Bug 1654743 - API accepts password of zero length
Summary: API accepts password of zero length
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: web-admin-tendrl-api
Version: rhgs-3.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: Neha Gupta
QA Contact: sds-qe-bugs
Depends On: 1654623
TreeView+ depends on / blocked
Reported: 2018-11-29 15:08 UTC by Elena Bondarenko
Modified: 2019-05-08 16:54 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-05-08 15:31:17 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Elena Bondarenko 2018-11-29 15:08:15 UTC
Description of problem:

It's possible to change password to empty string using API. The password of zero length shouldn't be accepted by any API endpoint.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

1. Create a user with valid password
2. Change user's password to empty string

Actual results:

The user's password is changed to empty string

Expected results:

WA api will refuse to perform the action if the new password is an empty string.

Comment 3 Elena Bondarenko 2018-11-30 08:18:49 UTC
> Does the API do validation of the password characteristics?
The API checks the length of the password and doesn't allow passwords of length 1-8 or greater than 128 characters, as was required in BZ https://bugzilla.redhat.com/show_bug.cgi?id=1610947
However, empty string is accepted as a password when user details are being edited.

Note You need to log in before you can comment on or make changes to this bug.