be_secure_pw issues
https://git.spooner.io/spooner/be_secure_pw/-/issues
Updated: 2023-09-20T11:51:59Z

https://git.spooner.io/spooner/be_secure_pw/-/issues/36
Title: TYPO3 12.4 Compatible Version
Updated: 2023-09-20T11:51:59Z
Author: Heiko Bihlmaier

Is there any information yet when this extension will be available for TYPO3 v12?
Greetings

Assignee: Heiko Bihlmaier

https://git.spooner.io/spooner/be_secure_pw/-/issues/35
Title: Don't force LDAP users to change the password
Updated: 2023-04-19T12:40:48Z
Author: Tobias Schäfer

Hello,
I have installed be_secure_pw on TYPO3 v11 together with EXT:ig_ldap_sso_auth. The "Force changing the password" option of be_secure_pw works fine with local users, but it doesn't make sense with LDAP users since those users have to change the password in the directory system.
Even if the LDAP user tries to change the password in the TYPO3 backend, the database column tx_besecurepw_lastpwchange doesn't get updated. So it would make sense to not force users to change the password if the database column tx_igldapssoauth_id equals 1 for that user.
Best regards,
Tobias Schäfer

https://git.spooner.io/spooner/be_secure_pw/-/issues/34
Title: After enforced password change, redirect enabled backend modules again, but stays on user-settings, account-security
Updated: 2022-11-09T10:22:22Z
Author: Thomas Wittich

Dear Thomas & Marcus,
here the third outcome of the testings:
- Admin: setup of be_secure_pw with "enforce", valid-timespan set and 2 mandatory patterns out of 4
- Admin: Enforce editor-user to change password
- Continue as editor:
- Login to typo3
- Panel Account security of user settings shows up with restricted access to all other backend modules
- User changes password successfully
- User gets redirected to:
- All backend modules enabled again - user COULD click to another backend module
- BUT gets presented the account-security of user-settings again with the old-/new-password-fields
- User's intention is most of the time: "Ah, I don't understand why, but I have to change the password again. I was forced to do it before, and it's not finished"
- User's intention is to be stuck
Expected:
- After the user-redirect, amongst the backend-module-sidebar, also the area which displays the current module should be shown.
- The module which is setup in tab "at start" in the user settings should be shown
Installation:
* Typo3 11.5.17
* be_secure_pw 10.1.3
How to proceed here?
Many thanks to you!
Greets, Thomas

https://git.spooner.io/spooner/be_secure_pw/-/issues/33
Title: Wired message after password change in user-settings
Updated: 2022-11-09T10:13:20Z
Author: Thomas Wittich

Hi Thomas & Marcus,
another outcome of these tests hits the password checks after the login, when a user provides a new password in the user settings.
- Admin: setup of be_secure_pw with "enforce", valid-timespan set and 2 mandatory patterns out of 4
- Continued as editor:
- When I do all things correctly, that means: providing the correct old and two times the correct new password, all is fine;
- When I do provide the correct old passwd, but do not meet all restrictions for the new password, the extension informs me about it in the red message. This text is not translated. As well, some instance (extension or core) tells the user that the **password is saved**. This is an extremely misleading message: The password is indeed - correctly - not saved. The old one is in place. The red and the green message are opposite of each other.
- Additionally, another green message tells the user that the user settings are saved. Which is basically ok, but may be interpreted wrongly by users who are just users and not typo3-nerds.
![secure-pwd-2](/uploads/9983a01a153ae4cef0b528f18a23e239/secure-pwd-2.jpg)
Expected behavior:
- When a password is declined because the given restrictions are not met,
- The message "Password was not changed!" with its text about the restrictions should be translated; (Please point out the location - I'll do it)
- The message "Neues Password - Ihr Passwort wurde aktualisiert." must not appear here.
- The message "User settings - saved" should be suppressed here
System:
* Typo3 11.5.17
* be_secure_pw 10.1.3
Any clue how to proceed here?
Thx, Thomas

https://git.spooner.io/spooner/be_secure_pw/-/issues/32
Title: Password can be set weak with "reset-password"-typo3-core-function, even when be_secure_pw is setted up correctly
Updated: 2022-11-09T10:01:02Z
Author: Thomas Wittich

Hi Thomas & Marcus,
sorry, went in another issues with the whole password restriction process within the same project.
We did dedicated testing on some cases - I'll split them up in several items.
The tests were:
- Admin: setup of be_secure_pw with "enforce", valid-timespan set and 2 mandatory patterns out of 4
- Editor: login-panel, click reset password
- click reset-pwd-link in received email
- ![secure-pwd-4](/uploads/5174fd76ab7ea77f1eeea584ea5afaa9/secure-pwd-4.jpg)
- Intro-text mentions not the configured restrictions
- I can provide a weak password without mentioning anything, although the configured restrictions
- After clicking the button, this panel appears:
- ![secure-pwd-3](/uploads/e14491ac3f8bbd0035150fbc25991533/secure-pwd-3.jpg)
- This one I would have expected with the extension not installed / configured. This the extension given, would have expected a failed password change panel.
- After that, i can login as usual (password is not enforced as strong, even not after the login, which would be anyways a step too much to enforce it)
Expected:
- Proper text of configured restrictions, translated (which I could do)
- Proper check of the password against the configured restrictions
Installation:
- Typo3 11.5.17
- be_secure_pw 10.1.3
Any help there?
Thank you,
Thomas

https://git.spooner.io/spooner/be_secure_pw/-/issues/31
Title: Missing DB field tx_besecurepw_forcepasswordchange incompatible with TYPO3 11.5 BE listview
Updated: 2022-10-28T07:23:36Z
Author: Hans Van Dijk

As a BE user of TYPO3 11.5, you want to show all be_users columns in the list view of the root page with id=0.
If you select this option "Check all" under the button "Show columns" of the "Backend user" table you get a 503 error: "Unknown column 'tx_besecurepw_forcepasswordchange' in 'field list'".
![image-20221027-100003](/uploads/258df03ede5b6b312f71eff1b88f8067/image-20221027-100003.png)

Assignee: Thomas Löffler

https://git.spooner.io/spooner/be_secure_pw/-/issues/23
Title: Enable passwort checks for forgot password process
Updated: 2022-10-27T13:45:08Z
Author: Lidia Demin

Many thanks for your awesome extension! It would be great, if the setup password requirements would also apply to the reset password form of the forgot password process. Currently the password preferences for this form validation are hardcoded in `TYPO3\CMS\Backend\Authentication\PasswordReset::resetPassword`.
I'm not certain what would be the proper solution here: a hook in the core method or to override it. What do you think (especially regarding security)?
Tested with EXT:be_secure_pw 10.1.2 and TYPO3 11.5

Assignee: Thomas Löffler

https://git.spooner.io/spooner/be_secure_pw/-/issues/14
Title: Creates a user with a blank password if the password is invalid
Updated: 2019-12-06T11:43:30Z
Author: Christian Hellmund

If you use be_secure_pw (8.0.1) and create a new backend user with an invalid password, the user will be created with a blank password.
Happened in several projects with TYPO3 8.7.24