Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enforce password validation rules on 'Forgot your password?' form #9090

Merged
merged 11 commits into from
Apr 8, 2022
Merged

Enforce password validation rules on 'Forgot your password?' form #9090

merged 11 commits into from
Apr 8, 2022

Conversation

andreslucena
Copy link
Member

@andreslucena andreslucena commented Mar 24, 2022
edited

馃帺 What? Why?

Password validation rules didn't get enforced when a registered user reset their password through the "Forgot your password?" form (from Devise).

This PR fixes that.

I guess we could remove the validation from the forms:

decidim/decidim-core/app/forms/decidim/registration_form.rb

Line 21 in 05b9883

validates :password, password: { name: :name, email: :email, username: :nickname }

decidim/decidim-core/app/forms/decidim/account_form.rb

Line 28 in 05b9883

validates :password, password: { name: :name, email: :email, username: :nickname }, if: -> { password.present? }

But before changing that, I want to see the specs if it fails some flows that don't need passwords (like Invitations)

(Never mind, we need that so the Forms validations work correctly. If not it gives an error without any detail on what exactly is the error)

馃搶 Related Issues

Testing

  1. Do the "Forgot your password?" flow until the password and confirmation screen
  2. Fill a password that doesn't follow the rules, for instance "1234567890"
  3. Save it
  4. See that it gives you a validation error

鈾ワ笍 Thank you!

@andreslucena andreslucena added module: core type: fix PRs that implement a fix for a bug labels Mar 24, 2022
ahukkanen
ahukkanen requested changes Apr 1, 2022
View reviewed changes
Copy link
Contributor

@ahukkanen ahukkanen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few small things I noticed. Otherwise this is great and works fine!

decidim-core/lib/devise/models/decidim_validatable.rb Outdated Show resolved Hide resolved
decidim-core/app/validators/password_validator.rb Outdated Show resolved Hide resolved
@andreslucena
Copy link
Member Author

Failing related specs, I need to check them

@andreslucena andreslucena marked this pull request as draft April 7, 2022 09:43
@andreslucena andreslucena marked this pull request as ready for review April 8, 2022 11:48
@andreslucena
Copy link
Member Author

This is ready to be reviewed again.

Just a comment, the only place that I know for sure that we're not enforcing the password validator is in system. My idea is to handle that in other PR after this is merged.

@ahukkanen ahukkanen merged commit e445131 into develop Apr 8, 2022
@ahukkanen ahukkanen deleted the fix/password-validator-on-forgot branch April 8, 2022 13:55
This was referenced Apr 19, 2022
Merged
Merged
Closed
@andreslucena andreslucena mentioned this pull request Apr 29, 2022
Merged
andreslucena added a commit that referenced this pull request May 6, 2022
@andreslucena
Enforce password validation rules on 'Forgot your password?' form (#9090
6a61167 
)

* Enforce password validation rules on 'Forgot your password?' form

* Improve guard clause for organization

* Use a not common password for user factory

* Remove unecessary Devise password_length setting

* Change default common password in seeds

* Change default common password in specs

* Change default common password in specs

* Change domain in specs to example.org

* Change default common password in specs

* Fix organization guard clause as suggested in code review
@andreslucena andreslucena mentioned this pull request May 6, 2022
Merged
ahukkanen pushed a commit that referenced this pull request May 10, 2022
@andreslucena
Enforce password validation rules on 'Forgot your password?' form (#9090
d507169 
) (#9245)

* Enforce password validation rules on 'Forgot your password?' form

* Improve guard clause for organization

* Use a not common password for user factory

* Remove unecessary Devise password_length setting

* Change default common password in seeds

* Change default common password in specs

* Change default common password in specs

* Change domain in specs to example.org

* Change default common password in specs

* Fix organization guard clause as suggested in code review
@verarojman verarojman mentioned this pull request Jul 14, 2022
Merged
12 tasks
@microstudi microstudi mentioned this pull request Jul 28, 2022
Closed
@microstudi microstudi mentioned this pull request Aug 26, 2022
Closed
12 tasks
@microstudi microstudi mentioned this pull request Sep 13, 2022
Merged
@alecslupu alecslupu added this to the 0.27.0 milestone Jul 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ahukkanen ahukkanen ahukkanen approved these changes

Assignees
No one assigned
Labels
module: core type: fix PRs that implement a fix for a bug
Projects
None yet
Milestone
0.27.0
Development

Successfully merging this pull request may close these issues.

Password validation isn't enforced when resetting password
3 participants
@andreslucena @ahukkanen @alecslupu