Password policy bypass for admin not working

Created on 14 June 2024, 6 months ago

Problem/Motivation

As an administrator one can bypass the password policy when creating a new user. However, when saving the user with a password not matching the current policy, an error is thrown:

Drupal\Core\Entity\EntityStorageException: The password must satisfy the following password policy rules:<div class="item-list"><ul><li class="password-policy-invalid-rule marker">Must be at least 8 characters long.</li><li class="password-policy-valid-rule">Must contain at least 1 lowercase character.</li><li class="password-policy-invalid-rule marker">Must contain at least 1 uppercase character.</li><li class="password-policy-invalid-rule marker">Must contain at least 1 special character.</li><li class="password-policy-invalid-rule marker">Must contain at least 1 numeric character.</li></ul></div> in Drupal\Core\Entity\Sql\SqlContentEntityStorage->save() (line 817 of /mnt/cephfs/sites/d/dealerhenkel/henkelman-portal/releases/77/web/core/lib/Drupal/Core/Entity/Sql/SqlContentEntityStorage.php).

Steps to reproduce

  • Install module and enable a policy
  • Create a new user (logged in as admin), using a password not matching the policy

Proposed resolution

Make sure the bypass works

๐Ÿ› Bug report
Status

Active

Version

1.0

Component

Code

Created by


Comments & Activities

  • Issue created by @lukelathouwers
  • I created a new user while logged in as admin and not matching the password policy but did not get any errors, so it is working fine for me

  • 🇧🇪 Belgium kriboogh

    The exception bug is fixed (other issue).

    I also added an extra note in the module's readme on how the "bypass password policy" is supposed to be interpreted.

    When you assign this permission to a role, it doesn't mean that this role can create users with a password not following the policy. It means that for users who have this permission, their password is not validated. The validation is done on the actual user being created, not the current user creating the new user.

    So in order to create users as an administrator whose password is not supposed to follow the policy, you simply apply a role with this permission to that new user.

  • Automatically closed - issue fixed for 2 weeks with no activity.
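
The permission semantics described in the last comment, as an added example that is not part of the thread and not the module's own code: a small Python model in which the "bypass password policy" check is made against the roles of the account being saved, not the roles of whoever saves it. The rule texts come from the exception in the report; the role names, the role-to-permission mapping, the function names and the definition of "special character" (anything that is not a letter or digit) are assumptions.

```python
import re

# Rule texts copied from the exception message in the report above.
# The regexes are assumptions about how each rule is evaluated.
POLICY_RULES = [
    ("Must be at least 8 characters long.", lambda p: len(p) >= 8),
    ("Must contain at least 1 lowercase character.", lambda p: bool(re.search(r"[a-z]", p))),
    ("Must contain at least 1 uppercase character.", lambda p: bool(re.search(r"[A-Z]", p))),
    ("Must contain at least 1 special character.", lambda p: bool(re.search(r"[^A-Za-z0-9]", p))),
    ("Must contain at least 1 numeric character.", lambda p: bool(re.search(r"[0-9]", p))),
]

BYPASS = "bypass password policy"  # permission name as quoted in the thread

# Constructed role -> permission mapping; "policy_exempt" is a hypothetical role.
ROLE_PERMISSIONS = {
    "administrator": {BYPASS, "administer users"},
    "policy_exempt": {BYPASS},
    "authenticated": set(),
}


def has_permission(roles, permission):
    """True if any of the given roles grants the permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def failed_rules(password):
    """Return the messages of all policy rules the password violates."""
    return [msg for msg, check in POLICY_RULES if not check(password)]


def validate_new_account(acting_roles, target_roles, password):
    """Return violated rules for the account being saved; [] means save may proceed.

    acting_roles is accepted only to show that it is deliberately ignored:
    the decision depends on the account being saved, not on who saves it.
    """
    if has_permission(target_roles, BYPASS):
        return []
    return failed_rules(password)
```

Under this reading the exemption belongs to the account holding the role, so it stays in effect for that account for as long as the role is assigned.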
