? Pending
Pull Request for # 7158

User tests: Successful: Unsuccessful:

avatar dgt41
dgt41
10 May 2016

Steps to reproduce the issue

Install Joomla! and use in the user-name a "forbidden character like:
< > \ " ' % ; ( ) &

In my case the credentials where:
Admin-User: S9nFA7N7x7tL}jXOJqIx&vQk3jSF
JAdmin-Pass: msevXL0Stl,BV7szpufhMwo10^IV8SRs

In the installation process this user/password combination was accepted, installation went fine, but one could not log-in any more.

After I changed the username in the Database login was possible again.

Expected result

I would expect that during installation there would be a warning, that prevented me from choosing an username that renders the Superadministrator Login useless. Like the one that is used if one registers a new user in the backend.

Actual result

Installation with unusable username is possible. Therefore creating a not usable SuperAdmin account on installation

Testing

Install this as new branch https://github.com/dgt41/joomla-cms/archive/admin_username.zip
try to enter username containing < > \ " ' % ; ( ) &

a1379de 10 May 2016 avatar dgt41 init
avatar dgt41 dgt41 - open - 10 May 2016
avatar dgt41 dgt41 - change - 10 May 2016
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 10 May 2016
Labels Added: ?
avatar zero-24 zero-24 - change - 10 May 2016
Rel_Number 0 7158
Relation Type Pull Request for
avatar zero-24 zero-24 - change - 10 May 2016
Category Installation
avatar zero-24 zero-24 - change - 10 May 2016
Easy No Yes
avatar dgt41 dgt41 - change - 10 May 2016
The description was changed
avatar framontb
framontb - comment - 10 May 2016

I changed the type to "<field name="admin_user" type="username" ... " but it doesn't stops me from choosing '&&&&' as admin_user. Will I be doing something wrong?

avatar andrepereiradasilva
andrepereiradasilva - comment - 10 May 2016

same result as @framontb

avatar dgt41
dgt41 - comment - 10 May 2016

Once you hit the next button the validation should kick in and remove those characters

avatar andrepereiradasilva
andrepereiradasilva - comment - 10 May 2016

so no warning for the user that is admin username changed?

avatar dgt41
dgt41 - comment - 10 May 2016

@andrepereiradasilva yup, and that's not good for UX point of view

avatar brianteeman
brianteeman - comment - 10 May 2016

Seriously guys try to test and think a little before rushing to a PR.

avatar framontb
framontb - comment - 10 May 2016

This configuration:
<field name="admin_user" type="text" id="admin_user" class="inputbox validate-username"
label="INSTL_ADMIN_USER_LABEL"
required="true"
filter="username"
/>

works for me in the way you say @dgt41 . It removes the "bad characters" and go ahead. The user get advised because the text box change to red... but I think it should not go ahead to second step.
Perhaps could you merge your javascript solution with the rule I did? So the registration don't go to second step without a good username.

31b6721 10 May 2016 avatar dgt41 oops
ae26aeb 10 May 2016 avatar dgt41 more
avatar framontb
framontb - comment - 12 May 2016

This is not working as expected because javascript code clean "wrong" characters in admin_user field, so they never reach the server after next-button is pressed. So the rule in server side never applies. It seems time to make a decision?:

  • Better javascript solution (intrusive)
  • Better php rule in server side solution (non intrusive)
  • Modifying javascript for non changing the admin_user field but alert.

EDIT: true solution could be remove the filter="username" tag in field. So the field is not filtered but the javascript code warning turning the box red, and php rule works.
EDIT 2: and of course add this tag: validate="installation.username", so the rule applies.
EDIT 3: @dgt41 what do you think about?

avatar framontb framontb - reference | da47a23 - 19 May 16
avatar bhavikTailored bhavikTailored - test_item - 1 Jul 2016 - Tested unsuccessfully
avatar bhavikTailored
bhavikTailored - comment - 1 Jul 2016

I have tested this item ? unsuccessfully on ae26aeb

I have used same credentials which you provided for login. I have successfully login in administrator.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10391.

avatar gunjanpatel gunjanpatel - test_item - 1 Jul 2016 - Tested unsuccessfully
avatar gunjanpatel
gunjanpatel - comment - 1 Jul 2016

I have tested this item ? unsuccessfully on ae26aeb

I have tested with https://github.com/joomla/joomla-cms/archive/staging.zip using username and password given in your test instructions while installing joomla.
Admin-User: S9nFA7N7x7tL}jXOJqIx&vQk3jSF
JAdmin-Pass: msevXL0Stl,BV7szpufhMwo10^IV8SRs

Using the same username and password I was able to login in backend after installing joomla.

Tried with your https://github.com/dgt41/joomla-cms/archive/admin_username.zip and did the same. No difference with joomla staging branch and your admin_username branch.

