Contrib.social

Password policy doesn't work when updating the user

Open on Drupal.org β†’
Created on 12 March 2015, over 9 years ago
Updated 30 April 2024, about 2 months ago

The password validation and updating the password history only works for a form submit, because it has registered it as form handlers. This means that when a user password gets updated via a different channel (cron, web service, etc.), which triggers the user update hook, the password policy doesn't work.

This is a critical bug in our system, because it allows users to circumvent the password policy in certain scenarios! Could you please fix this and move the validation and update logic into the user update hook?

✨ Feature request
Status

Needs work

Version

4.0

Component

Code

Created by

πŸ‡¬πŸ‡§United Kingdom dustinmoris

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment 3 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States Kristen Pol Santa Cruz, CA, USA

    Thanks to everyone for your work on this issue.

    As the 8.x is no longer supported, I'm postponing this issue for now and need feedback as to whether or not this change is relevant to 4.0.x. If it is, please reopen and change the version and reroll the patch if necessary. If it's not, please closed as "won't fix".

    If there is no response to this in a month addressing the above, it can be closed as "won't fix".

  • Assigned to tcrawford
  • Status changed to Needs work 2 months ago
  • Comment 2 months ago β†’
    πŸ‡¨πŸ‡­Switzerland tcrawford

    I am re-opening this as it is IMHO still relevant for 4.0.x. I will create an MR (based on the last patch #30) shortly.

  • Merge request !78Issue 2451159: Add a constraint to validate the password (based on patch #30). β†’ (Open) created by tcrawford
  • Pipeline finished with Failed
    2 months ago
    Total: 177s
    #151078
  • Pipeline finished with Failed
    2 months ago
    Total: 209s
    #151131
  • Pipeline finished with Failed
    2 months ago
    Total: 240s
    #151135
  • Pipeline finished with Success
    2 months ago
    Total: 208s
    #151141
  • Comment 2 months ago β†’
    πŸ‡¨πŸ‡­Switzerland tcrawford

    The tests are passing based on the prior patch (#30) now that I have applied it properly against 4.0.x. cspell/eslint/phpcs/phpstan are failing. However, if I am not mistaken, these appear mostly to be pre-existing code style issues and should therefore likely be fixed in another issue (e.g. Fix the issues reported by phpcs πŸ“Œ Fix the issues reported by phpcs Needs review ).

  • Issue was unassigned.
  • Status changed to Needs review 2 months ago
  • Open on Drupal.org β†’
    Core: 10.2.1 + Environment: PHP 7.4 & MySQL 5.7
    last update 2 months ago
    Waiting for branch to pass
  • Open on Drupal.org β†’
    Core: 10.2.1 + Environment: PHP 7.4 & MySQL 5.7
    last update 2 months ago
    Waiting for branch to pass
  • Comment 2 months ago β†’
    πŸ‡¨πŸ‡­Switzerland tcrawford
  • Status changed to Needs work 2 months ago
  • Comment 2 months ago β†’
    πŸ‡¨πŸ‡­Switzerland tcrawford

    The PasswordPolicyConstraintValidator coming from patch #30 would appear to have an off by one error as it only adds violations if there are more than 1 rather than more than 0. I have just pushed a commit to fix this. Test coverage must need to be expanded though as this was not captured by testing. Therefore, I am setting this issue back to 'needs work'.

  • Pipeline finished with Success
    2 months ago
    Total: 248s
    #153217
  • Comment 2 months ago β†’
    πŸ‡¨πŸ‡­Switzerland tcrawford

    I am also getting a type error when registering a new user as the password is null when registering a new user (until it is set subsequently upon email confirmation).

    ```

    The website encountered an unexpected error. Try again later.

    TypeError: Drupal\password_policy\PasswordPolicyValidator::validatePasswordPolicyConstraints(): Argument #1 ($password) must be of type string, null given, called in /app/docroot/modules/contrib/password_policy/src/Plugin/Validation/Constraint/PasswordPolicyConstraintValidator.php on line 88 in Drupal\password_policy\PasswordPolicyValidator->validatePasswordPolicyConstraints() (line 127 of modules/contrib/password_policy/src/PasswordPolicyValidator.php).

    Drupal\password_policy\Plugin\Validation\Constraint\PasswordPolicyConstraintValidator->validate(Object, Object) (Line: 202)
    Drupal\Core\TypedData\Validation\RecursiveContextualValidator->validateConstraints(Object, '00000000000014ef0000000000000000', Array) (Line: 154)
    Drupal\Core\TypedData\Validation\RecursiveContextualValidator->validateNode(Object) (Line: 164)
    Drupal\Core\TypedData\Validation\RecursiveContextualValidator->validateNode(Object, Array, 1) (Line: 106)
    Drupal\Core\TypedData\Validation\RecursiveContextualValidator->validate(Object, NULL, NULL) (Line: 93)
    ...

  • Comment 2 months ago β†’
    πŸ‡¨πŸ‡­Switzerland tcrawford

    I have pushed a fix for the above type error to MR !78, but I am leaving the issue in the status of 'needs work' as test coverage is needed.

  • Pipeline finished with Success
    2 months ago
    Total: 185s
    #153305
  • Comment 2 months ago β†’
    πŸ‡¨πŸ‡­Switzerland tcrawford

    There is also an issue whereby the PasswordPolicyConstraintValidator does not trigger validation properly (where an existing password was not set) as getValue() returns an array.

        // Special case for the password, it being empty means that the existing
    // password should not be changed, ignore empty password fields.
    if ($userUnchanged && !empty($pass)) {
      // Compare the values of the field this is being validated on.
      $triggerValidation = $pass !== $userUnchanged->get('pass')->getValue() && !$user->checkExistingPassword($userUnchanged);
    }

    Pushing a fix for this shortly.

  • Pipeline finished with Success
    2 months ago
    Total: 214s
    #153368
  • Comment 2 months ago β†’
    πŸ‡¨πŸ‡­Switzerland tcrawford

    Now that we correctly check whether the password has changed, the validation is not triggering when there is an existing password present. It is not clear why we should only trigger validation if the existing password is not correct valid.

        // password should not be changed, ignore empty password fields.
    if ($userUnchanged && !empty($pass)) {
      // Compare the values of the field this is being validated on.
      $triggerValidation = $pass != $userUnchanged->get('pass')->getValue() && !$user->checkExistingPassword($userUnchanged);
      $triggerValidation = $pass !== $userUnchanged->get('pass')->value && !$user->checkExistingPassword($userUnchanged);
    }
  • Pipeline finished with Failed
    2 months ago
    Total: 246s
    #153412
  • Pipeline finished with Failed
    2 months ago
    Total: 188s
    #153428
  • Pipeline finished with Success
    2 months ago
    Total: 187s
    #153598
  • Pipeline finished with Success
    2 months ago
    Total: 246s
    #153651
  • Status changed to Needs review 2 months ago
  • Comment 2 months ago β†’
    πŸ‡¨πŸ‡­Switzerland tcrawford

    After fixing the issues I found, I have fixed the failing Kernel test and added some test coverage of the constraint validator. Therefore, I am moving this issue to 'Needs review'. Thanks in advance for a review.

  • Pipeline finished with Success
    2 months ago
    Total: 187s
    #153657
  • Pipeline finished with Success
    2 months ago
    Total: 189s
    #153658
  • Status changed to Needs work about 2 months ago
  • Comment about 2 months ago β†’
    πŸ‡¨πŸ‡­Switzerland tcrawford

    Thank you for the review @czigor. I will work through your feedback as time permits. I am leaving the issue unassigned until I have capacity.

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024