Re: [web2py] Re: Requiring password on registration
Thanks

On Sun, Aug 12, 2012 at 12:09 PM, Anthony wrote:
> Note, this has now been fixed in trunk:
> http://code.google.com/p/web2py/source/detail?r=73b2137eb32e61abc47b491786643d46c199
>
> On Saturday, August 11, 2012 11:21:12 PM UTC-4, Anthony wrote:
>> Looks like a bug in the wizard:
>>
>> db.auth_user.password.requires = CRYPT(key=auth.settings.hmac_key)
>>
>> should be:
>>
>> db.auth_user.password.requires = CRYPT(key=auth.settings.hmac_key,min_length=4)
>>
>> Actually, maybe the wizard should simply use auth.define_tables() instead of manually creating the auth_user table -- would be easier to keep the wizard consistent with standard apps.
>>
>> Anthony
>>
>> On Saturday, August 11, 2012 8:40:12 PM UTC-4, Yarin wrote:
>>> Anthony- I'm on 1.99.7 stable. Just tried it with a fresh basic app and there the problem doesn't exist. However, if you use the *app wizard*, and just click through accepting all the defaults, it will recreate the issue. Note also that it DOES allow logging in with no password subsequent to the registration. Adding the requires.insert(0,IS_LENGTH(minsize=5)) has no effect.
>>>
>>> I've attached the app I just generated with the wizard on all default settings.
>>>
>>> On Saturday, August 11, 2012 7:10:29 PM UTC-4, Anthony wrote:
>>>>> Anthony's correct- this is in Auth, but is not being respected:
>>>>> settings.password_min_length = 4
>>>>
>>>> I just created a fresh app using trunk, and when I try to register without a password, I get a "too short" error message on the password field. What version of web2py are you using? Can we see your Auth related code? Or maybe you can pack and attach a simple app that exhibits the behavior.
>>>>
>>>>> Massimo - "For security reason it will not be accepted for logging anyway." - Not sure what you meant but it registered me and logged me in with an empty pass.
>>>>
>>>> By default, when you first register, you are automatically logged in upon registration (this can be disabled). I think Massimo meant that subsequently you will not be able to continue to login with an empty password.
>>>>
>>>>> I also tried inserting:
>>>>> db.auth_user.password.requires.insert(0,IS_LENGTH(minsize=5))
>>>>
>>>> What happens when you try that -- does it generate an error, or simply allow you to register without a password?
>>>>
>>>> Anthony
[web2py] Re: Requiring password on registration
Note, this has now been fixed in trunk:
http://code.google.com/p/web2py/source/detail?r=73b2137eb32e61abc47b491786643d46c199

On Saturday, August 11, 2012 11:21:12 PM UTC-4, Anthony wrote:
> Looks like a bug in the wizard:
>
> db.auth_user.password.requires = CRYPT(key=auth.settings.hmac_key)
>
> should be:
>
> db.auth_user.password.requires = CRYPT(key=auth.settings.hmac_key,min_length=4)
>
> Actually, maybe the wizard should simply use auth.define_tables() instead of manually creating the auth_user table -- would be easier to keep the wizard consistent with standard apps.
>
> Anthony
>
> On Saturday, August 11, 2012 8:40:12 PM UTC-4, Yarin wrote:
>> Anthony- I'm on 1.99.7 stable. Just tried it with a fresh basic app and there the problem doesn't exist. However, if you use the *app wizard*, and just click through accepting all the defaults, it will recreate the issue. Note also that it DOES allow logging in with no password subsequent to the registration. Adding the requires.insert(0,IS_LENGTH(minsize=5)) has no effect.
>>
>> I've attached the app I just generated with the wizard on all default settings.
>>
>> On Saturday, August 11, 2012 7:10:29 PM UTC-4, Anthony wrote:
>>>> Anthony's correct- this is in Auth, but is not being respected:
>>>> settings.password_min_length = 4
>>>
>>> I just created a fresh app using trunk, and when I try to register without a password, I get a "too short" error message on the password field. What version of web2py are you using? Can we see your Auth related code? Or maybe you can pack and attach a simple app that exhibits the behavior.
>>>
>>>> Massimo - "For security reason it will not be accepted for logging anyway." - Not sure what you meant but it registered me and logged me in with an empty pass.
>>>
>>> By default, when you first register, you are automatically logged in upon registration (this can be disabled). I think Massimo meant that subsequently you will not be able to continue to login with an empty password.
>>>
>>>> I also tried inserting:
>>>> db.auth_user.password.requires.insert(0,IS_LENGTH(minsize=5))
>>>
>>> What happens when you try that -- does it generate an error, or simply allow you to register without a password?
>>>
>>> Anthony
[web2py] Re: Requiring password on registration
db.auth_user.password.requires.insert(0,IS_LENGTH(minsize=5))

did not fix it on its own, but

db.auth_user.password.requires = CRYPT(key=auth.settings.hmac_key,min_length=4)

did fix it. Thanks a lot for your help.

On Saturday, August 11, 2012 11:42:35 PM UTC-4, Anthony wrote:
>> Note also that it DOES allow logging in with no password subsequent to the registration.
>
> Right, it looks like login will allow no password if password length is enforced only by CRYPT (it actually overrides the CRYPT min_length attribute). I don't think it will override IS_STRONG or IS_LENGTH, though.
>
>> Adding the requires.insert(0,IS_LENGTH(minsize=5)) has no effect.
>
> I'm not able to unpack/install the app you attached (seems to be corrupted), but when I insert IS_LENGTH in my own test app as you have above, it works fine. Would have to see your code to figure out what's wrong.
>
> Anthony
[web2py] Re: Requiring password on registration
> Note also that it DOES allow logging in with no password subsequent to the registration.

Right, it looks like login will allow no password if password length is enforced only by CRYPT (it actually overrides the CRYPT min_length attribute). I don't think it will override IS_STRONG or IS_LENGTH, though.

> Adding the requires.insert(0,IS_LENGTH(minsize=5)) has no effect.

I'm not able to unpack/install the app you attached (seems to be corrupted), but when I insert IS_LENGTH in my own test app as you have above, it works fine. Would have to see your code to figure out what's wrong.

Anthony
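A stand-alone model of the behaviour discussed in this thread, added here as an example; it is not web2py code and not code from any poster. `ToyCrypt`, `ToyIsLength`, `validate`, `login_accepts` and the key are hypothetical stand-ins that only mimic a validator returning a (value, error) pair, and the login step follows the description in the message above rather than the framework source.

```python
import hashlib
import hmac

class ToyCrypt:
    """Hypothetical stand-in for a hashing validator with a minimum length."""
    def __init__(self, key, min_length=0):
        self.key, self.min_length = key, min_length

    def __call__(self, value):
        if len(value) < self.min_length:
            return value, "too short"
        digest = hmac.new(self.key, value.encode(), hashlib.sha512).hexdigest()
        return digest, None

class ToyIsLength:
    """Hypothetical stand-in for a plain length check placed before the hasher."""
    def __init__(self, minsize):
        self.minsize = minsize

    def __call__(self, value):
        return value, (None if len(value) >= self.minsize else "too short")

def validate(requires, value):
    """Run validators in order and stop at the first error."""
    for validator in requires:
        value, error = validator(value)
        if error:
            return None, error
    return value, None

def login_accepts(requires, stored_hash, submitted):
    """Login path as described in the thread: the hasher's own length limit
    is dropped, other validators in the chain are left in place."""
    relaxed = [ToyCrypt(v.key) if isinstance(v, ToyCrypt) else v for v in requires]
    hashed, error = validate(relaxed, submitted)
    return error is None and hmac.compare_digest(hashed, stored_hash)

KEY = b"constructed-demo-key"  # constructed value, not a real hmac_key
wizard = [ToyCrypt(KEY)]                                  # no min_length
fixed = [ToyCrypt(KEY, min_length=4)]                     # the corrected line
layered = [ToyIsLength(5), ToyCrypt(KEY, min_length=4)]   # length check plus hasher

if __name__ == "__main__":
    empty_hash, _ = validate(wizard, "")    # wizard config stores a hash of ""
    print(validate(fixed, ""))              # registration now refused
    print(login_accepts(fixed, empty_hash, ""))    # old empty account still logs in
    print(login_accepts(layered, empty_hash, ""))  # blocked by the length check
```

In this model an account registered with an empty password before the fix stays usable afterwards unless a separate length validator is in the chain or the stored hash is reset.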
[web2py] Re: Requiring password on registration
Looks like a bug in the wizard:

db.auth_user.password.requires = CRYPT(key=auth.settings.hmac_key)

should be:

db.auth_user.password.requires = CRYPT(key=auth.settings.hmac_key,min_length=4)

Actually, maybe the wizard should simply use auth.define_tables() instead of manually creating the auth_user table -- would be easier to keep the wizard consistent with standard apps.

Anthony

On Saturday, August 11, 2012 8:40:12 PM UTC-4, Yarin wrote:
> Anthony- I'm on 1.99.7 stable. Just tried it with a fresh basic app and there the problem doesn't exist. However, if you use the *app wizard*, and just click through accepting all the defaults, it will recreate the issue. Note also that it DOES allow logging in with no password subsequent to the registration. Adding the requires.insert(0,IS_LENGTH(minsize=5)) has no effect.
>
> I've attached the app I just generated with the wizard on all default settings.
>
> On Saturday, August 11, 2012 7:10:29 PM UTC-4, Anthony wrote:
>>> Anthony's correct- this is in Auth, but is not being respected:
>>> settings.password_min_length = 4
>>
>> I just created a fresh app using trunk, and when I try to register without a password, I get a "too short" error message on the password field. What version of web2py are you using? Can we see your Auth related code? Or maybe you can pack and attach a simple app that exhibits the behavior.
>>
>>> Massimo - "For security reason it will not be accepted for logging anyway." - Not sure what you meant but it registered me and logged me in with an empty pass.
>>
>> By default, when you first register, you are automatically logged in upon registration (this can be disabled). I think Massimo meant that subsequently you will not be able to continue to login with an empty password.
>>
>>> I also tried inserting:
>>> db.auth_user.password.requires.insert(0,IS_LENGTH(minsize=5))
>>
>> What happens when you try that -- does it generate an error, or simply allow you to register without a password?
>>
>> Anthony
[web2py] Re: Requiring password on registration
> Anthony's correct- this is in Auth, but is not being respected:
> settings.password_min_length = 4

I just created a fresh app using trunk, and when I try to register without a password, I get a "too short" error message on the password field. What version of web2py are you using? Can we see your Auth related code? Or maybe you can pack and attach a simple app that exhibits the behavior.

> Massimo - "For security reason it will not be accepted for logging anyway." - Not sure what you meant but it registered me and logged me in with an empty pass.

By default, when you first register, you are automatically logged in upon registration (this can be disabled). I think Massimo meant that subsequently you will not be able to continue to login with an empty password.

> I also tried inserting:
> db.auth_user.password.requires.insert(0,IS_LENGTH(minsize=5))

What happens when you try that -- does it generate an error, or simply allow you to register without a password?

Anthony
[web2py] Re: Requiring password on registration
Anthony's correct- this is in Auth, but is not being respected:

settings.password_min_length = 4

Massimo - "For security reason it will not be accepted for logging anyway." - Not sure what you meant but it registered me and logged me in with an empty pass.

I also tried inserting:

db.auth_user.password.requires.insert(0,IS_LENGTH(minsize=5))

in db.py and it hasn't fixed it. Bug report?

On Saturday, August 11, 2012 4:43:43 PM UTC-4, Anthony wrote:
> According to the code:
>
> settings.password_min_length = 4
>
> and
>
> table[passfield].requires = [
>     CRYPT(key=settings.hmac_key, min_length=settings.password_min_length)]
>
> So, isn't the minimum password length 4 by default?
>
> Anthony
>
> On Saturday, August 11, 2012 3:21:06 PM UTC-4, Massimo Di Pierro wrote:
>> This was discussed once and people said there should be no default minimum length for password. So technically a zero length password can be inserted. For security reason it will not be accepted for logging anyway.
>>
>> db.auth_user.password.requires.insert(0,IS_LENGTH(minsize=5))
>>
>> On Saturday, 11 August 2012 10:26:37 UTC-5, Yarin wrote:
>>> The default login form does not require a password to be entered when registering. Is this intentional? Seems a funny default.
>>>
>>> I can't figure out how to require a password.
>>>
>>> I added
>>> db.auth_user.password.requires = IS_NOT_EMPTY(error_message=auth.messages.is_empty)
>>>
>>> and added
>>> required=True
>>>
>>> to the db password field definition, but it still lets me register without any password...
[web2py] Re: Requiring password on registration
According to the code:

settings.password_min_length = 4

and

table[passfield].requires = [
    CRYPT(key=settings.hmac_key, min_length=settings.password_min_length)]

So, isn't the minimum password length 4 by default?

Anthony

On Saturday, August 11, 2012 3:21:06 PM UTC-4, Massimo Di Pierro wrote:
> This was discussed once and people said there should be no default minimum length for password. So technically a zero length password can be inserted. For security reason it will not be accepted for logging anyway.
>
> db.auth_user.password.requires.insert(0,IS_LENGTH(minsize=5))
>
> On Saturday, 11 August 2012 10:26:37 UTC-5, Yarin wrote:
>> The default login form does not require a password to be entered when registering. Is this intentional? Seems a funny default.
>>
>> I can't figure out how to require a password.
>>
>> I added
>> db.auth_user.password.requires = IS_NOT_EMPTY(error_message=auth.messages.is_empty)
>>
>> and added
>> required=True
>>
>> to the db password field definition, but it still lets me register without any password...
[web2py] Re: Requiring password on registration
This was discussed once and people said there should be no default minimum length for password. So technically a zero length password can be inserted. For security reason it will not be accepted for logging anyway.

db.auth_user.password.requires.insert(0,IS_LENGTH(minsize=5))

On Saturday, 11 August 2012 10:26:37 UTC-5, Yarin wrote:
> The default login form does not require a password to be entered when registering. Is this intentional? Seems a funny default.
>
> I can't figure out how to require a password.
>
> I added
> db.auth_user.password.requires = IS_NOT_EMPTY(error_message=auth.messages.is_empty)
>
> and added
> required=True
>
> to the db password field definition, but it still lets me register without any password...