I established a site policy as follows:
* Lowercase 1
* Uppercase 1
* Length 6
* Username 1
* Type 2

No expiration period was set.
I did not require user 1 to be held accountable to the policy.

When I logged in as an average user and changed my password, it gave all the appropriate warnings, but allowed me to save anyway.

Other system factors that may cause this bug include:
* Drupal 6.5
* MySQL database 5.0.51a
* PHP 4.4.7
* Web server Apache/1.3.39 (Unix) mod_fastcgi/2.4.2 mod_gzip/1.3.26.1a mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b

I know this is still in Alpha mode. But since it's "recommended" I was hoping it would actually enforce the policy.

Comments

gtaylor’s picture

gtaylor commented

Is it a php version issue?

miglius’s picture

miglius commented

I cannot replicate the issue.

On the entering password there is a js block showing if the password entered has met the site requirements. When saving the page with a bad password the same form is shown again with the form error message on the top of the page listing the policies which were not met. The page is not saved until all policies are met.

gtaylor’s picture

gtaylor commented

the php4 envt. is my sandbox play envt. We'll retry in our dev envt. w/ php5. I'll update you and let you know if I can replicate there.

Other config points:

- we don't have an expiration policy
- user 1 is not held to the expiration policy
- I was testing w/ another user, not user 1. But this user had super user privileges to practically everything.

Again, I'll let you know if we can replicate w/ php5 within a few days.
Thanks for the module!

gtaylor’s picture

gtaylor commented

We tried it on a php5 box and still had the same problem.

But we tried the module on a vanilla install and did NOT have the problem.

I assume it's some kind of module or configuration conflict. Our developer did some debugging and found the following:

Drupal is currently passing wrong parameter from the User Profile form. This causes form to be saved without invocating validation code. If I change passed parameter to right one than Drupal invokes validation function from Password Policy module and it works fine. So it looks more like Drupal issue than the module itself.
user_profile_form_submit function is invoked from user_pages.inc from core user module instead of user_profile_form_validate

Looks like the for some reason proper hook for this module hasn't been registered. The question is why?

We're under a time crunch right now so we decided to hack it rather than chase the root of the problem. Yes, we hacked Drupal core. (Please no 6.7 tomorrow!)

Function form_execute_handler from /includes/form.inc has not invoked user_profile_form_validate as this function seems not to be registered as a handler!?
To fix this we I've added the following line inside form_execute_handler: 

array_push($handlers, "user_profile_form_validate");

Once we're past our deadline we'll go back and figure out which module / config is causing this problem. Look for an update later (couple of weeks) on this thread.

In the mean time, if anything jumps out at you, let us know.

Thanks!

gtaylor’s picture

gtaylor commented
Status: Active » Fixed

Fortunately, this problem went away for us with the latest Drupal 6.7 upgrade.

For what it's worth, the hack we did to get around it while it was a problem did cause some issues during some administrative functions. It caused problems adding and moving blocks and I sometimes got bogus messages when creating users. Though I could work around the later.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

Peter Swietoslawski’s picture

Peter Swietoslawski commented

Actuall gtaylor is right that with Password Policy module installed and set properly you are still able to save week passwords however it's not module fault!!!

More info can be found at #356521: Incorrect form validation processing prevents custom validation functions to be invoked.