Password can be reset without new password confirmation. #15909
Comments
This essentially needs a client-side validation of the password to be the same in both the inputs, and should be added here: https://github.com/freeCodeCamp/freeCodeCamp/blob/backup/master/server/views/account/reset.jade#L15 The server-side code is all fine.
Potential contributors, please add some jQuery based validation in the reset view mentioned above. Also note that this needs to go into the Happy fixing!
@raisedadead Looking forward to fixing this. This would be my first open source contribution to freeCodeCamp.
Yes please go ahead!
All input validations must be carried out on the server side also. Just client side validation is not the solution. Server side code needs to be fixed as well.
Please elaborate, or point to code which is to be fixed.
Are you looking for the change password button to be disabled until both inputs are filled and matched, or do you want an error message thrown?
@tracyalison11 we would like to display an error message (basic html5 validation), and of course block the submit until the form has validated. Some inspiration: https://www.html5rocks.com/en/tutorials/forms/constraintvalidation/
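The client-side check asked for above, written up here as an added example that is not freeCodeCamp's code: the confirmation field gets a custom validity message through the HTML5 Constraint Validation API, so the browser reports the message and refuses to submit until both fields match. The form id and the input ids are assumptions; the existing server-side check the thread refers to is still what actually enforces the rule, since a client can skip this.

```javascript
// Added example (not freeCodeCamp's code). Assumed markup:
//   <form id="reset-form"> <input id="password"> <input id="confirm"> </form>

// Pure rule, kept free of the DOM so it can be unit-tested. Returns '' when the
// pair is acceptable, otherwise the message to hand to setCustomValidity().
function confirmMismatchMessage(password, confirm) {
  if (password.length === 0) return 'Enter a new password.';
  if (confirm.length === 0) return 'Confirm the new password.';
  if (password !== confirm) return 'Passwords do not match.';
  return '';
}

// Wire the rule to the form. A non-empty custom validity string makes the
// browser treat the field as invalid: checkValidity() returns false, native
// submission is blocked, and reportValidity() shows the message to the user.
// This only improves feedback in the UI; the server must re-check on submit.
function attachConfirmValidation(form, passwordInput, confirmInput) {
  const revalidate = () => {
    confirmInput.setCustomValidity(
      confirmMismatchMessage(passwordInput.value, confirmInput.value));
  };
  // Re-evaluate as the user types in either field, not only on submit.
  passwordInput.addEventListener('input', revalidate);
  confirmInput.addEventListener('input', revalidate);
  form.addEventListener('submit', (event) => {
    revalidate();
    if (!form.checkValidity()) {
      event.preventDefault();   // block the submit until the form validates
      form.reportValidity();    // surface "Passwords do not match." etc.
    }
  });
}

// Attach on page load when running in a browser; harmless under Node.
if (typeof document !== 'undefined') {
  const form = document.getElementById('reset-form');
  if (form) {
    attachConfirmValidation(form,
      form.querySelector('#password'), form.querySelector('#confirm'));
  }
}
```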
@raisedadead I have been working on this. Hoping to add a PR before the end of the day.
If password can be changed without confirmation, this clearly means that there is no validation on the server side. The lack of validation at the server side itself is an issue which needs to be fixed.
Did you get a chance to look at the server side code and confirm this? And that there is actually no validation? What the SF article suggests is totally valid, and thanks for sharing it.
But that said, the use case we have here has one additional server-side check already. Hence my comments earlier. IMHO, I suggest you confirm this yourself, if you will, by actually checking the code. Should you face issues finding it, we would be glad to help you. Yes, that said, the client side view needs to be fixed, which again as per the article you shared:
And I totally agree. Finally, this issue basically boils down to the fact that we had missed doing so in letting the user know that the form was not okay, as pointed out by OP.
Thanks a lot
On Tuesday, 26 September 2017, mrugesh mohapatra <notifications@github.com> wrote:
… If password can be changed without confirmation, this clearly means that
there is no validation on the server side.
Did you get a chance to look at the server side code and confirm this? And
that there is actually no validation?
What the SF article suggests is totally valid, and thanks for sharing it.
*... Server-side validation is also crucial due to the fact that
client-side validation can be completely bypassed by turning off
JavaScript. ...*
But that said, the use case we have here has one additional server-side
check already. Hence my comments earlier. IMHO, I suggest you to please
confirm this yourself if you so, please by actually checking the code.
Should you face issues finding it, we would be glad to help you.
Yes, that said the client side view needs to be fixed, which again as per
the article you shared:
*... In practice, all it does is prevent your client (with JS enabled) to
know whether the form is okay ...*
And I totally agree.
Finally, this issue basically boils down to the fact that we had missed
doing so in letting the user know that the form was not okay, as pointed
out by OP.
Issue Description
User can reset their password by only filling out the new password field without filling out the password confirmation.