Bug 673212

Summary: Password with less than minlength characters accepted
Product: Red Hat Satellite 5
Component: WebUI
Version: 540
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Tomas Lestach <tlestach>
Assignee: Tomas Lestach <tlestach>
QA Contact: Šimon Lukašík <slukasik>
CC: cperry, slukasik
Hardware: Unspecified
OS: Unspecified
Fixed In Version: spacewalk-java-1.2.39-101
Doc Type: Bug Fix
Doc Text:
Consequence: Even if a user password didn't meet password requirements, the password change got accepted even if a red error message got displayed on the WebUI. Result: When user password doesn't meet password requirements and a red error message got displayed on the WebUI, password doesn't get changed.
Last Closed: 2011-10-20 08:21:18 UTC
Bug Blocks: 715348

Description Tomas Lestach 2011-01-27 18:03:53 UTC
Description of problem:
Even if a user password doesn't meet password requirements, the password change gets accepted. The user doesn't recognize that, because the satellite shows a red WebUI error message about password requirements not being met.

Version-Release number of selected component (if applicable):
sat54

How reproducible:
always

Steps to Reproduce:
1. Navigate to user password change.
2. Change password to <empty_string>
3. Log out and log in as that user.
  
Actual results:
Red error gets displayed on the WebUI:
Desired Password is required.
Confirm Password is required.

But the user cannot log in any more. The password was obviously changed. (It's impossible to log in with <empty_string> password.)

Expected results:
If the password requirements aren't met (and a red error shows up on WebUI), the action shall definitely not be applied.

Additional info:
Similar with a nonempty password shorter than predefined minimal length.

Comment 1 Tomas Lestach 2011-01-27 18:04:27 UTC
spacewalk.git: 84e41ff5bf8daa60b7329a7f45e32bb48c53d091

Comment 4 Tomas Lestach 2011-09-27 15:26:41 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Consequence:
Even if a user password didn't meet password requirements, the password change got accepted even if a red error message got displayed on the WebUI.
Result:
When user password doesn't meet password requirements and a red error message got displayed on the WebUI, password doesn't get changed.

Comment 5 Šimon Lukašík 2011-10-03 12:42:11 UTC
Moving to Verified:

Testing procedure:
 * Password of zero length
 * Short password (less than 5 characters)

Verified against:
spacewalk-java-1.2.39-101
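
The failure described in this report and the two cases from the testing procedure above, sketched as an added example. This is not Spacewalk's code: the class, method and variable names are hypothetical, the length message is constructed, and the minimum length of 5 is taken from the verification comment.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical model of a password-change handler; not Spacewalk code.
public class PasswordChangeDemo {
    static final int MIN_LENGTH = 5;                   // from the testing procedure
    static final String ORIGINAL = "original-secret";  // constructed sample value
    static String storedPassword = ORIGINAL;           // stands in for the user record

    // Collects validation messages; an empty list means the input is acceptable.
    static List<String> validate(String desired, String confirm) {
        List<String> errors = new ArrayList<>();
        if (desired == null || desired.isEmpty()) {
            errors.add("Desired Password is required.");
        } else if (desired.length() < MIN_LENGTH) {
            errors.add("Password is shorter than " + MIN_LENGTH + " characters."); // constructed
        }
        if (confirm == null || confirm.isEmpty()) {
            errors.add("Confirm Password is required.");
        }
        return errors;
    }

    // Defective flow: errors are reported to the caller, but the write still happens.
    static List<String> changeReportOnly(String desired, String confirm) {
        List<String> errors = validate(desired, confirm);
        storedPassword = desired;
        return errors;
    }

    // Corrected flow: any validation error aborts before the write.
    static List<String> changeEnforced(String desired, String confirm) {
        List<String> errors = validate(desired, confirm);
        if (errors.isEmpty()) {
            storedPassword = desired;
        }
        return errors;
    }

    public static void main(String[] args) {
        for (String candidate : new String[] {"", "abcd"}) { // zero length, too short
            storedPassword = ORIGINAL;
            List<String> shown = changeReportOnly(candidate, candidate);
            System.out.println("report-only: " + shown + " changed=" + !ORIGINAL.equals(storedPassword));
            storedPassword = ORIGINAL;
            shown = changeEnforced(candidate, candidate);
            System.out.println("enforced:    " + shown + " changed=" + !ORIGINAL.equals(storedPassword));
        }
    }
}
```

A regression check for this class of bug has to assert on the stored state after a rejected request, since the error message is displayed in both flows.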

Comment 6 errata-xmlrpc 2011-10-20 08:21:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1388.html