@@ -1815,6 +1815,60 @@ Some simple javascript might help in the last step. If you have high volume
18151815you could search for all currently-Pending users and do a bulk edit of all
18161816their roles at once (again probably with some simple javascript help).
18171817
1818+ .. _sensitive_changes:
1819+
1820+ Confirming Users Making Sensitive Account Changes
1821+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1822+
1823+ Some changes to account data: user passwords or email addresses are
1824+ particularly sensitive. The `OWASP Authentication`_ recommendations
1825+ include asking for a re-authentication or confirmation step when making
1826+ these changes. This can be easily implemented using an auditor.
1827+
1828+ Create a file in your detectors directory with the following
1829+ contents::
1830+
1831+ from roundup.cgi.exceptions import Reauth
1832+
1833+ def confirmid(db, cl, nodeid, newvalues):
1834+
1835+ if hasattr(db, 'reauth_done'):
1836+ # the user has confirmed their identity
1837+ return
1838+
1839+ # if the password or email are changing, require id confirmation
1840+ if 'password' in newvalues:
1841+ raise Reauth('Add an optional message to the user')
1842+
1843+ if 'address' in newvalues:
1844+ raise Reauth('Add an optional message to the user')
1845+
1846+ def init(db):
1847+ db.user.audit('set', confirmid, priority=110)
1848+
1849+ If a change is made to any user's password or address fields, the user
1850+ making the change will be shown a page where they have to enter an
1851+ identity verifier (by default the invoking user's account password).
1852+ If the verifier is successfully verified it will set the
1853+ ``reauth_done`` attribute on the db object and reprocess the change.
1854+
1855+ The default auditor priority is 100. This auditor is set to run
1856+ **after** most other auditors. This allows the user to correct any
1857+ failing information on the form before being asked to confirm their
1858+ identity. Once they confirm their identity the change is expected to
1859+ be committed without issue. See :ref:`Confirming the User` for
1860+ details on customizing the verification operation.
1861+
1862+ Also you could use an existing auditor and add::
1863+
1864+ if 'someproperty' in newvalues and not hasattr(db, 'reauth_done'):
1865+ raise Reauth('Need verification before changing someproperty')
1866+
1867+ at the end of the auditor (after all checks are done) to force user
1868+ verification. Just make sure you import Reauth at the top of the file.
1869+
1870+ .. _`OWASP Authentication`:
1871+ https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features
18181872
18191873Changes to the Web User Interface
18201874---------------------------------
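Review bot: the example auditor imports ``Reauth`` from ``roundup.cgi.exceptions``, but the prose around it only describes the web flow (the user "will be shown a page where they have to enter an identity verifier"); the section should say what happens when the same ``set`` auditor fires outside the CGI interface, for example from ``roundup-admin`` or the mail gateway, where no confirmation page can be shown and the raised ``Reauth`` will presumably abort the change. Two smaller points in the same hunk: the opening sentence "Some changes to account data: user passwords or email addresses are particularly sensitive" reads better as "Some changes to account data, such as user passwords or email addresses, are particularly sensitive", and the closing advice "Just make sure you import Reauth at the top of the file" would be clearer if it repeated the exact line, ``from roundup.cgi.exceptions import Reauth``. Also confirm that ``:ref:`Confirming the User``` resolves to an existing label; a title-based ``:ref:`` only works when such a label (or autosectionlabel) exists.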
@@ -2436,6 +2490,10 @@ The `reference document`_ also has examples:
24362490 <reference.html#extending-the-configuration-file>`_.
24372491* `Adding a new Permission <reference.html#adding-a-new-permission>`_
24382492
2493+ as does the design document:
2494+
2495+ * `detector examples <design.html#detector-example>`_
2496+
24392497Examples on the Wiki
24402498====================
24412499
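Review bot: the added connector "as does the design document:" starts in lower case and is separated from the preceding bullet list by a blank line, so it renders as a stand-alone fragment rather than a continuation of "The `reference document`_ also has examples:"; suggest a full sentence such as "The design document also has a worked detector example:" and capitalising the new item to match the existing list style, e.g. "* `Detector example <design.html#detector-example>`_".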