Opened 5 years ago

Closed 4 years ago

#5414 closed defect (fixed)

Login-validator arbitrary and capricious

Reported by: mi Owned by:
Priority: minor Milestone:
Component: programming Keywords:
Cc: Parent Tickets:

Description

Using gmg adduser I created an account for myself named "mi". However, when I tried to login using it, I was told, the login-field must be between 3 and 30 characters long.

This is wrong on many levels:
. The authenticator should not be verifying the length of submitted login and password at all. Such checks might be appropriate for a new account-creation, but I was logging-in, not creating account.
. Even if you disagree with the above, gmg adduser should've rejected the name as too short instead.
. Not only is the lower limit of 3 too high -- a family installation can easily have one-letter accounts, the upper limit of 30 is too low as well. Though over 30 is unusual for an account-name, an e-mail address can easily exceed 30 characters.

I was able to login using my e-mail address instead of username, but this needs fixing (along with tests/test_auth.py).

Subtickets

Change History (5)

comment:1 Changed 5 years ago by Christopher Allan Webber

Yes I don't remember the justification for this restriction. It probably makes no sense.

comment:2 Changed 5 years ago by jsandoval

Owner: set to jsandoval
Status: newin_progress

comment:3 Changed 5 years ago by jsandoval

I created a branch named login-validator-5414 for review in this clone url: git@…:jsandovalc/mediagoblin.git

comment:4 Changed 5 years ago by jsandoval

Owner: jsandoval deleted
Status: in_progressreview

comment:5 Changed 4 years ago by Boris Bobrov

Resolution: fixed
Status: reviewclosed

thank you, merged!

Note: See TracTickets for help on using tickets.