Description of problem: It's possible to change password to empty string using API. The password of zero length shouldn't be accepted by any API endpoint. Version-Release number of selected component (if applicable): tendrl-api-1.6.3-8.el7rhgs.noarch How reproducible: 100% Steps to Reproduce: 1. Create a user with valid password 2. Change user's password to empty string Actual results: The user's password is changed to empty string Expected results: WA api will refuse to perform the action if the new password is an empty string.
> Does the API do validation of the password characteristics? The API checks the length of the password and doesn't allow passwords of length 1-8 or greater than 128 characters, as was required in BZ https://bugzilla.redhat.com/show_bug.cgi?id=1610947 However, empty string is accepted as a password when user details are being edited.