Missing password policy validation in rest api

I was setting up a password policy (via userManager extension point) on our nuxeo instance and discovered the following behavior:

Entering a password that does not match the defined policy when creating a user via the Web UI results in an InvalidPasswordException thrown in the class “UserManagerImpl”, but does not lead to a corresponding error message in the client. So the password is ultimately validated and the creation is not successful, but the user has no idea what went wrong.

The password is not validated in the UserRootObject, unlike the other preconditions. Additionally, the cases that are handled in the UserRootObject return hard-coded error messages instead of i18n keys.

If you confirm this issue, I would be happy to provide a pull request.

0 votes

1 answers

1276 views
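As an added illustration (not code from the question, the answer, or Nuxeo itself), the following hypothetical JAX-RS endpoint shows the kind of server-side check the question describes as missing: the password is checked against the policy before the user is created, and a rejected password yields an i18n key rather than a hard-coded message or an unmapped exception. The policy regex, endpoint path, exception class and key name are all assumptions.

```java
// Hypothetical sketch, not Nuxeo code: user-creation endpoint that enforces the
// password policy server-side and reports failures with an i18n key.
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;
import java.util.Map;
import java.util.regex.Pattern;

@Path("/user")
public class UserResourceExample {

    // Assumed policy: at least 12 characters, one digit, one upper-case letter.
    private static final Pattern POLICY = Pattern.compile("^(?=.*\\d)(?=.*[A-Z]).{12,}$");

    // Stand-in for the check that UserManagerImpl performs; the key name is assumed.
    static void checkPasswordPolicy(String password) throws InvalidPasswordException {
        if (password == null || !POLICY.matcher(password).matches()) {
            throw new InvalidPasswordException("label.userManager.password.invalid");
        }
    }

    @POST
    @Consumes("application/json")
    @Produces("application/json")
    public Response createUser(Map<String, String> body) {
        try {
            // Validate before touching the user directory, like the other preconditions.
            checkPasswordPolicy(body.get("password"));
        } catch (InvalidPasswordException e) {
            // The client receives a stable key it can translate, instead of a 500
            // or a hard-coded English string.
            return Response.status(Response.Status.BAD_REQUEST)
                    .entity(Map.of("error", e.getMessage())).build();
        }
        // User creation itself is omitted from this sketch.
        return Response.status(Response.Status.CREATED).build();
    }

    // Local stand-in so the sketch compiles without Nuxeo on the classpath.
    static class InvalidPasswordException extends Exception {
        InvalidPasswordException(String i18nKey) { super(i18nKey); }
    }
}
```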

ANSWER

It is true that the UserRootObject is not designed to perform password validation and this is somehow missing.

However, I think the main limitation here is that Web UI does not allow you to override the nuxeo-edit-password.html element. If you were able to do so, you could locate the password validation logic client side and only submit the change when the password is valid.

You are very welcome to submit a PR in any case and we'll see how we can address that.

0 votes