[ajcosta]

Hi,

I'm running community version 3.2.3 and can’t seem to get Password Expiration date to work.
Have followed https://wiki.processmaker.com/3.0/Authe ... tomization and to test it I have set define('PPP_EXPIRATION_IN', 1); to one day, but my password don’t expire.

Can anyone help in this matter?

thanks

Aj

[amosbatto]

I just checked the code and you are right. It looks like someone changed the authentication code and it no longer works correctly in version 3.2.3.

Here is how to fix it. Edit workflow/engine/classes/model/UsersProperties.php and change lines 183-4 from:

Code: Select all

            $fDays = $oCalendar->calculateDuration( date( 'Y-m-d H:i:s' ), $sLastUpdate );
            if ($fDays > (PPP_EXPIRATION_IN * 24) || $nowLogin) {

To:

Code: Select all

            //convert from seconds to days:
            $fDays = $oCalendar->calculateDuration( date( 'Y-m-d H:i:s' ), $sLastUpdate ) / (24*60*60);
            
            if ($fDays > PPP_EXPIRATION_IN || $nowLogin) {

(The problem is that calculateDuration() returns the difference in seconds, so it has to be converted to days.)

Then, edit workflow/engine/methods/login/authentication.php and change lines 298-300 from:

Code: Select all

    $aErrors       = $oUserProperty->validatePassword($_POST['form']['USR_PASSWORD'], $aUserProperty['USR_LAST_UPDATE_DATE'], $aUserProperty['USR_LOGGED_NEXT_TIME'], true);
    
    if (!empty($aErrors) && in_array("ID_PPP_CHANGE_PASSWORD_AFTER_NEXT_LOGIN", $aErrors)) {

To:

Code: Select all

    $aErrors       = $oUserProperty->validatePassword($_POST['form']['USR_PASSWORD'], $aUserProperty['USR_LAST_UPDATE_DATE'], $aUserProperty['USR_LOGGED_NEXT_TIME'], false);

    if (!empty($aErrors)) {

Now, when you login, you should see a screen like:

passwordNoncomplianceScreen.png (818.22 KiB) Viewed 3597 times

[amosbatto]

I filed a bug report about this to get it fixed:
https://processmaker.atlassian.net/browse/TRI-3679

[ajcosta]

Thanks Amosbatto

Its working ok now.

Have another question thow, is it possible to define a user whose password never expires?

Gracias

Aj

[amosbatto]

Have another question thow, is it possible to define a user whose password never expires?

PPP_EXPIRATION_IN is universal, so it is set for all users.
Of course, it is only checked when the user logs in, so you won't have to reset the password if the user doesn't login. For example, you could define PPP_EXPIRATION_IN for a time when the user won't login, then comment it out in the db.php when the user will login.

Another option is to change the source code. For example, in workflow/engine/classes/model/UserProperties.php:175, change from:

Code: Select all

    (PPP_EXPIRATION_IN > 0) {

To:

Code: Select all

    (PPP_EXPIRATION_IN > 0 and (!isset($_SESSION['USR_USERNAME']) or $_SESSION['USR_USERNAME'] != 'admin')) {

Now the "admin" user will never have to change his password.

A third option is to not use PPP_EXPIRATION_IN. Instead, manually mark the option "User must change password at next Login" in each user's profile, except the user whose password shouldn't change.

If you don't want to do this manually, then change the USERS_PROPERTIES.USR_LOGGED_NEXT_TIME from 0 to 1 to force the user to change her password on the next login.

For example, the following would force all the users except admin, sally and bob to change their passwords on the next login:

Code: Select all

mysql -u root -p
USE wf_workflow;
UPDATE USERS_PROPERTIES AS UP JOIN USERS AS U ON U.USR_UID=UP.USR_UID SET UP.USR_LOGGED_NEXT_TIME=0 
WHERE U.USR_USERNAME NOT IN ('admin', 'sally', 'bob');
EXIT;

[ajcosta]

Thank you Amosbatto, have gone with the second option and all is ok.