Bug 1394798 - Password criteria - show message (Your password cannot contain your username) but accept anyway
Summary: Password criteria - show message (Your password cannot contain your username)...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.2.4
Hardware: x86_64
OS: All
unspecified
medium
Target Milestone: Unspecified
Assignee: Marek Hulan
QA Contact: Evgeni Golov
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-14 13:19 UTC by Waldirio M Pinheiro
Modified: 2019-08-12 14:04 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-21 16:49:54 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
password warning (78.09 KB, image/png)
2016-11-14 13:22 UTC, Waldirio M Pinheiro 		no flags Details
password accepted (62.46 KB, image/png)
2016-11-14 13:22 UTC, Waldirio M Pinheiro 		no flags Details
virtwho user logged (97.05 KB, image/png)
2016-11-14 13:23 UTC, Waldirio M Pinheiro 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 17334 0 None None None 2016-11-15 08:34:46 UTC

Description Waldirio M Pinheiro 2016-11-14 13:19:23 UTC 
Description of problem:
In my test, I just create one user virtwho and defined the password as virtwho00, in the Password row we can see the message below

  **Password - Your password cannot contain your username**

and in the Verify row

  **Verify - password match**

But after submit, we can see the password was accepted.


Version-Release number of selected component (if applicable):
6.2.4

How reproducible:
100%

Steps to Reproduce:
1. Create new user
2. Define the password with the username as part of password
3. Click on Submit

Actual results:
Accept

Expected results:
Should not accept, once we can see the message **Your password cannot contain your username**

Additional info:
Comment 1 Waldirio M Pinheiro 2016-11-14 13:22:26 UTC 
Created attachment 1220402 [details]
password warning
Comment 2 Waldirio M Pinheiro 2016-11-14 13:22:58 UTC 
Created attachment 1220403 [details]
password accepted
Comment 3 Waldirio M Pinheiro 2016-11-14 13:23:30 UTC 
Created attachment 1220404 [details]
virtwho user logged
Comment 4 Marek Hulan 2016-11-15 08:33:23 UTC 
I don't think we should display such validation message. I don't think admin_kdjgdlkjgsdlkfgjdklgdslkfgjdlfkgj password would be less secure. So as a fix I'll remove the JS validation message.
Comment 5 Marek Hulan 2016-11-15 08:34:44 UTC 
Created redmine issue http://projects.theforeman.org/issues/17334 from this bug
Comment 6 Waldirio M Pinheiro 2016-11-15 08:38:03 UTC 
Hi Marek

Great.

Thank you

Best Regards
-- 
Waldirio M Pinheiro | Senior Software Maintenance Engineer
Comment 7 Bryan Kearney 2016-11-15 09:15:13 UTC 
Upstream bug assigned to mhulan
Comment 8 Bryan Kearney 2016-11-15 09:15:16 UTC 
Upstream bug assigned to mhulan
Comment 9 Marek Hulan 2016-11-15 10:06:45 UTC 
After more upstream discussion it turns out that the JS validation still has some value so we'll keep it but change the wording so it does not indicate it's forbidden to include username in password. The result should be in recommendation tone, e.g. "Your password should not contain your username"
Comment 10 Bryan Kearney 2016-11-15 13:15:09 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17334 has been resolved.
Comment 12 Evgeni Golov 2017-08-09 09:24:27 UTC 
Verified.
Version Tested:
Satellite-6.3 Snap 10

Trying to set the password of the user "foo" to "foo123" yields "Your password should not contain your username"

→ VERIFIED
Comment 13 Satellite Program 2018-02-21 16:49:54 UTC 
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336
Note You need to log in before you can comment on or make changes to this bug.