Missing password policy validation in rest api

I was setting up a password policy (via userManager extension point) on our nuxeo instance and discovered the following behavior:

Entering a password that does not match the defined policy, when creating a user via WEB-UI, is resulting in an InvalidPasswordException thrown in the class “UserManagerImpl”, but does not lead to corresponding error message in client. So the password is ultimately validated and the creation in not successful, but the user has no idea what went wrong.

The password is not validated in the UserRootObject unlike other preconditions. Additionally the cases that are handled in the UserRootObject are returning hard-coded error messages instead of i18n keys.

If you confirm this issue, I would be happy to provide a pull request.

0 votes

1 answers

112 views

ANSWER



It is true that the UserRootObject is not designed to perform password validation and this is somehow missing.

However, I think the main limitation here is that Web UI does not allow to override the nuxeo-edit-password.html element. Because if you were able to do so, you could locate the password validation logic client side and only submit change when the password is valid.

You are very welcome to submit a PR in any case and we'll see how we can address that.

0 votes