Force a password change after login

Hi,

I am migrating a forum to Discourse. I took the same approach as the discourse-migratepassword plugin, allowing users to log in with their current passwords, but those passwords may not be secure enough.

I would like to let users log in, but if their password does not meet the requirements in Discourse's password settings, force them to change it after they log in.

Is there currently a way to do this? If not, where should I start if I want to implement it as a plugin?

Thanks!

Sounds like it would be useful as an option on the discourse-migratepassword plugin. Slightly surprised it isn’t already.

Yeah, we can use that in the plugin too, happy to contribute that back if I implement it.

I was thinking of adding a custom_field to the user and rendering an alert until the user changes their password, but forcing them to change it sounds like a better option (not sure where to look to achieve this).

Well, I’m not forcing users to change their password, but we are rendering an alert on every login until they do so.

I’m setting user.custom_fields['migratepassword_policy'] = true if the password doesn’t comply with the Discourse settings and using that to conditionally render the modal, and we also send a password reset email once after they log in for the first time (with the insecure password).

What do you guys think?

I think it was enabled without an option in the past - if your password was too short, you were required to do a password reset instead.

The policy was flipped because this was locking people out of their accounts (dead email accounts).

Yeah, in this case we allow users to get into the platform with their current password, but we will render that modal until they change it (they can click OK or click outside the modal and it will close).

Maybe adding a “contact support if you don’t have access to your email anymore” message will do in case of dead email accounts.
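The check-and-flag approach described in this reply and the earlier one, as an added Ruby example that is not the thread's code and not part of the discourse-migratepassword plugin. The MigratedPasswordPolicy rules, the MigratedUser struct and the two helper methods are constructed stand-ins for this example; only the custom_fields key migratepassword_policy comes from the thread. A real plugin would run the equivalent of flag_if_noncompliant against Discourse's User model with the site's own password settings.

```ruby
require 'set'

# Constructed password policy approximating the kind of rules a Discourse
# site setting enforces (minimum length, blocked common passwords, too few
# distinct characters). The values are illustrative, not Discourse defaults.
class MigratedPasswordPolicy
  COMMON_PASSWORDS = Set.new(%w[password 123456 qwerty letmein welcome1]).freeze

  def initialize(min_length: 10, block_common: true)
    @min_length = min_length
    @block_common = block_common
  end

  # Returns the list of reasons the password would be rejected; empty if it complies.
  # Reasons are safe to log; the password itself never is.
  def violations(password)
    pw = password.to_s
    reasons = []
    reasons << "shorter than #{@min_length} characters" if pw.length < @min_length
    reasons << 'appears in common-password list' if @block_common && COMMON_PASSWORDS.include?(pw.downcase)
    reasons << 'fewer than 5 distinct characters' if pw.chars.uniq.length < 5
    reasons
  end

  def compliant?(password)
    violations(password).empty?
  end
end

# Stand-in for the Discourse user record with only the fields this example needs
# (constructed; a real plugin would use Discourse's User and its custom_fields).
MigratedUser = Struct.new(:username, :custom_fields)

# Login-time hook as the thread describes: the user is let in with the migrated
# password, but is flagged so the UI keeps showing the change-password modal
# until a compliant password clears the flag. Returns the violation reasons.
def flag_if_noncompliant(user, plain_password, policy)
  reasons = policy.violations(plain_password)
  if reasons.empty?
    user.custom_fields.delete('migratepassword_policy')
  else
    user.custom_fields['migratepassword_policy'] = true
  end
  reasons
end

# What the serializer/front-end would consult to decide whether to render the modal.
def needs_password_change?(user)
  user.custom_fields['migratepassword_policy'] == true
end

if __FILE__ == $PROGRAM_NAME
  policy = MigratedPasswordPolicy.new
  alice = MigratedUser.new('alice', {})
  puts "alice violations: #{flag_if_noncompliant(alice, 'qwerty', policy).inspect}"
  puts "alice must change password: #{needs_password_change?(alice)}"
end
```

The flag is only set at the moment the plaintext password is available (the login request); the plaintext is discarded immediately afterwards and only the boolean custom field persists.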

Hey, we need exactly the same feature: we will create users via the API with a default password... after a user's first login, they should be forced to change their password...

How did you implement it?

Thanks!

You should not create users with a default password. Instead, generate a random password for them and never send it to the user. They can then use the “forgot password” link on the login page to reset their password first, and log in after that.

99% of our users don't have email addresses ^^, and we don't want to add that many mailboxes just for the “forgot password” email.

Is there any other way besides using real email addresses?

That is going to be a big problem, because in Discourse the email address is treated as the identity.

If you want full control over the login flow so that it meets your requirements, I recommend using Discourse's official single sign-on (SSO).

Discourse now has native support for expiring passwords.

To do this, you need to run:

# Look up the user whose migrated password must be replaced
user = User.find_by_username(username)
# Mark the user's password as expired so Discourse requires a reset at the next login
UserPasswordExpirer.expire_user_password(user)

For hosted customers, a Discourse admin can do this for you; otherwise you can enter the container, start the rails console and run it for the specific user.