In webservice's models.py, set_new_password currently isn't calling password_policy_compliant to verify the strength of the password, so (if a consumer doesn't validate the password for us) the user could end up with a very weak password or even an empty one.
The only other place where you can set your password via the API is when you register(). The code currently uses a form to validate the parameters you pass in here, and this form calls password_policy_compliant in its validation code. I think ideally we'd do the same in set_new_password.
Yup.
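The gap described in the report, as an added sketch that is not the project's own code: the unchecked setter stores whatever it is given, while the checked one enforces the policy inside the model so no API consumer can bypass it. Only the names `set_new_password` and `password_policy_compliant` come from the report; the `Account` class, the policy rules, and the hashing are assumptions.

```python
import hashlib
import hmac
import os


class PasswordPolicyError(ValueError):
    """Raised when a candidate password fails the policy."""


def password_policy_compliant(password):
    # Assumed rules for this sketch (the real policy is not shown in the report):
    # at least 8 characters, one upper-case letter and one digit.
    if not isinstance(password, str) or len(password) < 8:
        return False
    return any(c.isupper() for c in password) and any(c.isdigit() for c in password)


class Account:
    """Hypothetical stand-in for the model in models.py."""

    def __init__(self):
        self.salt = None
        self.password_hash = None

    def _store(self, password):
        self.salt = os.urandom(16)
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self.salt, 100_000)

    def set_new_password_unchecked(self, password):
        # Behaviour described in the report: no policy check, so "" is stored.
        self._store(password)

    def set_new_password(self, password):
        # Enforce the policy in the model itself, before any state changes,
        # so the check does not depend on the caller or on a form.
        if not password_policy_compliant(password):
            raise PasswordPolicyError("password does not meet policy")
        self._store(password)

    def check_password(self, password):
        if self.password_hash is None:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.password_hash)
```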