Validate password strength when resetting password

Bug #616528 reported by Natalia Bidart on 2010-08-11
Affects                       Importance  Assigned to
Canonical SSO provider        High        Łukasz Czyżykowski
Ubuntu Single Sign On Client  Medium      Natalia Bidart
ubuntu-sso-client (Ubuntu)    Medium      Ubuntu One Client Engineering team

Bug Description

When user enters password reset token we need to validate the new passwords.

Changed in ubuntu-sso-client:
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Naty Bidart (nataliabidart)
tags: added: u1-natty
Anthony Lenton (elachuni) wrote :

The canonical-identity-provider api should validate password resets in the exact same way the website does.

Changed in canonical-identity-provider:
milestone: none → 2.9.0
Changed in canonical-identity-provider:
importance: Undecided → High

Anthony, can you explain in more detail what you mean by that?

Anthony Lenton (elachuni) wrote :

Yup.

In webservice's models.py, set_new_password currently isn't calling password_policy_compliant to verify the strength of the password, so (if a consumer doesn't validate the password for us) the user could end up with a very weak password or even an empty one.

The only other place where you can set your password via the api is when you register(). The code currently uses a form to validate the parameters you pass in here, and this form calls password_policy_compliant in its validation code. I think ideally we'd do the same in set_new_password.

Changed in canonical-identity-provider:
milestone: 2.9.0 → 2.8.0
Changed in ubuntu-sso-client (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Ubuntu One Desktop+ team (ubuntuone-desktop+)
milestone: none → ubuntu-10.10
tags: added: desktop+ u1-maverick
removed: u1-natty
Changed in canonical-identity-provider:
status: New → Confirmed
Changed in canonical-identity-provider:
assignee: nobody → Łukasz Czyżykowski (lukasz-czyzykowski)
Changed in canonical-identity-provider:
status: Confirmed → In Progress
Natalia Bidart (nataliabidart) wrote :

Within ubuntu-sso-client, we also need to validate that password1 and password2 match.
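The two checks discussed in this bug, as an added illustration that is not code from canonical-identity-provider or ubuntu-sso-client: the server-side `set_new_password` path that Anthony describes (token verified, but `password_policy_compliant` never called, so a consumer that skips its own validation can leave the account with a weak or empty password) shown next to the hardened form that applies the same policy check the `register()` form already does, plus the client-side password1/password2 matching check Natalia mentions. The policy rules, the `User` class, the token store and the error class are assumptions made so the example runs stand-alone; the real SSO policy is not stated on this page.

```python
"""Password-reset validation, modelled on the discussion in LP #616528.

Added example, not project code. The policy (assumed: >= 8 chars, one
uppercase letter, one digit), the User class, the in-memory token store
and PasswordPolicyError are all assumptions for this illustration.
"""
import hashlib
import re
import secrets

MIN_LENGTH = 8          # assumed policy threshold
PBKDF2_ROUNDS = 100_000


class PasswordPolicyError(ValueError):
    """Raised when a candidate password fails the policy check."""


def password_policy_compliant(password):
    """Return True if the candidate meets the (assumed) password policy.

    A None or empty password never passes, which is exactly the case the
    unchecked reset path lets through.
    """
    if not isinstance(password, str) or len(password) < MIN_LENGTH:
        return False
    has_upper = re.search(r"[A-Z]", password) is not None
    has_digit = re.search(r"\d", password) is not None
    return has_upper and has_digit


def validate_password_pair(password1, password2):
    """Client-side form check: the two entries must match and be compliant.

    Returns a list of error strings (empty when the pair is acceptable).
    """
    errors = []
    if password1 != password2:
        errors.append("The passwords do not match.")
    if not password_policy_compliant(password1):
        errors.append(
            "Password must be at least %d characters and contain an "
            "uppercase letter and a digit." % MIN_LENGTH
        )
    return errors


class User:
    """Minimal stand-in for a user model with a salted PBKDF2 password hash."""

    def __init__(self, email):
        self.email = email
        self.password_hash = None   # salt (16 bytes) + pbkdf2 digest

    def set_password(self, raw):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, PBKDF2_ROUNDS)
        self.password_hash = salt + digest

    def check_password(self, raw):
        if self.password_hash is None:
            return False
        salt, digest = self.password_hash[:16], self.password_hash[16:]
        candidate = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, PBKDF2_ROUNDS)
        return secrets.compare_digest(candidate, digest)


def _consume_token(user, token, tokens):
    """Verify the reset token belongs to this user; raise if not."""
    if tokens.get(token) != user.email:
        raise ValueError("invalid or expired reset token")


def set_new_password_unchecked(user, token, new_password, tokens):
    """The weakness described in the bug: the token is verified, the password
    strength is not. An empty string is accepted as the new password."""
    _consume_token(user, token, tokens)
    user.set_password(new_password)
    del tokens[token]


def set_new_password(user, token, new_password, tokens):
    """Hardened form: same token check, then the same policy check register()
    applies. The token is only consumed after a compliant password is stored,
    so a rejected attempt does not burn the user's reset link."""
    _consume_token(user, token, tokens)
    if not password_policy_compliant(new_password):
        raise PasswordPolicyError("new password does not meet the password policy")
    user.set_password(new_password)
    del tokens[token]


if __name__ == "__main__":
    store = {"reset-token-1": "alice@example.com"}   # constructed sample token
    alice = User("alice@example.com")
    try:
        set_new_password(alice, "reset-token-1", "", store)
    except PasswordPolicyError as exc:
        print("rejected empty password:", exc)
    set_new_password(alice, "reset-token-1", "Correct-horse1", store)
    print("login with new password:", alice.check_password("Correct-horse1"))
```

The ordering in the hardened function matters for usability rather than security: checking the token first means an attacker cannot use the policy error to learn anything about a token, and deleting the token last means a user who mistypes a weak password can retry with the same reset link.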

Changed in ubuntu-sso-client:
importance: High → Medium
summary: - Validate password strength and matching when resetting password
+ Validate password strength when resetting password
David Owen (dsowen) on 2010-08-23
Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Dave Morley (davmor2) wrote :

Passes for sso on ec2

Changed in canonical-isd-qa:
status: New → Confirmed
assignee: nobody → Dave Morley (davmor2)
milestone: none → canonical-identity-provider+2.8.0
Changed in ubuntu-sso-client:
status: Confirmed → In Progress
dobey (dobey) on 2010-08-27
Changed in ubuntu-sso-client:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-sso-client - 0.99.4-0ubuntu1

---------------
ubuntu-sso-client (0.99.4-0ubuntu1) maverick; urgency=low

  * New upstream release:

  [ <email address hidden> ]
    * Validate form data for verify token page, request password token and set
    new password (LP: #625361).
    * Validate password strength on reset password page (LP: #616528).
    * Labels are not as wide as the parent window but a little bit less wide
    (LP: #625009).

  [ Alejandro J. Cura <email address hidden> ]
    * Store the credentials after the email validation step (LP: #625003)

  [ <email address hidden> ]
    * Every form can be submitted by activating the buttons and/or the entries
    (LP: #616421).

  [ David Planella <email address hidden> ]
    * Make setup.py actually use python-distutils-extra, which will allow the
    .deb package to build the POT file required to import translations into
    Launchpad (LP: #624891).

  [ <email address hidden> ]
    * Errors from SSO servers are being shown now to users, matching
    error-specific to fields (LP: #616101).
    * Also, be robust when SSO server answer with a string where it's supposed
    to be a list (LP: #623447).

  [ Alejandro J. Cura <email address hidden> ]
    * Use the keyring unlocking gnomekeyring APIs (LP: #623622)
    * Search all keyrings for the credentials (LP: #624033)

  [ <email address hidden> ]
    * Customize "help_text" for the login only dialog (LP: #624097).
    * Label areas are as wide as the parent window (LP: #616551).

  [ Alejandro J. Cura <email address hidden> ]
    * The list of error strings as returned by the SSO webservice can't go thru
    DBus (LP: #624358).
 -- Sebastien Bacher <email address hidden> Mon, 30 Aug 2010 19:10:13 +0200

Changed in ubuntu-sso-client (Ubuntu):
status: Triaged → Fix Released
Changed in ubuntu-sso-client:
status: Fix Committed → Fix Released
Julien Funk (jaboing) on 2010-08-31
Changed in canonical-isd-qa:
importance: Undecided → High
Julien Funk (jaboing) wrote :

Was part of the Doctest that dsowen ran for me. Pass in Staging.

Changed in canonical-isd-qa:
status: Confirmed → Fix Committed
Dave Morley (davmor2) on 2010-09-07
Changed in canonical-isd-qa:
status: Fix Committed → Fix Released
David Owen (dsowen) on 2010-09-07
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released