I have created two video for the same.
With Joomla staging: https://youtu.be/YS0eSZRqRDQ
With your branch admin_username: https://youtu.be/skolh5i_FIc

Thanks.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10391.

avatar gunjanpatel gunjanpatel - alter_testresult - 1 Jul 2016 - gunjanpatel: Tested successfully
avatar gunjanpatel
gunjanpatel - comment - 1 Jul 2016

Sorry @dgt41 please ignore my previous test. I have logged it successfully now and this test is success for.

Using joomla staging branch when I am installing with following,
Admin-User: S9nFA7N7x7tL}jXOJqIx&vQk3jSF
JAdmin-Pass: msevXL0Stl,BV7szpufhMwo10^IV8SRs

After installation complete I am not able to login.

When I am using your branch admin_username i.e. your patch works successfully and it filters characters which are not valid.

screen shot 2016-07-01 at 08 15 08

Thanks for fixing this issue.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10391.

avatar bhavikTailored bhavikTailored - test_item - 1 Jul 2016 - Tested successfully
avatar bhavikTailored
bhavikTailored - comment - 1 Jul 2016

I have tested this item successfully on ae26aeb

I am sorry, I have tested again and found it successful. I misunderstood { and & character. It is counting { as valid but & as invalid character.

Thanks, it works for me so this patch is tested successfully.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10391.

avatar gunjanpatel
gunjanpatel - comment - 1 Jul 2016

One weird thing is that I am choosing username S9nFA7N7x7tL}jXOJqIx&vQk3jSF while login. Notice & is still in username and I am able to login with username having & in it while during installation & was already filtered out.
Still second thought in my mind that this is a valid test or now.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10391.

avatar gunjanpatel gunjanpatel - test_item - 4 Jul 2016 - Tested successfully
avatar gunjanpatel
gunjanpatel - comment - 4 Jul 2016

I have tested this item successfully on ae26aeb


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10391.

avatar gunjanpatel
gunjanpatel - comment - 4 Jul 2016

@dgt41 I am not sure why but travis is not happy ?


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10391.

avatar zero-24
zero-24 - comment - 4 Jul 2016

@dgt41 @gunjanpatel

CS error found by Mr. Travis ;)

FILE: ...home/travis/build/joomla/joomla-cms/installation/form/rule/username.php
--------------------------------------------------------------------------------
FOUND 1 ERROR(S) AFFECTING 1 LINE(S)
--------------------------------------------------------------------------------
 29 | ERROR | Expected 1 blank line before member var; 0 found
--------------------------------------------------------------------------------
UPGRADE TO PHP_CODESNIFFER 2.0 TO FIX ERRORS AUTOMATICALLY
--------------------------------------------------------------------------------
c278ba8 4 Jul 2016 avatar dgt41 CS
avatar joomla-cms-bot
joomla-cms-bot - comment - 4 Jul 2016

This PR has received new commits.

CC: @bhavikTailored, @gunjanpatel


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10391.

avatar gunjanpatel gunjanpatel - test_item - 11 Jul 2016 - Tested successfully
avatar gunjanpatel
gunjanpatel - comment - 11 Jul 2016

I have tested this item successfully on c278ba8


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10391.

avatar gunjanpatel gunjanpatel - change - 11 Jul 2016
Status Pending Ready to Commit
avatar gunjanpatel
gunjanpatel - comment - 11 Jul 2016

Setting RTC as we have two successful tests.
Thanks.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10391.

avatar joomla-cms-bot joomla-cms-bot - change - 11 Jul 2016
Labels Added: ?
avatar roland-d roland-d - change - 16 Jul 2016
Status Ready to Commit Information Required
Labels
avatar roland-d
roland-d - comment - 16 Jul 2016

Removing the RTC label here because I don't think this PR is complete.

There should be a message to the user the username is invalid instead of just cleaning it without notice. The same way as the password field works.

As for my test, I don't see the username being cleaned. I did see it happen once but not anymore after clicking Next and back a few times. It will only highlight the field as incorrect when you focus out of the field.

Now I found out something else doing the following:
1. I copy-pasted your username into the field
2. Ignored the error
3. Clicked Next
4. Click back and see the ) is stripped out
5. Add the ) back into the username
6. Click Next
7. Click Back
8. Notice the ) is still there


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10391.

avatar joomla-cms-bot joomla-cms-bot - change - 16 Jul 2016
Labels Removed: ?
avatar dgt41
dgt41 - comment - 13 Sep 2016

@roland-d since there is another PR for ajaxifying this field, is this still relative or should I just close it?

avatar roland-d
roland-d - comment - 13 Sep 2016

@dgt41 Does the other PR also touch the installation part? If so, I guess we can close this one.

avatar dgt41
dgt41 - comment - 13 Sep 2016

@roland-d I have no clue, also I don't know if the checks are only if the name exists or more specific if the name doesn't contain illegal characters. I guess I'll have to test that...

avatar dgt41 dgt41 - change - 11 Oct 2016
Status Information Required Closed
Closed_Date 0000-00-00 00:00:00 2016-10-11 11:36:25
Closed_By dgt41
avatar dgt41 dgt41 - close - 11 Oct 2016

Add a Comment

Login with GitHub to post a comment