fix(security): validate demo user password against project policy#140
Merged: ako merged 2 commits into mendixlabs:main (Apr 8, 2026)
Conversation
Adds password validation against project password policy settings (minimum length, require digit, mixed case, symbol). Nil/zero policies accept any password for backward compatibility.
CREATE DEMO USER now checks the password against the project's PasswordPolicy before writing to MPR. Previously, non-compliant passwords were accepted silently but the Mendix runtime would skip creating the user, leading to confusing "unknown user" login errors. Closes mendixlabs#137
AI Code Review
Recommendation: Approve - The PR successfully resolves the reported issue with appropriate validation, clear error messaging, and thorough testing. No MDL syntax changes were introduced, so full-stack consistency requirements don't apply. The changes are scoped to a single concern (password validation for demo users) and maintain code quality standards. The unit test coverage is comprehensive and the full test suite passes. Manual verification with real MPR is pending but the backend logic is sound. Automated review via OpenRouter (Nemotron Super 120B) — workflow source
ako (Collaborator) approved these changes on Apr 8, 2026 and left a comment:
Clean fix for a confusing UX problem — silently non-compliant passwords leading to "unknown user" at runtime is a real gotcha.
- ValidatePassword() is straightforward with correct nil/zero-value edge cases
- Good test coverage (8 cases including nil and zero policy)
- Error message with SHOW PROJECT SECURITY hint is helpful
- Validation before duplicate-user check is the right order
LGTM.
Summary
- PasswordPolicy.ValidatePassword() method in sdk/security/ that checks the password against the MinimumLength, RequireDigit, RequireMixedCase, and RequireSymbol settings
- execCreateDemoUser so CREATE DEMO USER rejects non-compliant passwords at creation time with a clear error message and hint
- Closes #137
Test plan
- ValidatePassword: valid password, too short, no digit, no mixed case, no symbol, empty, nil policy, zero policy (9 cases)
- make test
- CREATE DEMO USER 'test' PASSWORD '1' (User) should fail with policy violation error
🤖 Generated with Claude Code
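The policy check the Summary describes, written out as an added example in Go. This is not the project's sdk/security code (the actual implementation is not shown on this page): the struct fields follow the four settings named above and the nil/zero-policy behaviour follows the PR description, while PolicyError, ErrDuplicateUser, createDemoUser, the in-memory user set and the sample passwords are assumptions constructed for this illustration. It goes one step beyond the PR text by collecting every violated rule into a single error instead of stopping at the first, and it reproduces the ordering the review endorses (policy check before the duplicate-user check).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// PasswordPolicy holds the four project-security settings named in the PR summary.
// Illustration only: the field names follow the PR text, not the project's source.
type PasswordPolicy struct {
	MinimumLength    int
	RequireDigit     bool
	RequireMixedCase bool
	RequireSymbol    bool
}

// PolicyError lists every rule the password failed, so the user can fix them in one attempt.
// Assumed type; the project's actual error shape is not shown on the page.
type PolicyError struct {
	Violations []string
}

func (e *PolicyError) Error() string {
	return "password violates the project password policy: " +
		strings.Join(e.Violations, "; ") +
		" (hint: SHOW PROJECT SECURITY shows the current policy)"
}

// ValidatePassword returns nil if password satisfies the policy.
// A nil receiver or a zero-value policy accepts anything, matching the
// backward-compatibility behaviour described in the PR.
func (p *PasswordPolicy) ValidatePassword(password string) error {
	if p == nil || *p == (PasswordPolicy{}) {
		return nil
	}
	var hasDigit, hasUpper, hasLower, hasSymbol bool
	length := 0 // counted in runes, not bytes, so a non-ASCII character counts once
	for _, r := range password {
		length++
		switch {
		case unicode.IsDigit(r):
			hasDigit = true
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			// Assumption: "symbol" means any punctuation or symbol rune.
			hasSymbol = true
		}
	}
	var violations []string
	if p.MinimumLength > 0 && length < p.MinimumLength {
		violations = append(violations,
			fmt.Sprintf("minimum length %d (got %d)", p.MinimumLength, length))
	}
	if p.RequireDigit && !hasDigit {
		violations = append(violations, "at least one digit required")
	}
	if p.RequireMixedCase && !(hasUpper && hasLower) {
		violations = append(violations, "both upper- and lower-case letters required")
	}
	if p.RequireSymbol && !hasSymbol {
		violations = append(violations, "at least one symbol required")
	}
	if len(violations) > 0 {
		return &PolicyError{Violations: violations}
	}
	return nil
}

// ErrDuplicateUser stands in for the duplicate-user check the review mentions.
var ErrDuplicateUser = errors.New("demo user already exists")

// createDemoUser applies the order the review endorses: policy first, duplicate check
// second, so a bad password is reported even when the user name is already taken.
// users is a constructed in-memory stand-in for the MPR user table.
func createDemoUser(users map[string]bool, policy *PasswordPolicy, name, password string) error {
	if err := policy.ValidatePassword(password); err != nil {
		return err
	}
	if users[name] {
		return ErrDuplicateUser
	}
	users[name] = true
	return nil
}

func main() {
	policy := &PasswordPolicy{MinimumLength: 8, RequireDigit: true, RequireMixedCase: true, RequireSymbol: true}
	users := map[string]bool{}
	// Mirrors the manual check in the test plan: CREATE DEMO USER 'test' PASSWORD '1' must fail.
	fmt.Println(createDemoUser(users, policy, "test", "1"))
	fmt.Println(createDemoUser(users, policy, "test", "Demo-Pass1"))
}
```

With the policy above, the password '1' from the test plan produces three violations at once (length, mixed case, symbol), and a duplicate name with a bad password still surfaces the policy error first, which is the ordering the review singles out.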