Existing users can set passwords that do not comply with the policy

Created on 7 June 2024, 7 months ago
Updated 6 August 2024, 5 months ago

Problem/Motivation

Apologies in advance if this is a duplicate or expected behaviour.

As far as I can see, existing users are able to set passwords that do not comply with the password policy.

After installing the password_policy module, new users are forced to comply, but an existing user changing their password is not.

Steps to reproduce

Install Drupal 10.2.5

Create a user with a simple password

Install password_policy 4.0.1

with:

- Password Character Length Policy
- Password Character Types Policy
- Password Characters of Type Policy

Create a password policy with minimum length 8, 3 character types etc.

Edit the user created before enabling password_policy.

Set a new password that fails the policy, like 'pass'

Save, and see the password being accepted.

Then try logging in as that user and changing the password to something else, like 'word'

See that being accepted too, even though the table shows that the password fails on multiple counts.

Are we missing a step to initialise existing user accounts in some way?

Many thanks,

Finn

🐛 Bug report
Status

Closed: works as designed

Version

4.0

Component

Code

Created by

🇬🇧United Kingdom Finn Lewis


Comments & Activities

  • Issue created by @Finn Lewis
  • Status changed to Needs review 5 months ago
  • 🇮🇳India vinai_katiyar Delhi NCR

    Hello @Finn Lewis,

    I tried to reproduce the issue using the steps you mentioned, but for existing users I am getting password errors if I do not enter a password as per the Password Policy.

    Kindly refer to the attached screenshots. It might help you to fix the issue.

  • 🇮🇳India vishalkhode

    Hi @Finn Lewis,

    I'm also not able to reproduce the issue. Can you re-validate again and also verify whether you've selected Roles when configuring the Password policy and whether the user who's changing the password has the same role?

  • 🇬🇧United Kingdom Finn Lewis

    Hi folks,

    Thank you and sorry not to respond sooner. I think we traced this down to a conflict with another module.

    I will check and report back.

  • Status changed to Closed: works as designed 5 months ago
  • 🇬🇧United Kingdom Finn Lewis

    Ah yes, see https://www.drupal.org/project/hide_revision_field/issues/3462079#commen... 🐛 Use of $form['actions']['submit']['#validate'] ? Active

    It seems perhaps like hide_revision_field overwrites the validation.

    I'll close this and follow up there.

    Thanks again!
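
The behaviour the last comment points at, as an added example that is not code from password_policy, hide_revision_field or Drupal core: in Drupal's Form API, a `#validate` list set on the triggering button is used instead of the form-level `$form['#validate']` list, not in addition to it. The dispatcher and handler names below are hypothetical, and it is an assumption that the policy check is registered at form level.

```php
<?php
// Simplified stand-alone model of Form API validate-handler selection
// (not Drupal core code): handlers on the triggering button replace the
// form-level $form['#validate'] list instead of being added to it.
function select_validate_handlers(array $form, array $button): array {
  return !empty($button['#validate']) ? $button['#validate'] : ($form['#validate'] ?? []);
}

// Hypothetical stand-in for a policy check registered at form level (assumption).
function policy_validate(array $values, array &$errors): void {
  if (strlen($values['pass']) < 8) {
    $errors[] = 'Password must be at least 8 characters.';
  }
}

// Hypothetical stand-in for an unrelated module's own validator.
function other_module_validate(array $values, array &$errors): void {}

// Runs whichever handler list is selected for the submit button.
function run_validation(array $form, array $values): array {
  $errors = [];
  foreach (select_validate_handlers($form, $form['actions']['submit']) as $handler) {
    $handler($values, $errors);
  }
  return $errors;
}

// Constructed form: policy handler at form level, plain submit button.
$base = ['#validate' => ['policy_validate'], 'actions' => ['submit' => []]];

// Pattern A: a form alter sets button-level #validate. The policy check is skipped.
$a = $base;
$a['actions']['submit']['#validate'][] = 'other_module_validate';

// Pattern B: the form alter appends to the form-level list. The policy check still runs.
$b = $base;
$b['#validate'][] = 'other_module_validate';

// Pattern C: button-level handlers are needed, so the form-level ones are carried along.
$c = $base;
$c['actions']['submit']['#validate'] = array_merge($c['#validate'], ['other_module_validate']);

// Constructed input: the short password from the reproduction steps.
foreach (['A' => $a, 'B' => $b, 'C' => $c] as $name => $form) {
  $errors = run_validation($form, ['pass' => 'word']);
  printf("%s: %s\n", $name, $errors ? implode(' ', $errors) : 'accepted');
}
```

When a policy module appears to stop enforcing, searching contributed and custom form alters for assignments to `['actions']['submit']['#validate']` on the user form is a quick way to find pattern A.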
