Overview

I wanted to use the Password Policy module to force strong passwords for users. However, after successful module installation I was still able to save the user profile form with a weak password (and as it turned out, it's not the Password Policy module's fault!).

Steps

  • Install vanilla Drupal 6.8
  • Install Password Policy module (6.x-1-0.alpha1)
  • Define default policy admin/settings/password_policy/add (any password policy - settings here are irrelevant)
  • Enable Picture Support for users admin/user/settings
  • Test it on any user profile, e.g. user/1/edit, by typing a new password that does not match the policy requirement

Expected Behavior

AJAX box displayed properly, warning that my password is weak, and while saving the form I should get the warning that the password is incorrect.

What Happened

AJAX box correctly warns the password doesn't conform to policy, however I'm still able to save the form.

I thought it was a Password Policy module issue until I turned off Picture support for users under /admin/user/settings. All of a sudden, typing a weak password and saving the user profile form complained (as expected) that the typed password is wrong and didn't allow me to save the form.

I've debugged the code and this is what I found:

  1. After you hit the Save button on the user profile form, along the chain of function invocations user_edit_form in /user/user.module is invoked, and on line 1535 it assigns a value to $form['#validate']
  2. Later on, drupal_prepare_form in /form.inc is invoked, and on line 513 a condition on the $form value is checked. If $form['#validate'] doesn't exist, an array with the validation callback function user_profile_form_validate is assigned.

Since $form['#validate'] has already been assigned a value in step 1, it will never reach the assignment in step 2, making it impossible to invoke the validation functions of Password Profile module or any other module like user.

I've attached a patch that will fix this behaviour.

Attached file: drupal-form.patch (844 bytes), author: Peter Swietoslawski
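The handler-registration behaviour described in the report, as an added example that is not part of the original post and is not Drupal source or the attached patch. It is a simplified standalone model: picture_validate, build_form, prepare_conditional, prepare_always, validate and the 8-character policy are hypothetical, and prepare_always only follows the idea in the title of #361702.

```php
<?php
// Simplified model, not Drupal source; names other than user_profile_form_validate are hypothetical.
// Stand-in for the default validator, where the password policy check runs.
function user_profile_form_validate(array $values, array &$errors) {
  if (strlen($values['pass']) < 8) {  // constructed policy: at least 8 characters
    $errors[] = 'Password does not meet the policy.';
  }
}

// Stand-in for the extra validator registered when picture support is enabled.
function picture_validate(array $values, array &$errors) {}

// Form builder: pre-populates #validate only when picture support is on (step 1).
function build_form($pictures_enabled) {
  $form = array('#id' => 'user_profile_form');
  if ($pictures_enabled) {
    $form['#validate'][] = 'picture_validate';
  }
  return $form;
}

// Step 2 as reported: the default validator is added only if #validate is unset.
function prepare_conditional(array $form) {
  if (!isset($form['#validate'])) {
    $form['#validate'] = array($form['#id'] . '_validate');
  }
  return $form;
}

// Alternative: always register the default validator, then any extras.
function prepare_always(array $form) {
  $extra = isset($form['#validate']) ? $form['#validate'] : array();
  $form['#validate'] = array_merge(array($form['#id'] . '_validate'), $extra);
  return $form;
}

// Runs every registered validator and returns the collected errors.
function validate(array $form, array $values) {
  $errors = array();
  foreach ($form['#validate'] as $callback) {
    $callback($values, $errors);
  }
  return $errors;
}

$weak = array('pass' => 'abc');  // constructed sample input
foreach (array(false, true) as $pictures) {
  $c = count(validate(prepare_conditional(build_form($pictures)), $weak));
  $a = count(validate(prepare_always(build_form($pictures)), $weak));
  printf("pictures=%d conditional_errors=%d always_errors=%d\n", $pictures, $c, $a);
}
```

With picture support on, the conditional variant collects no errors for the weak password because the default validator was never registered, while the always-register variant rejects it in both cases.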

Comments

Dave Reid

Status: Active » Closed (duplicate)

Better solution provided in #361702: drupal_prepare_form() should always add default validate and submit handlers that needs to be fixed in 7.x first, then will be backported.

wickedskaman

Status: Closed (duplicate) » Patch (to be ported)

The patch linked needs to be ported to D6. This is still an issue... unless I am mistaken in my testing.

Status: Patch (to be ported) » Closed (outdated)

Automatically closed because Drupal 6 is no longer supported. If the issue verifiably applies to later versions, please reopen with details and update the version.