FEATURE: new setting min_admin_password_length and better default

2024-11-27 09:36:19 -05:00 · 2016-03-02 14:01:38 +05:30 · 2016-03-02 14:01:38 +05:30 · 50e65634d7
commit 50e65634d7
parent c15c483931
6 changed files with 23 additions and 6 deletions
--- a/app/views/users/password_reset.html.erb
+++ b/app/views/users/password_reset.html.erb
@ -37,7 +37,7 @@
        <p>
          <span style="display: none;"><input name="username" type="text" value="<%= @user.username %>"></span>
          <input id="user_password" name="password" size="30" type="password" maxlength="<%= User.max_password_length %>" onkeypress="capsLock(event)">
-          <label><%= t('js.user.password.instructions', count: SiteSetting.min_password_length) %></label>
+          <label><%= t('js.user.password.instructions', count: @user.admin? ? SiteSetting.min_admin_password_length : SiteSetting.min_password_length) %></label>
        </p>
        <div id="capsLockWarning" class="caps-lock-warning" style="visibility:hidden"><i class="fa fa-exclamation-triangle"></i> <%= t 'js.login.caps_lock_warning' %></div>
        <p>
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -915,6 +915,7 @@ en:
    reserved_usernames: "Usernames for which signup is not allowed."

    min_password_length: "Minimum password length."
+    min_admin_password_length: "Minimum password length for Admin."
    block_common_passwords: "Don't allow passwords that are in the 10,000 most common passwords."

    enable_sso: "Enable single sign on via an external site (WARNING: USERS' EMAIL ADDRESSES *MUST* BE VALIDATED BY THE EXTERNAL SITE!)"
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -292,7 +292,11 @@ users:
    default: "admin|moderator|administrator|mod|sys|system|community|info|you|name|username|user|nickname|discourse|discourseorg|discourseforum|support"
  min_password_length:
    client: true
-    default: 8
+    default: 10
+    min: 1
+  min_admin_password_length:
+    client: true
+    default: 15
    min: 1
  block_common_passwords: true
  enforce_global_nicknames:
--- a/lib/validators/password_validator.rb
+++ b/lib/validators/password_validator.rb
@ -6,6 +6,8 @@ class PasswordValidator < ActiveModel::EachValidator
    return unless record.password_required?
    if value.nil?
      record.errors.add(attribute, :blank)
+    elsif value.length < SiteSetting.min_admin_password_length && record.admin?
+      record.errors.add(attribute, :too_short, count: SiteSetting.min_admin_password_length)
    elsif value.length < SiteSetting.min_password_length
      record.errors.add(attribute, :too_short, count: SiteSetting.min_password_length)
    elsif record.username.present? && value == record.username
--- a/spec/components/validators/password_validator_spec.rb
+++ b/spec/components/validators/password_validator_spec.rb
@ -40,6 +40,15 @@ describe PasswordValidator do
          validate
          expect(record.errors[:password]).to be_present
        end
+
+        it "adds an error when user is admin and password is less than 15 chars" do
+          SiteSetting.min_admin_password_length = 15
+
+          @password = "12345678912"
+          record.admin = true
+          validate
+          expect(record.errors[:password]).to be_present
+        end
      end

      context "min password length is 12" do
@ -55,6 +64,7 @@ describe PasswordValidator do

    context "password is commonly used" do
      before do
+        SiteSetting.stubs(:min_password_length).returns(8)
        CommonPasswords.stubs(:common_password?).returns(true)
      end

@ -74,7 +84,7 @@ describe PasswordValidator do
    end

    it "adds an error when password is the same as the username" do
-      @password = "porkchops1"
+      @password = "porkchops1234"
      record.username = @password
      validate
      expect(record.errors[:password]).to be_present
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@ -723,7 +723,7 @@ describe UsersController do
      context "with values for the fields" do
        let(:create_params) { {
          name: @user.name,
-          password: 'watwatwat',
+          password: 'watwatwatwat',
          username: @user.username,
          email: @user.email,
          user_fields: {
@ -773,7 +773,7 @@ describe UsersController do
      context "without values for the fields" do
        let(:create_params) { {
          name: @user.name,
-          password: 'watwatwat',
+          password: 'watwatwatwat',
          username: @user.username,
          email: @user.email,
        } }
@ -793,7 +793,7 @@ describe UsersController do
      let!(:staged) { Fabricate(:staged, email: "staged@account.com") }

      it "succeeds" do
-        xhr :post, :create, email: staged.email, username: "zogstrip", password: "P4ssw0rd"
+        xhr :post, :create, email: staged.email, username: "zogstrip", password: "P4ssw0rd$$"
        result = ::JSON.parse(response.body)
        expect(result["success"]).to eq(true)
        expect(User.find_by(email: staged.email).staged).to eq(false)