Description of problem: Even if a user password doesn't meet password requirements, it password change gets accepted. The user doesn't recognize that, because the satellite shows a WebUI red error message about password requirements not to be met. Version-Release number of selected component (if applicable): sat54 How reproducible: always Steps to Reproduce: 1. Navigate to user password change. 2. Change password to <empty_string> 3. Log out and log in as that user. Actual results: Red error gets displayed on the WebUI: Desired Password is required. Confirm Password is required. But the user cannot log in any more. The password was obviously changed. (It's impossible to log in with <empty_string> password. Expected results: If the password requirements aren't met (and a red error shows up on WebUI), the action shall definitely not be applied. Additional info: Similar with a nonempty password shorter than predefined minimal length.
spacewalk.git: 84e41ff5bf8daa60b7329a7f45e32bb48c53d091
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Consequence: Even if a user password didn't meet password requirements, the password change got accepted even if a red error message got displayed on the WebUI. Result: When user password doesn't meet password requirements and a red error message got displayes on the WebUI, password doesn't get changed.
Moving to Verified: Testing procedure: * Password of zero length * Short password (less than 5 characters) Verified against: spacewalk-java-1.2.39-101
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1388.html