When registering or editing a user, if you enter 0
in the password field, you'll get a form error Password field is required.
Although '0' is a terrible password, it should be valid input as far as this form is concerned, so the error is wrong.
If you created the user with password '0', you can't log in with that user.
Beta phase evaluation
Issue category | Bug because the form error is wrong. |
---|---|
Issue priority | Normal, because 0 is the worst password in the world. |
Prioritized changes | The main goal of this issue is to fix a bug—a confusing form error. |
Comment | File | Size | Author |
---|---|---|---|
#29 | 2563751-29.patch | 4.86 KB | pietmarcus |
#23 | Error in Login: Before patch.jpg | 77.02 KB | NikitaJain |
#23 | Edit account set password '0' : Before patch.jpg | 95.37 KB | NikitaJain |
#23 | Create new account: Before Patch.jpg | 81.28 KB | NikitaJain |
#23 | My Account.png | 117.39 KB | NikitaJain |
Comments
Comment #2
rocketeerbkw CreditAttribution: rocketeerbkw commentedThis is because
\Drupal\Core\Render\Element\PasswordConfirm
usesempty()
which treats0
as falsey.I changed it to
strlen() > 0
.Comment #3
cilefen CreditAttribution: cilefen commentedI added a test.
Comment #4
cilefen CreditAttribution: cilefen commentedComment #6
cilefen CreditAttribution: cilefen commentedComment #7
rocketeerbkw CreditAttribution: rocketeerbkw commentedRemoving myself so anyone can feel free to take on the novice part.
Comment #8
cilefen CreditAttribution: cilefen commentedThe novice task is to offer a review.
I wonder if the zeros in the form steps should be quoted as strings.
Comment #9
ieguskiza CreditAttribution: ieguskiza commentedComment #10
ieguskiza CreditAttribution: ieguskiza as a volunteer commentedComment #11
ieguskiza CreditAttribution: ieguskiza as a volunteer commentedHi,
revised both patches on a fresh D8 install:
- Confirmed that fail test actually fails.
- Confirmed that the test after applying the patch passes correctly.
Apt to be labeled as RTBC
Regards,
Imanol
Comment #12
ieguskiza CreditAttribution: ieguskiza as a volunteer commentedComment #13
Anonymous (not verified) CreditAttribution: Anonymous at XIO commentedThe patch looks good, and manually testing revealed that I'm able to create a user with password 0. However, I'm not able to log-in. So back to needs work to investigate that.
As for #8, I'm not sure, but I'd think you should add the quotes.
Comment #14
borisson_You can now log in with that user.
UserAuth
also usedempty($password)
, changed that tostrlen
as well.Comment #15
borisson_Added a test for
UserAuth
to prevent regressions.Comment #16
Anonymous (not verified) CreditAttribution: Anonymous at XIO commentedI manually verified that creating a user with password 0 is allowed, and that such a user can login.
The tests seem good to me, we have a beta eval and IS is up to date. So RTBC.
Comment #17
rocketeerbkw CreditAttribution: rocketeerbkw commentedThe "current password" on edit user form also errors on 0. I'm working on a patch for that too.
Comment #18
rocketeerbkw CreditAttribution: rocketeerbkw commentedI fixed the "Current password" AND pass/confirm pass fields on edit user page but it needs tests for both those scenarios.
Comment #19
borisson_Added a test for the pass/confirm fields on user edit.
Comment #20
NikitaJain CreditAttribution: NikitaJain commentedTested this patch password_field_errors-2563751-19.patch. It works fine. Manually verified that I am able to create a user with password 0 and able to login with same password after applying the patch. Screenshots attached.
Comment #22
borisson_I don't think the failures in #19 are related to this issue, They're all installer related and this doesn't touch Installer code.
I uploaded the patch from #19 again here. If this passes I think it can go back to RTBC (per #20)
Comment #23
NikitaJain CreditAttribution: NikitaJain commentedTested password_field_errors-2563751-19_0.patch on Firefox and chrome for Ubuntu 14.04. It works fine. Manually verified that creating a user with password '0' is allowed and user can able to login successfully with same password after applying the patch.
Screenshots attached.
Comment #24
alexpottThis is a funny issue and obviously no one should have a password of 0 but 0 is just as valid as 1. Committed fb8e894 and pushed to 8.0.x. Thanks!
Comment #26
cilefen CreditAttribution: cilefen commentedComment #28
pietmarcus CreditAttribution: pietmarcus as a volunteer commentedI'll backport this issue to drupal 7.
Comment #29
pietmarcus CreditAttribution: pietmarcus as a volunteer commentedManaged to port it to Drupal 7. Automatic and manual tests all worked. Please review!
Comment #30
Revathi.B CreditAttribution: Revathi.B commentedTested 2563751-29.patch.It works great.thanks for the patch.
Comment #31
Revathi.B CreditAttribution: Revathi.B commentedHi pietmarcus,
Your patch works great as per our need.
Comment #32
Pradnya Pingat CreditAttribution: Pradnya Pingat commentedworked fine.
Comment #33
Pradnya Pingat CreditAttribution: Pradnya Pingat commentedComment #34
Pradnya Pingat CreditAttribution: Pradnya Pingat commentedComment #35
Fabianx CreditAttribution: Fabianx as a volunteer and at Tag1 Consulting commentedThere is a lot of mismatch of using trim() + strlen() and only using strlen(), but D8 has the same and sync of code is more important to me.
I think we make it impossible to use " " as password now. But I think empty was empty before, so its not a regression and " " might indeed be considered as fill out the password field ...
Marked for commit.
Comment #36
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedYeah, at least when you create a user account via the UI a password of " " seems like it's blocked already, so I think that's OK. And if we're wrong and this issue results in blocking the ability of someone who actually has a password of " " from logging in, that's not a bad thing since they really should change their password anyway :)
I removed the following on commit, since we don't reference issues like that unless there's a very specific reason to do so (I realize the Drupal 8 tests have this too, but it's only a code comment change and can be removed in Drupal 8 later if desired):