1654743 – API accepts password of zero length

Bug 1654743 - API accepts password of zero length

Summary: API accepts password of zero length

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Gluster Storage
Classification:	Red Hat
Component:	web-admin-tendrl-api
Sub Component:
Version:	rhgs-3.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	Neha Gupta
QA Contact:	sds-qe-bugs
Docs Contact:
URL:
Whiteboard:
Depends On:	1654623
Blocks:
TreeView+	depends on / blocked

Reported:	2018-11-29 15:08 UTC by Elena Bondarenko
Modified:	2019-05-08 16:54 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-05-08 15:31:17 UTC
Target Upstream Version:
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Elena Bondarenko 2018-11-29 15:08:15 UTC

Description of problem:

It's possible to change password to empty string using API. The password of zero length shouldn't be accepted by any API endpoint.


Version-Release number of selected component (if applicable):

tendrl-api-1.6.3-8.el7rhgs.noarch


How reproducible:

100%


Steps to Reproduce:

1. Create a user with valid password
2. Change user's password to empty string


Actual results:

The user's password is changed to empty string


Expected results:

WA api will refuse to perform the action if the new password is an empty string.

Comment 3 Elena Bondarenko 2018-11-30 08:18:49 UTC

> Does the API do validation of the password characteristics?
The API checks the length of the password and doesn't allow passwords of length 1-8 or greater than 128 characters, as was required in BZ https://bugzilla.redhat.com/show_bug.cgi?id=1610947
However, empty string is accepted as a password when user details are being edited.

Note You need to log in before you can comment on or make changes to this bug.