1610190 – Revealing password on Add/Edit User pages breaks functionality of that pages

Bug 1610190 - Revealing password on Add/Edit User pages breaks functionality of that pages

Summary: Revealing password on Add/Edit User pages breaks functionality of that pages

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Gluster Storage
Classification:	Red Hat Storage
Component:	web-admin-tendrl-ui
Sub Component:
Version:	rhgs-3.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	Neha Gupta
QA Contact:	sds-qe-bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-07-31 07:29 UTC by Daniel Horák
Modified:	2019-05-08 20:37 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-05-08 20:37:11 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Edit User page: passwords are hidden and the fields have red borders - because the inserted password is too short and are not the same. (21.11 KB, image/png) 2018-07-31 07:32 UTC, Daniel Horák	no flags	Details
Edit User page: passwords are revealed and the fields doesn't have red borders anymore - although the inserted passwords are too short and are not the same. (20.29 KB, image/png) 2018-07-31 07:35 UTC, Daniel Horák	no flags	Details
Edit user validation screenshot 1 (48.32 KB, image/png) 2018-08-02 09:12 UTC, Neha Gupta	no flags	Details
Edit user validation screenshot 2 (49.44 KB, image/png) 2018-08-02 09:13 UTC, Neha Gupta	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	Tendrl ui issues 1080	0	None	None	None	2018-10-23 03:54:01 UTC

Description Daniel Horák 2018-07-31 07:29:56 UTC

Description of problem:
  When you try to update User password from Users -> Edit User page and you
  will reveal the password by clicking on the "eye" icon, the behaviour of the
  page will break:
  * it will not check the password requirements anymore (length, match between
    password and password confirmation,...)
  * it will not submit the password in the PUT API request.

  Similarly there is some problems when creating new user on "Add User" page.

Version-Release number of selected component (if applicable):
  tendrl-ansible-1.6.3-5.el7rhgs.noarch
  tendrl-api-1.6.3-4.el7rhgs.noarch
  tendrl-api-httpd-1.6.3-4.el7rhgs.noarch
  tendrl-commons-1.6.3-9.el7rhgs.noarch
  tendrl-grafana-plugins-1.6.3-7.el7rhgs.noarch
  tendrl-grafana-selinux-1.5.4-2.el7rhgs.noarch
  tendrl-monitoring-integration-1.6.3-7.el7rhgs.noarch
  tendrl-node-agent-1.6.3-9.el7rhgs.noarch
  tendrl-notifier-1.6.3-4.el7rhgs.noarch
  tendrl-selinux-1.5.4-2.el7rhgs.noarch
  tendrl-ui-1.6.3-8.el7rhgs.noarch


How reproducible:
  100%


Steps to Reproduce:
1. Go to User Management -> Users page (wheel icon in the upper right corner)
2. Open Edit User page (Edit button for the particular user on Users page)
3. Insert some short string (e.g. 3 characters) into "New Password" field.
4. Insert some other characters into "Confirm Password" field.
5. Click on "eye" icons on both New and Confirm Password fields.
6. (Open Developer tools Console and) Save the Edit User form.

Actual results:
3. The field is marked red, because the password is too short.
4. The field is marked red, because the password is too short and doesn't match
    the "New Password" field.
5. The red border around both Password fields disappear - as everything is ok.
6. The form is submitted and it shows "User Successfully Updated." message,
    but the PUT API request doesn't contain password.
    For example:
      {
        "name":"Admin",
        "username":"admin",
        "email":"root",
        "role":"admin",
        "email_notifications":false
      }

Expected results:
  Revealing password shouldn't break the functionality of the page.

Additional info:
  See the screenshots.

Comment 1 Daniel Horák 2018-07-31 07:32:01 UTC

Created attachment 1471706 [details]
Edit User page: passwords are hidden and the fields have red borders - because the inserted password is too short and are not the same.

Comment 2 Daniel Horák 2018-07-31 07:35:01 UTC

Created attachment 1471707 [details]
Edit User page: passwords are revealed and the fields doesn't have red borders anymore - although the inserted passwords are too short and are not the same.

Also when you submit this form, the API PUT request doesn't contain password.
For example:
  {
    "name":"Admin",
    "username":"admin",
    "email":"root",
    "role":"admin",
    "email_notifications":false
  }

Comment 3 Martin Bukatovic 2018-07-31 10:50:59 UTC

Asking for blocker? flag, as this could:

 * lock out user thinking that the password has been changed
 * have security implications, when user could think that password is changed
   while it's not

Comment 6 Neha Gupta 2018-08-02 09:12:03 UTC

@dahorak I am not able to reproduce this issue. Attaching screenshots for the same.

Comment 7 Neha Gupta 2018-08-02 09:12:53 UTC

Created attachment 1472573 [details]
Edit user validation screenshot 1

Comment 8 Neha Gupta 2018-08-02 09:13:22 UTC

Created attachment 1472575 [details]
Edit user validation screenshot 2

Comment 9 Daniel Horák 2018-08-02 09:46:10 UTC

@Neha, I've tried to retest it in multiple browsers/versions and it seems to be problem specifically with firefox.

* in chromium-67.0.3396.79-1.fc27.x86_64 - works correctly
* in firefox-60.0-0.4.el7.x86_64 - the behavior is broken

Note You need to log in before you can comment on or make changes to this bug.