Overview
I wanted to use Password Policy module to force strong passwords for user. However after successful module installation I was still able to save user profile form with week password (and as it turned out it's not Password Policy module fault!)
Steps
- Install vanilla Drupal 6.8
- Install Password Policy module (6.x-1-0.alpha1)
- Define default policy admin/settings/password_policy/add (any password policy - settings here are irrelevant)
- Enable Picture Support for users admin/user/settings
- Test it on any user profile e.g.: user/1/edit by typing new password that would not match policy requirement
Expected Behavior
AJAX box displayed properly warning that my password is weak and while saving form should get the waring that he password is incorrect.
What Happened
AJAX box correctly warns the password doesn't conform to policy, however I'm still able to save form.
I thought it's Password Policy module issue till I didn't turned off Picture support for users under /admin/user/settings. All of a sudden typing week password and saving user profile form complained (as expected) that typed password is wrong and didn't allow me to save form.
I've debbuged the code and this is what I found:
- After you hit Save button on user profile form along the way of function invocation /user/user.module user_edit_form is invoked and in the line 1535 it assigns value to $form['#validate']
- Later on /form.inc drupal_prepare_form is invoked and in the line 513 the condition for the $form value is checked. And if the $form['#validate'] doesn't exist array with validation callback function user_profile_form_validate is assigned.
After $form['#validate'] has been already assigned value in step 1 it will never reach assignment in step 2 that way making it not possible to invoke validation fuctions of Password Profile module or any other module like user.
I've attached a patch that will fix this behaviour.
Comment | File | Size | Author |
---|---|---|---|
drupal-form.patch | 844 bytes | Peter Swietoslawski | |
Comments
Comment #1
Dave ReidBetter solution provided in #361702: drupal_prepare_form() should always add default validate and submit handlers that needs to be fixed in 7.x first, then will be backported.
Comment #2
wickedskaman CreditAttribution: wickedskaman commentedThe patch linked needs to be ported to D6. This is still an issue... unless I am mistaken in my testing.