Is anyone using "must_change_password"?

While working on plone.login during the Midsummer Sprint, I came across "must_change_password". This is a member property that, if set, will prevent a user from doing anything within the site until they've changed their password. In theory this seems useful. We don't seem to be using it at all however. It doesn't exist as a default memberdata property and the tests for the feature all have to create it before attempting to test it.

Is anyone currently using this? Do we want to continue supporting it? Should it be exposed in the UI somewhere?
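To make the behaviour the post describes concrete, here is an added example that is not plone.login's or Plone's own code: a minimal member store with a must_change_password property, a request gate that lets a flagged user reach only the password-change form, and a change routine that clears the flag only after a successful change. The store, the path names and the PBKDF2 hashing are assumptions made for the example.

```python
"""Added example, not Plone code: how a must_change_password member property
can gate a session until the password is changed.

Assumptions (not plone.login's API): a dict-based member store, request paths
as plain strings, PBKDF2-SHA256 password hashing from the standard library.
"""
import hashlib
import hmac
import os

# Paths a flagged user may still reach; everything else is refused until the
# password is changed. Hypothetical names, not Plone view names.
ALLOWED_WHILE_FLAGGED = {"/change-password", "/logout"}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class MemberStore:
    def __init__(self):
        self._members = {}

    def add(self, userid, password, must_change_password=False):
        salt = os.urandom(16)
        self._members[userid] = {
            "salt": salt,
            "pw_hash": _hash(password, salt),
            # The property has to exist on the record (the thread notes the
            # tests must create it first), so it is set explicitly here.
            "must_change_password": must_change_password,
        }

    def get(self, userid):
        return self._members[userid]

    def check_password(self, userid, password):
        m = self._members[userid]
        return hmac.compare_digest(_hash(password, m["salt"]), m["pw_hash"])

    def flag(self, userid):
        """Administrative action: force a change at the user's next request."""
        self._members[userid]["must_change_password"] = True


def is_request_allowed(store, userid, path):
    """Gate every request: a flagged user can only reach the password form.

    A missing property is treated as False, so records created before the
    property existed are not locked out.
    """
    member = store.get(userid)
    if member.get("must_change_password", False):
        return path in ALLOWED_WHILE_FLAGGED
    return True


def change_password(store, userid, old_password, new_password):
    """Change the password and clear the flag only on success.

    Re-checking the old password means a stolen session alone cannot set a
    new password; rejecting a new password equal to the old one means the
    flag cannot be satisfied with a no-op change.
    """
    if not store.check_password(userid, old_password):
        return False
    if old_password == new_password:
        return False
    member = store.get(userid)
    member["salt"] = os.urandom(16)
    member["pw_hash"] = _hash(new_password, member["salt"])
    member["must_change_password"] = False
    return True
```

The gate belongs at the point where every authenticated request is dispatched, not only on the login form; otherwise a user who is already logged in when the flag is set keeps working until their next login.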

Yes, it seems to be useful; if nobody else responds, you should probably just open a new issue to leave it documented until someone needs it.

I would agree that it fits in with Plone's security message, that we should be able to require password changes.

The only plugin that I know that has similar functionality is https://pypi.python.org/pypi/collective.pwexpiry. But I've no idea how it implements it. It uses monkey patching in places, which is always a sign that some parts should be in the core.

This plugin is similar but doesn't deal with enforcing pw changes - https://github.com/collective/Products.LoginLockout. I did however recently make it Plone 5 compatible and introduce a new feature I was surprised was missing from Plone and its plugins: the ability to restrict logins to whitelisted IP ranges.
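The IP-range restriction mentioned above, as an added example that is not Products.LoginLockout's code: an allow list of CIDR ranges checked with the standard-library ipaddress module, including the check a practitioner needs behind a reverse proxy, where X-Forwarded-For is attacker-controlled unless the immediate peer is a trusted proxy. The header name, the trusted-proxy list and the fail-closed choices are assumptions made for the example.

```python
"""Added example, not Products.LoginLockout's code: restrict logins to
whitelisted IP ranges.

Assumptions: the allow list and the trusted-proxy list are CIDR strings; the
client address is the socket peer unless that peer is a trusted proxy, in
which case X-Forwarded-For is walked from the right to find the first hop
that is not a trusted proxy. Unknown or malformed addresses fail closed.
"""
import ipaddress


def parse_networks(cidrs):
    # strict=False accepts host bits set, e.g. "10.0.0.5/24".
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _in_any(addr, networks):
    # ipaddress returns False for a v4 address against a v6 network and vice
    # versa, so a mixed list needs no special casing.
    return any(addr in net for net in networks)


def client_address(peer_ip, headers, trusted_proxies):
    """Return the address to check, or None when it cannot be trusted."""
    peer = ipaddress.ip_address(peer_ip)
    proxies = parse_networks(trusted_proxies)
    if not _in_any(peer, proxies):
        # Direct connection: the header, if present, is attacker-supplied.
        return peer
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk from the right: proxies append, clients can only prepend, so the
    # right-most hop not belonging to a trusted proxy is the real client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed header: fail closed
        if not _in_any(addr, proxies):
            return addr
    return None  # only proxies in the chain, or no header: fail closed


def login_allowed(peer_ip, headers, allowlist_cidrs, trusted_proxies=()):
    """True when the effective client address is inside an allowed range."""
    addr = client_address(peer_ip, headers, trusted_proxies)
    if addr is None:
        return False
    return _in_any(addr, parse_networks(allowlist_cidrs))
```

The check should run before credentials are verified, so that a request from outside the allowed ranges never reaches the password check and cannot be used for online guessing.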
