How to force a admin user to change their password?

Question

On Magento EE if you go to System > Configuration > Advanced > Admin > Security their is an option to set Password Change to Forced.

If we do this and someone has an expired password will it lock them out - or will it allow them login but force them to update their password?

I've tried looking through the Magento User Guide & Wiki but could find no answer :(

Answer 1

I went into one of our Enterprise installs to check this.

In app/code/core/Enterprise/Pci/Model/Observer.php there is a function called adminAuthenticate in the Observer.

public function adminAuthenticate($observer)
{

First, it updates the locking information:

    // update locking information regardless whether user locked or not
    if ((!$authResult) && ($user->getId())) {
        $now = time();
        $lockThreshold = $this->getAdminLockThreshold();
        $maxFailures = (int)Mage::getStoreConfig('admin/security/lockout_failures');
        if (!($lockThreshold && $maxFailures)) {
            return;
        }
        $failuresNum = (int)$user->getFailuresNum() + 1;
        if ($firstFailureDate = $user->getFirstFailure()) {
            $firstFailureDate = new Zend_Date($firstFailureDate, Varien_Date::DATETIME_INTERNAL_FORMAT);
            $firstFailureDate = $firstFailureDate->toValue();
        }

Then it determines if the admin account is locked out by checking the lockExpires field from admin_user against the current time.

    // check whether user is locked
    if ($lockExpires = $user->getLockExpires()) {
        $lockExpires = new Zend_Date($lockExpires, Varien_Date::DATETIME_INTERNAL_FORMAT);
        $lockExpires = $lockExpires->toValue();
        if ($lockExpires > time()) {
            throw new Mage_Core_Exception(
                Mage::helper('enterprise_pci')->__('This account is locked.'),
                self::ADMIN_USER_LOCKED
            );
        }
    }

Then it pulls the latest password and checks to see if the admin has to complete a forced password change.

$latestPassword = Mage::getResourceSingleton('enterprise_pci/admin_user')->getLatestPassword($user->getId());
    if ($latestPassword) {
        if ($this->_isLatestPasswordExpired($latestPassword)) {
            if ($this->isPasswordChangeForced()) {
                $message = Mage::helper('enterprise_pci')->__('Your password has expired, you must change it now.');
            } else {
                $myAccountUrl = Mage::getSingleton('adminhtml/url')->getUrl('adminhtml/system_account/');
                $message = Mage::helper('enterprise_pci')->__('Your password has expired, please <a href="%s">change it</a>.', $myAccountUrl);
            }
            Mage::getSingleton('adminhtml/session')->addNotice($message);
            if ($message = Mage::getSingleton('adminhtml/session')->getMessages()->getLastAddedMessage()) {
                $message->setIdentifier('enterprise_pci_password_expired')->setIsSticky(true);
                Mage::getSingleton('admin/session')->setPciAdminUserIsPasswordExpired(true);
            }
        }
    }

If the getPciAdminUserIsPasswordExpired session variable is set, then it is caught in the forceAdminPasswordChange function in controller_action_predispatch.

public function forceAdminPasswordChange($observer)
{
    if (!$this->isPasswordChangeForced()) {
        return;
    }
    $session = Mage::getSingleton('admin/session');
    if (!$session->isLoggedIn()) {
        return;
    }
    $actionList = array('adminhtml_system_account_index', 'adminhtml_system_account_save',
        'adminhtml_index_logout');
    $controller = $observer->getEvent()->getControllerAction();
    if (Mage::getSingleton('admin/session')->getPciAdminUserIsPasswordExpired()) {
        if (!in_array($controller->getFullActionName(), $actionList)) {
            if (Mage::getSingleton('admin/session')->isAllowed('admin/system/myaccount')) {
                $controller->getResponse()->setRedirect(Mage::getSingleton('adminhtml/url')
                        ->getUrl('adminhtml/system_account/'));
                $controller->setFlag('', Mage_Core_Controller_Varien_Action::FLAG_NO_DISPATCH, true);
                $controller->setFlag('', Mage_Core_Controller_Varien_Action::FLAG_NO_POST_DISPATCH, true);
            } else {
                /*
                 * if admin password is expired and access to 'My Account' page is denied
                 * than we need to do force logout with error message
                 */
                Mage::getSingleton('admin/session')->unsetAll();
                Mage::getSingleton('adminhtml/session')->unsetAll();
                Mage::getSingleton('adminhtml/session')->addError(
                    Mage::helper('enterprise_pci')->__('Your password has expired, please contact administrator.')
                );
                $controller->getRequest()->setDispatched(false);
            }
        }
    }

If the Admin user has a forced password flag set and is allowed to access My Account then they'll be able to update their password themselves. If not, then they'll be logged out with the message Your password has expired, please contact administrator.

Answer 2

Magento will redirect them to /admin/system_account/index/ and offer to change their password. Untill they change it, they won't be able to use Admin panel. So yes, it will lock them out. But take in mind, that feature works for Admin panel's users only.

Answer 3

This is definitely a bug. We discovered the same problem on our installation of EE 1.14.1. Magento provided a patch to fix the problem. It was patch PATCH_SUPEE-5151_EE_1.14.1.0_v1.sh. If you ask them to reference their support case number 236942, they will be able to find it and send it to you (or make it available in the downloads section of your account).

Answer 4

The description of functionality is nice seanbreeden. The problem is that we cannot enforce password change at any moment as needed. If we chose to use this password change enforcement feature this will produce no instant effect.

The password change enforcement as it is on magento EE first needs the user to change or reset their password, and only at this moment one hashed record and the expiration time will be added in enterprise_admin_password table. Yet there are no effects till the day when the password will expire based on the password lifetime we set at System > Configuration > Advanced > Admin > Security.

If the admin users will never change the password voluntary, they will be never enforced to change since there are no records for that user on enterprise_admin_password table.

My answer is that there is no true enforcement for admin password change.

But other than this it makes sense to get locked out if you are enforced to change the password when that time will come, just change it and you will be able to login and fully access the admin site, it worked for me.

Answer 5

Unfortunately it is an all or nothing setting.

If you want to require users to change their password x-days, but allow a user used for an API to have a permanent password, you are out of luck.