Login - Force password change on first login

Is there a way that a web user must change their password when they log in the first time?

Revo 2.7.2
Login 1.9.7

Here’s an extra that looks useful, but might be outdated

https://modx.com/extras/package/forcedpasswdchange

In Modx it’s easy enough to guide a user through a password change (just have the login page send to the pw change page), but it would not require that to happen and the user could click out of it.

To force the change, I think you will need to tell Modx that the pw must be changed. Right now that’s on user creation, so I am thinking the best way is to put a token in your create user routine, we could assign a flag to the user upon creation, if this is the only function you need.

Then, you could have a checker in your template that would replace content with reset pw page if the flag is set, for all users, then they couldn’t run away and would have to reset to remove the flag…oh yeah and reset must remove the flag obvs

Will think about this.

Hi @mediengaarage,

I am also interested in this, as I don’t know how to do that.

Hi,

Easiest would be writing a plugin and attaching it to OnWebLogin and OnMODXInit.
You check if it is the first login, and if it is, then redirect the user to the password change page.
To check if it is the first login, you could define a user attribute “first_login” = 1 on registration, and change it only if the password has been changed and activated (afair it’s the useExtended option in the Register snippet).
Not too much of coding… and the user can’t click out.

I’ve done something similar but for the manager, where the password expires after X days, the password has to meet certain criteria (impossible with default modx validation) and the session expires after X minutes of inactivity (keyboard, ajax etc). The user is able to log in but can’t do anything (connectors included) unless the password is changed and activated. It is certainly doable without hacking core, and works just fine.

I’ve just undertaken this very task so figured I’d share my code here.

This is to use with the “Login” extra for front end use as opposed to Manager side use.

My solution specifically uses a snippet to check the ‘comments’ field of the User record for a statement indicating the password has been updated and if not, you can use the TPL to push people to the password update form. I’ve then added a hook to the password update form to set that string when the password has been updated.

Note that this solution assumes you’re not using the comments field for anything else. If you are you’ll need to find another place to store/retrieve this information.

Snippet: isPasswordReset
Returns 1 for ‘user has changed password’ and 0 for ‘user has never changed password’

```php
<?php
// Get current user and get their profile
$profile = null; // stays null if no user/profile is found
$currentUser = $modx->getUser();
if ($currentUser) {
    $profile = $currentUser->getOne('Profile');
}
if ($profile) {
    $comment = (string) $profile->get('comment');
    // Check for the existence of 'Password reset' in the profile comments field
    // Return 0 if the password hasn't been updated and return 1 if it has
    if (strpos($comment, 'Password reset') === false) {
        return 0;
    } else {
        return 1;
    }
}
// No profile found: return nothing, so the :is=`1` check fails
return;
```

This snippet can be used thus:

```
[[!isPasswordReset:is=`1`
  :then=`[[WhatUserCanDoWhenTheyAreAllGood]]`
  :else=`[[ALinkToYourPageThatIncludesYourChangePasswordForm]]`
]]
```

Then in your [[!ChangePassword]] snippet call, include the option &postHooks=`clearPasswordWarning`

Snippet: clearPasswordWarning
Sets the contents of the comments field to include a comment that the user has updated their password and when (in human readable form) so you can see that if you ever want to

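```php
<?php
// Get current user and get their profile
$profile = null; // stays null if no user/profile is found
$currentUser = $modx->getUser();
if ($currentUser) {
    $profile = $currentUser->getOne('Profile');
}
// Without a profile there is nothing to update (avoids calling set() on null)
if (!$profile) {
    return false;
}
// Set the comment that their password has been updated
$profile->set('comment', 'Password reset: ' . date('r'));
// Login hooks signal success by returning true; save() returns a boolean
return $profile->save();
```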
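
The plugin approach suggested earlier in the thread, combined with the comment-field marker from the last post, as an added example that is not code from any of the posters or from the Login extra. It enforces the check on every front-end request instead of in one template. Assumptions: the plugin name, the resource IDs 12 and 13, and the choice of the OnLoadWebDocument event (used here because the requested resource is already loaded at that point) are illustrative and not taken from the thread.

```php
<?php
/**
 * Plugin "forcePasswordChange" (hypothetical name), attached to OnLoadWebDocument.
 * Redirects logged-in web users whose profile comment lacks the
 * "Password reset" marker to the change-password resource.
 */
if ($modx->event->name !== 'OnLoadWebDocument') {
    return;
}

// Assumption: placeholder resource IDs, replace with your own.
$changePasswordId = 12;                      // resource containing [[!ChangePassword]]
$allowedIds = array($changePasswordId, 13);  // 13 = login/logout resource

$ctx = $modx->context->get('key');

// Anonymous visitors are not affected.
if (!$modx->user || !$modx->user->isAuthenticated($ctx)) {
    return;
}

// Pages needed to complete the change stay reachable (avoids a redirect loop).
if (in_array((int) $modx->resource->get('id'), $allowedIds, true)) {
    return;
}

$profile = $modx->user->getOne('Profile');
// Fail closed: a missing profile is treated as "password not yet changed".
$comment = $profile ? (string) $profile->get('comment') : '';

if (strpos($comment, 'Password reset') === false) {
    // Marker absent: send the user to the change-password form.
    $modx->sendRedirect($modx->makeUrl($changePasswordId, $ctx, '', 'full'));
}
return;
```

Because the redirect happens before any resource is rendered, a user without the marker cannot browse to other pages by typing their URLs; the `clearPasswordWarning` post hook above still has to set the marker for the redirect to stop.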