Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Don't check for existing password emptyness #315

Merged
merged 1 commit into from
May 11, 2016

Conversation

maxpoulin64
Copy link
Member

Pointed out by @pugabear, it's possible for a user to have an empty password. There isn't really a need to check for password emptyness, it will simply fail with wrong old password instead. This allows users with an empty password to be created and allows them to set a password.

While I think a temporary password should be used instead, we allow creating a user with no password so we should also handle it.

Pointed out by @pugabear, it's possible for a user to have an empty password. There isn't really a need to check for password emptyness, it will simply fail with wrong old password instead.
@maxpoulin64 maxpoulin64 added Type: Bug Issues that report and PRs that solve any defects that cause unexpected behaviors. second review needed labels May 10, 2016
@astorije
Copy link
Member

@maxpoulin64, why not reversing this and instead prevent creating/using empty passwords altogether?
I don't see a good use case for that and it's much, much better security-wise IMO.

@astorije astorije added the Type: Security Security concern or PRs that must be reviewed with extra care regarding security. label May 10, 2016
@astorije astorije self-assigned this May 10, 2016
@maxpoulin64
Copy link
Member Author

@astorije: as said on IRC, I'm not a fan of it either but I don't see any case where we'd want to block password changes when there is no existing password either. I'll mark this as not ready for merging and disallow empty password later and fix #316 while at it.

@maxpoulin64 maxpoulin64 added the Meta: Do Not Merge This PR should not be merged. label May 10, 2016
@astorije
Copy link
Member

Do you think there is a value as reviewing/merging this by itself, or the changes you have here will be removed with the other fix you mention?

@maxpoulin64
Copy link
Member Author

No, I was thinking of doing both. I consider the current behavior to be a bug, because it's possible to get into a situation where the user can't use the feature because of conflicting conditions. The user will still be able to get into this situation if the json is edited manually, but it's reasonable to disallow it through the official ways. And there really is no possible harm by not doing that check, as comparing an empty password to a non-empty password will return a failure anyway.

@maxpoulin64 maxpoulin64 removed the Meta: Do Not Merge This PR should not be merged. label May 10, 2016
@xPaw
Copy link
Member

xPaw commented May 11, 2016

👍

The check is pretty much unnecessary here, as it compares the password either way. Merge whenever.

@astorije
Copy link
Member

👍

@astorije astorije merged commit 91f016c into thelounge:master May 11, 2016
@astorije astorije added this to the ★ Next Release milestone May 15, 2016
@maxpoulin64 maxpoulin64 deleted the empty-password branch May 28, 2016 22:02
matburnham pushed a commit to matburnham/lounge that referenced this pull request Sep 6, 2017
Don't check for existing password emptyness
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
Type: Bug Issues that report and PRs that solve any defects that cause unexpected behaviors. Type: Security Security concern or PRs that must be reviewed with extra care regarding security.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants