Bug 1654743 - API accepts password of zero length
Summary: API accepts password of zero length
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: web-admin-tendrl-api
Version: rhgs-3.4
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Neha Gupta
QA Contact: sds-qe-bugs
URL:
Whiteboard:
Depends On: 1654623
Blocks:
Reported: 2018-11-29 15:08 UTC by Elena Bondarenko
Modified: 2019-05-08 16:54 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-08 15:31:17 UTC
Embargoed:



Description Elena Bondarenko 2018-11-29 15:08:15 UTC
Description of problem:

It's possible to change the password to an empty string using the API. A password of zero length shouldn't be accepted by any API endpoint.


Version-Release number of selected component (if applicable):

tendrl-api-1.6.3-8.el7rhgs.noarch


How reproducible:

100%


Steps to Reproduce:

1. Create a user with valid password
2. Change user's password to empty string


Actual results:

The user's password is changed to an empty string


Expected results:

WA API will refuse to perform the action if the new password is an empty string.

Comment 3 Elena Bondarenko 2018-11-30 08:18:49 UTC
> Does the API do validation of the password characteristics?
The API checks the length of the password and doesn't allow passwords of length 1-8 or greater than 128 characters, as was required in BZ https://bugzilla.redhat.com/show_bug.cgi?id=1610947
However, empty string is accepted as a password when user details are being edited.
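
The gap described in Comment 3, shown as an added example that is not part of the bug report and is not tendrl-api's code. The cause illustrated here (a length check that only runs for non-empty input) is an assumption, as are the function names, the `password` parameter name and the sample request bodies.

```ruby
# Hypothetical validators for illustration only; not tendrl-api source code.
MIN_LEN = 9    # Comment 3: lengths 1-8 are rejected
MAX_LEN = 128  # Comment 3: lengths greater than 128 are rejected
LENGTH_MSG = "password length must be #{MIN_LEN}-#{MAX_LEN}"

# Assumed flaw pattern: the length rule runs only for non-empty input,
# so "" skips the check and comes back with no errors.
def lenient_password_errors(params)
  password = params["password"]
  errors = []
  if password && !password.empty?
    errors << LENGTH_MSG unless password.length.between?(MIN_LEN, MAX_LEN)
  end
  errors
end

# Hardened variant: on an edit request, an absent key means "leave the
# password unchanged"; a key that is present must hold a valid password.
def strict_password_errors(params)
  return [] unless params.key?("password")
  password = params["password"]
  return ["password must be a string"] unless password.is_a?(String)
  return ["password must not be empty"] if password.empty?
  return [LENGTH_MSG] unless password.length.between?(MIN_LEN, MAX_LEN)
  []
end

# Constructed edit-request bodies covering each length class.
SAMPLES = {
  "no password key" => { "name" => "alice" },
  "empty string"    => { "password" => "" },
  "length 5"        => { "password" => "a" * 5 },
  "length 9"        => { "password" => "a" * 9 },
  "length 129"      => { "password" => "a" * 129 },
}

# Returns [label, lenient_accepts?, strict_accepts?] for every sample.
def compare_validators
  SAMPLES.map do |label, body|
    [label, lenient_password_errors(body).empty?, strict_password_errors(body).empty?]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_validators.each do |label, lenient_ok, strict_ok|
    puts format("%-16s lenient=%-5s strict=%s", label, lenient_ok, strict_ok)
  end
end
```

Only the "empty string" row differs between the two validators, which is the case a regression test for the edit endpoint needs to cover.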

