 by default

After this many days without changing the password, when an administrator logins it should see a “Change my password” form

DECIDIM_ADMIN_PASSWORD_REPETITION_TIMES

5 by default

When an administrator changes its password, it can’t reuse these old passwords.

Describe alternatives you’ve considered
To not be able to change this kind of settings, but some organizations would want to relax or make stricter these rules

Does this issue could impact on users private data?
Yes, it’s about passwords.

Acceptance criteria

  • Given that the app has disabled the DECIDIM_ADMIN_PASSWORD_STRONG_ENABLE env var,
    And I’m an administrator
    When I change my password and give a password without one lowercase, one uppercase, one number or one special character
    Then it’s says that the provided password is valid
  • Given that the app has enabled the DECIDIM_ADMIN_PASSWORD_STRONG_ENABLE env var,
    And I’m an administrator
    When I change my password and give a password without one lowercase, one uppercase, one number or one special character
    Then it’s says that the provided password is invalid
  • Given that the app has enabled the DECIDIM_ADMIN_PASSWORD_STRONG_ENABLE env var,
    And I’m an administrator
    When I change my password and give a password with one lowercase, one uppercase, one number or one special character
    Then it’s says that the provided password is valid
  • Given that the app has set up the DECIDIM_ADMIN_PASSWORD_MIN_CHARACTERS env var to 8,
    And I’m an administrator
    When I change my password and give a password with 7 characters
    Then it’s says that the provided password is invalid
  • Given that the app has set up the DECIDIM_ADMIN_PASSWORD_MIN_CHARACTERS env var to 8,
    And I’m an administrator
    When I change my password and give a password with 9 characters
    Then it’s says that the provided password is valid
  • Given that the app has set up the DECIDIM_ADMIN_PASSWORD_DAYS_EXPIRATION env var to 30,
    And I’m an administrator that has changed its password 31 days ago
    When I login
    Then I’m asked to change my password
  • Given that the app has set up the DECIDIM_ADMIN_PASSWORD_DAYS_EXPIRATION env var to 30,
    And I’m an administrator that has changed its password 7 days ago
    When I login
    Then I’m not asked to change my password
  • Given that the app has set up the DECIDIM_ADMIN_PASSWORD_REPETITION_TIMES env var to 2,
    And I’m an administrator
    When I change my password and give my old password
    Then it’s says that the provided password is invalid
Comentari

Confirmar

Si us plau, inicia la sessió

La contrasenya és massa curta.

Compartir