| Project: | Password policy |
| Version: | 7.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
Issue Summary
Using 7.x-1.0-beta3.
Policy is set for these two conditions.
"Password must be at least 10 characters in length" and "Password must not match any previous password".
The site is setup as visitors can register, but administrator approval is required.
The displayed policy is displayed in two places. On the edit/account page (correct) and user/register page (not correct).
The display on the user/register page has no associated box for a password. Thus the text has no purpose.
On the edit/account page "user/12/edit" the display is correct and needed. See image user_edit_account with green arrow.
The user_register image with the red arrow is the wrong place for this display as there is no registration field associated with the text.
How can this text be removed from the user/register page and retained for the user/ /edit page?
A CSS display none does work for ID account-pass-restrictions. However, it removes both text displays as the ID is the same for both.
In the password policy module around line 450 the restrictions are printed out.
| Attachment | Size | Status | Test result | Operations |
|---|---|---|---|---|
| user-register.png | 11.7 KB | Ignored: Check issue status. | None | None |
| user_ediit_account.png | 15.01 KB | Ignored: Check issue status. | None | None |
Comments
#1
Please test the attached patch. The logic I added makes sure a password field exists before inserting the policy text.
#2
Applied the patch using gnuwin32. The text is no longer displayed even with a password field being listed. The patch also disables password rules. i.e. if ten characters are required a new password can be created with three, etc.
The patch was applied to the following version and does not work.
version = "7.x-1.0-beta3"
core = "7.x"
project = "password_policy"
datestamp = "1326303648"
#3
Update on using the UNPATCHED beta 3 version. Password is set up as follows:
authenticated user
History all
Length 10
Visibility settings - Checked ON
The following message is displayed in the register (no password field) and edit account (with password field) -- (no change from previous issue) Text displayed in both locations.
* Password must not match any previous password.
* Password must be at least 10 characters in length.
A change is made as follows:
Visibility settings - OFF (no check mark in box)
There is NO message displayed in the register account (no password field). This is as it should be as there is no password field.
The edit account (with password field) is a follows:
The password does not include enough variation to be secure.
* Password must be at least 10 characters in length.
And the message "Password must not match any previous password." is NOT displayed.
The only change made is to either enable or disable the "visibility settings" check box on the password policies setting page.
#4
This is quite strange as I only added a check around
$form['password']to make sure it exists. It should not be impacting which policy messages appear.So is this behavior actually any different with the patch?
#5
When the patch is applied the module stops working. No displayed errors. i.e. if the policy is set for 10 characters that fails when the patch. If the patch is removed the 10 character policy is once again active.
#6
This is so strange. I must have inadvertently changed something after I tested. I'll give it another try soon.
#7
Appreciate the look when you have the time.
Thanks
#8
By not applying this patch, we are just dealing with a usability/UI issue. Let's ignore my patch and I'll take a fresh look now.
#9
Thanks for looking into this when you have time. Running into the same issue and really need the password validation bullets to not appear on the create new account page because I have "Require e-mail verification when a visitor creates an account" checked on the account setting page.
However, as mentioned above a good work around is to uncheck "Show restrictions on password change page." under Visibility settings. You won't see the password rules listed out on the page (which I need) but when you click in the password field on the edit user account page, the password rules do pop in and show up so its a pretty good work around.
#10
For the time being, please apply the basic CSS fix -
#user-register-form #account-pass-restrictions {display: none;
}
#11
#12
In an effort to get this into the 7.x-1.0 release, could someone get this patch tested on their site?
#13
Patch applied to 7.x-1.0-rc2 is working for me and solves issue in #9.
#14
Fixed and committed.
http://drupalcode.org/project/password_policy.git/commit/ae2ae09
#15
#16
Automatically closed -- issue fixed for 2 weeks with no activity.