In function password_policy_constraint_history_validate($password, $constraint, $account) the $account object is modified, which causes some problems when we use password_policy_validate on custom forms. In my case I am using the Password Reset Landing Page (PRLP) module and I am adding password_policy_password_validate() to user_reset_form, and since password_policy_constraint_history_validate alters the $account object, it causes the PRLP module to fail. So I patched the code as follows to restore the original password.

function password_policy_constraint_history_validate($password, $constraint, $account) {
  require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
  $old_passwords = _password_policy_constraint_history_old_passwords($constraint, $account->uid);

  // Store the original password hash.
  $org_pass = $account->pass;

  foreach ($old_passwords as $pw) {
    $account->pass = $pw;
    if (user_check_password($password, $account)) {
      // Restore the original password hash before returning.
      $account->pass = $org_pass;
      return FALSE;
    }
  }

  // Restore the original password hash.
  $account->pass = $org_pass;

  return TRUE;
}

Comments

msmani’s picture

Title: For constraint validation $account is passed as reference » In history constraint validation $account object is modified
AohRveTPV’s picture

Version: 7.x-1.11 » 7.x-1.x-dev
Category: Task » Bug report
Status: Active » Needs review

Thanks for the problem report and patch. I view this as a bug.

It might be better to just create a temporary account object that can be modified. It adds only one line of code versus three, and avoids the duplicate $account->pass = $org_pass; lines. Any problems with this patch?

Status: Needs review » Needs work

AohRveTPV’s picture

Status: Needs work » Needs review

Forgot to push a commit before posting patch.

AohRveTPV’s picture

It seems like constraint validation should not even be able to modify the account object. Maybe we should be duplicating the object or changing it to an array before passing it to validate(). Not sure of the performance implications of either of those changes.
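
The two comments above (a temporary account object, and validation that should not be able to touch the caller's object) can be reproduced outside Drupal. This is an added example, not code from the module or the committed patch; check_password() is a hypothetical stand-in for user_check_password(), the sample account and hashes are constructed, and using clone for the temporary object is an assumption.

```php
<?php
// Added example: stand-alone, no Drupal bootstrap required (PHP 5.5+).
// check_password() is a hypothetical stand-in for user_check_password().
function check_password($password, $account) {
  return password_verify($password, $account->pass);
}

// Mutating variant: the loop from the issue without the restore lines.
function history_validate_mutating($password, array $old_hashes, $account) {
  foreach ($old_hashes as $hash) {
    $account->pass = $hash; // Overwrites the caller's object (object handle).
    if (check_password($password, $account)) {
      return FALSE;
    }
  }
  return TRUE;
}

// Temporary-object variant: only the copy is ever modified.
function history_validate_clone($password, array $old_hashes, $account) {
  $tmp = clone $account; // Shallow copy is enough, pass is a plain string.
  foreach ($old_hashes as $hash) {
    $tmp->pass = $hash;
    if (check_password($password, $tmp)) {
      return FALSE;
    }
  }
  return TRUE;
}

// Constructed sample data: two historical hashes and a current one.
$old_hashes = array(
  password_hash('Winter2014!', PASSWORD_DEFAULT),
  password_hash('Spring2015!', PASSWORD_DEFAULT),
);
$account = new stdClass();
$account->uid = 42;
$account->pass = password_hash('Current-Secret', PASSWORD_DEFAULT);
$original = $account->pass;

foreach (array('history_validate_mutating', 'history_validate_clone') as $fn) {
  $account->pass = $original; // Reset between runs.
  $ok = $fn('Brand-New-Pass', $old_hashes, $account);
  printf("%-26s valid=%s account->pass intact=%s\n", $fn,
    var_export($ok, TRUE), var_export($account->pass === $original, TRUE));
}
```

Both variants accept the new password, but after the mutating one the caller's $account->pass holds the last history hash instead of the current one, so any later code in the same request that reads it sees stale data.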

  • AohRveTPV committed bfe94a7 on 7.x-1.x
    Issue #2490548 by AohRveTPV: In history constraint validation $account...
AohRveTPV’s picture

Status: Needs review » Fixed

Committed #4 because it seems like a straightforward fix, and there have been four weeks of opportunity for review/testing.

AohRveTPV’s picture

Version: 7.x-1.x-dev » 6.x-1.x-dev
Status: Fixed » Patch (to be ported)
AohRveTPV’s picture

Status: Patch (to be ported) » Fixed

Confirmed 6.x-1.x does not have this bug.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.