mod_admin_identity

Provides identity management in the admin - for example the storage of usernames and passwords.

It provides a user interface where you can create new users for the admin system. There is also an option to send these new users an e-mail with their password.

Create new users

See the User management chapter in the User Guide for more information about the user management interface.

Configure new user category

To configure the category that new users will be placed in, set the mod_admin_identity.new_user_category configuration parameter to that category’s unique name.

Password Complexity Rules

By default Zotonic only enforces that your password is not blank. However, if you, your clients or your business require the enforcement of Password Complexity Rules Zotonic provides it.

Configuring Password Rules

After logging into the administration interface of your site, go to the Config section and click Make a new config setting. In the dialog box, enter mod_admin_identity for Module, password_regex for Key and your password rule regular expression for Value.

After saving, your password complexity rule will now be enforced on all future password changes.

Advice on Building a Password Regular Expression

A typical password_regex should start with ^.* and end with .*$. This allows everything by default and allows you to assert typical password rules like:

  • must be at least 8 characters long (?=.{8,})
  • must have at least one number (?=.*[0-9])
  • must have at least one lower-case letter (?=.*[a-z])
  • must have at least one upper-case letter (?=.*[A-Z])
  • must have at least one special character (?=.*[@#$%^&+=])

Putting those rules all together gives the following password_regex:

^.*(?=.{8,})(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$

To understand the mechanics behind this regular expression see Password validation with regular expressions.

Migrating from an older password hashing scheme

When you migrate a legacy system to Zotonic, you might not want your users to re-enter their password before they can log in again.

By implementing the identity_password_match notification, you can have your legacy passwords stored in a custom hashed format, and notify the system that it needs to re-hash the password to the Zotonic-native format. The notification has the following fields:

-record(identity_password_match, {rsc_id, password, hash}).

Your migration script might have set the username_pw identity with a marker tuple which contains a password in MD5 format:

m_identity:set_by_type(AccountId, username_pw, Email, {hash, md5, MD5Password}, Context),

Now, in Zotonic when you want users to log on using this MD5 stored password, you implement identity_password_match and do the md5 check like this:

observe_identity_password_match(#identity_password_match{password=Password, hash={hash, md5, Hash}}, _Context) ->
  case binary_to_list(erlang:md5(Password)) =:= z_utils:hex_decode(Hash) of
      true ->
          {ok, rehash};
      false ->
          {error, password}
  end;
observe_identity_password_match(#identity_password_match{}, _Context) ->
  undefined. %% fall through

This checks the password against the old MD5 format. The {ok, rehash} return value indicates that the user’s password hash will be updated by Zotonic, and as such, this method is only called once per user, as the next time the password is stored using Zotonic’s internal hashing scheme.

Edit on GitHub

Models

m_admin_identity

Not yet documented.

Dispatch rules

admin_dispatch

Dispatch rules Name Path Resource Args admin_user [“admin”,”users”] controller_admin [{template,”admin_users.tpl”}

Filters

normalize_email

Normalize an email address, used in the identity management.

Actions

delete_username

Delete the username from a user, no confirmation.

dialog_delete_username

Open a dialog to confirm the deletion of the username of a user.

dialog_set_username_password

Show a dialog for setting a username / password on the given resource (which is usually a person).

dialog_user_add

Show a dialog for adding a user. This creates a person resource and adds a username / password to it.

Validators

email_unique

Check if an entered e-mail address is unique, by looking in the m_identity table for the email key:

username_unique

Check if an entered username is unique, by looking in the m_identity table for the given username:

See also

User management

Create new users In the admin, under ‘Auth’ > ‘Users’ you can find a list of all users. Use the ‘Make a new user’…

Referred by

All dispatch rules

All the dispatch rules from all modules. For a background on dispatch rules, see The URL dispatch system.