
10-23-2018 03:48 PM
Hello,
I am trying to craft an onChange client script to validate the password strength of passwords entered directly on the user records (sys_user) by admins (not via the Password Reset functionality). My client script is partially functional as the alert is being presented when the validation condition is not met. However, the client script is not preventing the record from being saved or updated.
The script seems to work when tested using only the Save button OR only the Update button. However, if you click Save, receive the alert that the password is too weak, click OK, then click Update, you can bypass the validation. Same applies if you use the Update button first, fail the validation, then immediately click the Save button.
Table: sys_user
UI type: desktop
Type: onChange
Field name: Password

    function onChange(control, oldValue, newValue, isLoading, isTemplate) {
        if (isLoading || newValue === '') {
            return;
        }
        //AVB script to require strong passwords
        var user_password = g_form.getValue('user_password');
        var digit_pattern = new RegExp('[0-9]', 'g');
        var upper_pattern = new RegExp('[A-Z]', 'g');
        var lower_pattern = new RegExp('[a-z]', 'g');
        var special_pattern = new RegExp("[,!@#\$%\^&\*\(\);\\\/\|<>'\"\.\:]", "g");
        var rules = 'Password must be at least 8 characters long and contain a digit, an uppercase letter, a lowercase letter, and a special character.';
        //check password strength
        if ((user_password.length < 8) || (!digit_pattern.test(user_password)) || (!upper_pattern.test(user_password)) || (!lower_pattern.test(user_password)) || (!special_pattern.test(user_password))) {
            alert(getMessage('PASSWORD IS TOO WEAK: ' + rules));
            return false;
        }
        alert(getMessage('Password is strong enough'));
    }

10-30-2018 01:06 PM
As we talked, try this:

    function onSubmit() {
        //AVB script to require strong passwords
        var rules = 'Password must be at least 8 characters long and contain a digit, an uppercase letter, a lowercase letter, and a special character.';
        var user_password = g_form.getValue('user_password');
        if (g_form.isNewRecord() || user_password != '') {
            //check password length
            if (user_password.length < 8) {
                alert(getMessage('TOO SHORT: ') + rules);
                return false;
            }
            //check password for digit
            var digit_pattern = new RegExp('[0-9]', 'g');
            if (!digit_pattern.test(user_password)) {
                alert(getMessage('DIGIT MISSING: ' + rules));
                return false;
            }
            //check password for uppercase
            var upper_pattern = new RegExp('[A-Z]', 'g');
            if (!upper_pattern.test(user_password)) {
                alert(getMessage('UPPERCASE MISSING: ' + rules));
                return false;
            }
            //check password lowercase
            var lower_pattern = new RegExp('[a-z]', 'g');
            if (!lower_pattern.test(user_password)) {
                alert(getMessage('LOWERCASE MISSING: ' + rules));
                return false;
            }
            //check password for special
            var special_pattern = new RegExp("[,!@#\$%\^&\*\(\);\\\/\|<>'\"\.\:]", "g");
            if (!special_pattern.test(user_password)) {
                alert(getMessage('SPECIAL CHARACTER MISSING: ' + rules));
                return false;
            }
            else {
                alert(getMessage('Password saved'));
            }
        }
    }

10-24-2018 10:38 AM
So why haven't you done what I've suggested? An 'onChange' script and an 'onSubmit' script is exactly what you need. Both doing the exact same validations, just at different times.

10-24-2018 12:02 PM
Hi Mark,
I did try adding an 'onSubmit' script as suggested. Doing so prevented the record from being saved if the password was not strong enough whenever ANY field changed on the form. However, my requirement is to validate the strength of the password only when these two specific scenarios are presented:
1.) Upon new user creation in the client user form
2.) When the password field is updated for an existing user
We do not want to force the password to be validated (and changed) when fields other than the password change (e.g., title, department, mobile phone, etc.). This is my current obstacle.
Please let me know if I am not explaining this well.
Thanks,
Cyndi

10-24-2018 12:20 PM
I think what you're missing is that's exactly what this does! Just take out the 'alert' line at the end and the check can run every time, but be completely transparent to the user unless the password is messed up. There's no reason to alert users when the password is changed successfully. You only need to catch it when there's a problem. Remove the following line and you're golden.

    alert(getMessage('Password saved'));

10-29-2018 06:01 PM
Hi Mark,
Thank you for your help to date. I really appreciate the assistance. However, I do not know how to further clarify our need to ONLY validate the strength of a user's password when the password field is changed - not when any field on the user form changes. There are valid business scenarios where we do not want or need to enforce password validation when fields such as the title, department, etc. change on the user form.
Below is a scenario that I hope will paint a clearer picture of a scenario when we would not want to enforce validation on the password field.
Scenario: User who authenticates via multi-provider SSO
- Password is NULL before any edits
- The actual user or a user admin updates a field on the user's record (e.g., mobile phone, department, etc.)
- The password field should NOT be validated onSubmit because the ServiceNow password is not being used in our SSO implementation. It should be allowed to be null.
I just need to figure out the right condition (along with syntax) to add to the onSubmit client script so the script evaluates if the password field was changed.
Does this example provide you with additional clarity?
Cyndi

10-29-2018 08:31 PM
I see. .changed is the correct way to do this but if that's causing a conflict maybe you could consider just checking some combination of the field being null and an indicator of whether or not they're using SSO or a local login?
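
The requirement discussed in this thread (validate on new users and on password edits only, with Save and Update hitting the same check) can be sketched as below. This is an added example, not code from any participant in the thread: `makeHandlers`, `passwordFailures` and `passwordTouched` are hypothetical names, and the `form` object is a constructed stand-in for `g_form` so the logic runs outside ServiceNow.

```javascript
// Added example. makeHandlers, passwordFailures and passwordTouched are
// hypothetical names; `form` stands in for g_form and `notify` for alert.
var RULES = [
    ['TOO SHORT', function (p) { return p.length >= 8; }],
    ['DIGIT MISSING', function (p) { return /[0-9]/.test(p); }],
    ['UPPERCASE MISSING', function (p) { return /[A-Z]/.test(p); }],
    ['LOWERCASE MISSING', function (p) { return /[a-z]/.test(p); }],
    ['SPECIAL CHARACTER MISSING', function (p) { return /[,!@#$%^&*();\/|<>'".:]/.test(p); }]
];

// Names of every rule the password fails; an empty array means it passes.
function passwordFailures(password) {
    return RULES.filter(function (r) { return !r[1](password); })
                .map(function (r) { return r[0]; });
}

// One flag shared by both handlers, so Save and Update hit the same gate.
function makeHandlers(form, notify) {
    var passwordTouched = false;
    function check() {
        var failed = passwordFailures(form.getValue('user_password'));
        if (failed.length) { notify(failed.join(', ')); }
        return failed.length === 0;
    }
    return {
        onChange: function (control, oldValue, newValue, isLoading) {
            if (isLoading) { return; }
            passwordTouched = newValue !== '';  // cleared field counts as untouched
            if (passwordTouched) { check(); }   // early feedback only
        },
        onSubmit: function () {
            // Skip validation when only other fields (title, department, ...) changed.
            if (!form.isNewRecord() && !passwordTouched) { return true; }
            return check();                     // false blocks the submit
        }
    };
}

// Constructed stand-in for g_form: an existing SSO user with an empty password.
function demo() {
    var value = '', alerts = [];
    var form = { getValue: function () { return value; }, isNewRecord: function () { return false; } };
    var h = makeHandlers(form, function (m) { alerts.push(m); });
    var results = [h.onSubmit()];               // department edit only -> allowed
    value = 'weak'; h.onChange(null, '', value, false);
    results.push(h.onSubmit(), h.onSubmit());   // Save then Update -> both blocked
    value = 'Str0ng!pass'; h.onChange(null, 'weak', value, false);
    results.push(h.onSubmit());                 // strong password -> allowed
    return { results: results, alerts: alerts };
}
console.log(demo());
```

How the flag is shared between two separate client scripts on a real instance is an assumption here and depends on how the scripts are scoped. Client scripts run only in the browser form, so other write paths to sys_user are not covered by this check.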