User with empty password can't reset their password
| Reported by: | Ryan J Ollos | Owned by: | Steffen Hoffmann |
This is perhaps a bit insane of a scenario which came about when testing in a dev environment, where I do things like create users with empty passwords which I would never do on a production system. Still, it potentially reveals some odd corner cases, so I wanted to capture it and let the developer decide what to do with it (with myself having a wide open mind to wontfix perhaps being the most appropriate handling).
- Create a new user with an empty password from the admin page.
- Select Reset password for the user from the admin page.
- Log in as the user and verify that you are being forced to change the password.
- Attempt to change the password, which will result in:
The user is not logged out and presented with an authentication dialog, which seems to be the typical response on a successful password change. Subsequent attempts to change the password have the same result, except the Thank you notice goes away after the first attempt.
This ties in to the need to have a minimum allowed password length. Is that something the AccountManagerPlugin should eventually support, or should the store be enforcing a minimum length?