Bug 30091 - Passwords are not validated in wizard
Passwords are not validated in wizard
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: UMC - Wizards
UCS@school 3.1
Other Linux
: P3 normal (vote)
: UCS@school 3.1
Assigned To: Jascha Geerds
Florian Best
:
Depends on:
Blocks: 30109 31337
  Show dependency treegraph
 
Reported: 2013-01-21 14:01 CET by Dirk Wiesenthal
Modified: 2013-05-10 17:22 CEST (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Troubleshooting, Usability
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Dirk Wiesenthal univentionstaff 2013-01-21 14:01:31 CET
* It is possible to set an empty password for new users.
* It is not validated whether the first password matches the second. A red exclamation mark may appear but that does not prevent the form from being submitted. The first password input is chosen as the password.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2013-01-22 09:55:39 CET
I think this should be fixed sooner than "UCS@school 3.x" since it would explain some non-reproducible difficulties users have reported.
Do you have any idea how complex a fix would be?
Comment 2 Dirk Wiesenthal univentionstaff 2013-01-22 11:02:01 CET
(In reply to comment #1)
> Do you have any idea how complex a fix would be?

(In reply to comment #0)
> * It is possible to set an empty password for new users.
One line

> * It is not validated whether the first password matches the second. A red
> exclamation mark may appear but that does not prevent the form from being
> submitted. The first password input is chosen as the password.
Depends. We could hack the wizard. The problem is PasswordInputBox: It does not provide a function "validate", which is required to be validated by a Form's validate(). Obviously this function is not called very often. Otherwise we would have seen this bug earlier.

The correct fix would require an errata update for umc-frontend.
Comment 3 Alexander Kläser univentionstaff 2013-01-22 11:10:45 CET
(In reply to comment #2)
> ...
> Depends. We could hack the wizard. The problem is PasswordInputBox: It does not
> provide a function "validate", which is required to be validated by a Form's
> validate(). Obviously this function is not called very often. Otherwise we
> would have seen this bug earlier.
> 
> The correct fix would require an errata update for umc-frontend.

I can call isValid() in the PasswordInputBox which will return false if passwords do not match. An explicite call to isValid() is just missing in the wizards module. Therefore it should not be any problem to fix this behaviour.
Comment 4 Dirk Wiesenthal univentionstaff 2013-01-22 11:37:27 CET
(In reply to comment #3)
> I can call isValid() in the PasswordInputBox which will return false if
> passwords do not match. An explicite call to isValid() is just missing in the
> wizards module. Therefore it should not be any problem to fix this behaviour.

Yes, calling isValid() would stop the form from being submitted. But as far as I can see, isValid() is not the same as validate(). It does not set the red exclamation mark (and some more?). While this may be non-critical, the real problem remains: PasswordInputBox has no "validate()"-function and everyone using it in a form one wants to validate, has to workaround this bug. It doesn't even tell you there is a problem. It silently refuses to check the PasswordInputBox. If you do not test it explicitly, you will see "some non-reproducible difficulties users have reported".
Comment 5 Jascha Geerds univentionstaff 2013-01-22 17:29:22 CET
(In reply to comment #0)
> * It is possible to set an empty password for new users.

That isn't a bug. The import script generates a random password if none is passed.

> * It is not validated whether the first password matches the second. A red
> exclamation mark may appear but that does not prevent the form from being
> submitted. The first password input is chosen as the password.

Fixed in ucs-school-umc-wizards (2.0.6-1). This is just a workaround for #30109 and #30110
Comment 6 Florian Best univentionstaff 2013-01-23 08:44:26 CET
(In reply to comment #5)
> (In reply to comment #0)
> > * It is possible to set an empty password for new users.
> 
> That isn't a bug. The import script generates a random password if none is
> passed.
> 
> > * It is not validated whether the first password matches the second. A red
> > exclamation mark may appear but that does not prevent the form from being
> > submitted. The first password input is chosen as the password.
> 
> Fixed in ucs-school-umc-wizards (2.0.6-1). This is just a workaround for #30109
> and #30110

The fix looks good but one thing is not working yet:
if the invalid password input box is focused the red exclamation mark is not displayed. All other invalid focused widgets shows it.

changelog OK
Comment 7 Jascha Geerds univentionstaff 2013-01-23 10:25:13 CET
(In reply to comment #6)
> The fix looks good but one thing is not working yet:
> if the invalid password input box is focused the red exclamation mark is not
> displayed. All other invalid focused widgets shows it.

This only occurs if the left box is empty. In other cases, the red exclamation mark will be displayed.
Comment 8 Florian Best univentionstaff 2013-01-23 10:41:36 CET
(In reply to comment #7)
> This only occurs if the left box is empty. In other cases, the red exclamation
> mark will be displayed.
OK
Comment 9 Sönke Schwardt-Krummrich univentionstaff 2013-02-15 17:51:14 CET
UCS@school 3.1 has been released: 
 http://forum.univention.de/viewtopic.php?f=26&t=2364

If this error occurs again, please use "Clone This Bug".