I'd be curious to hear Sabastiaan's argument as to why custom password policies would lower the security in regards to Umbraco's Backoffice. Like, Sabastian, I too have a client that is requesting custom rules and unfortunately they can't be persuaded into a different solution. Though I can create a custom .NET membership provider, I can't hook into Umbraco v8 the same as I did in v7 which means I can't offer the same experience to Backoffice users.
For example, in v7, you could attach event handlers to requests by implementing IHttpModule. In doing so, the Init method gains access to the HttpApplication and you can isolate requests made to Umbraco's API by URL. This allowed us to rewrite URLs and ultimately hide sections and dashboards when the user's current password no longer met the requirements. We would then leave only a custom password change form section visible.
In v8, I've been able to hook into the UserService.SavingUser to capture information about the last time the user logged in, however, I'm not finding a way to alter the sections and dashboards. A section service does not exist in this version because it "has become unnecessary" and the ApplicationTreeService has been deprecated.
Ultimately, I'm looking to answer the question "is there a way to override the requests to '/umbraco/backoffice/umbracoapi/section/getsections' and '/umbraco/backoffice/umbracoapi/dashboard/getdashboard'?
Member password renewal
I have a client who has a lot of members that needs to renew their password every 2 weeks.
They want to notify the member 4 days before expiration.
And if not updated before expiration the member should be disabled and notified.
Any ideas how to obtain this ?
Sounds like a fun project, don't knowif it work with people going on holiday for three weeks ;-)
But I would (I think):
Hope this helps,
Richard
I hate to be that guy, but make sure to read up on this requirement, you can advise them that this actually LOWERS security instead of increasing it.
If they want to be more secure:
Here's an excellent article with great advise: https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/
I'd be curious to hear Sabastiaan's argument as to why custom password policies would lower the security in regards to Umbraco's Backoffice. Like, Sabastian, I too have a client that is requesting custom rules and unfortunately they can't be persuaded into a different solution. Though I can create a custom .NET membership provider, I can't hook into Umbraco v8 the same as I did in v7 which means I can't offer the same experience to Backoffice users.
For example, in v7, you could attach event handlers to requests by implementing IHttpModule. In doing so, the Init method gains access to the HttpApplication and you can isolate requests made to Umbraco's API by URL. This allowed us to rewrite URLs and ultimately hide sections and dashboards when the user's current password no longer met the requirements. We would then leave only a custom password change form section visible.
In v8, I've been able to hook into the UserService.SavingUser to capture information about the last time the user logged in, however, I'm not finding a way to alter the sections and dashboards. A section service does not exist in this version because it "has become unnecessary" and the ApplicationTreeService has been deprecated.
Ultimately, I'm looking to answer the question "is there a way to override the requests to '/umbraco/backoffice/umbracoapi/section/getsections' and '/umbraco/backoffice/umbracoapi/dashboard/getdashboard'?
is working on a reply...
This forum is in read-only mode while we transition to the new forum.
You can continue this topic on the new forum by tapping the "Continue discussion" link below.