User tests: Successful: Unsuccessful:
Install Joomla! and use in the user-name a "forbidden character like:
< > \ " ' % ; ( ) &
In my case the credentials where:
Admin-User: S9nFA7N7x7tL}jXOJqIx&vQk3jSF
JAdmin-Pass: msevXL0Stl,BV7szpufhMwo10^IV8SRs
In the installation process this user/password combination was accepted, installation went fine, but one could not log-in any more.
After I changed the username in the Database login was possible again.
I would expect that during installation there would be a warning, that prevented me from choosing an username that renders the Superadministrator Login useless. Like the one that is used if one registers a new user in the backend.
Installation with unusable username is possible. Therefore creating a not usable SuperAdmin account on installation
Install this as new branch https://github.com/dgt41/joomla-cms/archive/admin_username.zip
try to enter username containing < > \ " ' % ; ( ) &
Status | New | ⇒ | Pending |
Labels |
Added:
?
|
Rel_Number | 0 | ⇒ | 7158 |
Relation Type | ⇒ | Pull Request for |
Category | ⇒ | Installation |
Easy | No | ⇒ | Yes |
Once you hit the next button the validation should kick in and remove those characters
so no warning for the user that is admin username changed?
@andrepereiradasilva yup, and that's not good for UX point of view
Seriously guys try to test and think a little before rushing to a PR.
This configuration:
<field name="admin_user" type="text" id="admin_user" class="inputbox validate-username"
label="INSTL_ADMIN_USER_LABEL"
required="true"
filter="username"
/>
works for me in the way you say @dgt41 . It removes the "bad characters" and go ahead. The user get advised because the text box change to red... but I think it should not go ahead to second step.
Perhaps could you merge your javascript solution with the rule I did? So the registration don't go to second step without a good username.
This is not working as expected because javascript code clean "wrong" characters in admin_user field, so they never reach the server after next-button is pressed. So the rule in server side never applies. It seems time to make a decision?:
EDIT: true solution could be remove the filter="username"
tag in field. So the field is not filtered but the javascript code warning turning the box red, and php rule works.
EDIT 2: and of course add this tag: validate="installation.username"
, so the rule applies.
EDIT 3: @dgt41 what do you think about?
I have tested this item
I have used same credentials which you provided for login. I have successfully login in administrator.
I have tested this item
I have tested with https://github.com/joomla/joomla-cms/archive/staging.zip using username and password given in your test instructions while installing joomla.
Admin-User: S9nFA7N7x7tL}jXOJqIx&vQk3jSF
JAdmin-Pass: msevXL0Stl,BV7szpufhMwo10^IV8SRs
Using the same username and password I was able to login in backend after installing joomla.
Tried with your https://github.com/dgt41/joomla-cms/archive/admin_username.zip and did the same. No difference with joomla staging branch and your admin_username branch.
I have created two video for the same.
With Joomla staging: https://youtu.be/YS0eSZRqRDQ
With your branch admin_username: https://youtu.be/skolh5i_FIc
Thanks.
Sorry @dgt41 please ignore my previous test. I have logged it successfully now and this test is success for.
Using joomla staging branch when I am installing with following,
Admin-User: S9nFA7N7x7tL}jXOJqIx&vQk3jSF
JAdmin-Pass: msevXL0Stl,BV7szpufhMwo10^IV8SRs
After installation complete I am not able to login.
When I am using your branch admin_username
i.e. your patch works successfully and it filters characters which are not valid.
Thanks for fixing this issue.
I have tested this item
I am sorry, I have tested again and found it successful. I misunderstood {
and &
character. It is counting {
as valid but &
as invalid character.
Thanks, it works for me so this patch is tested successfully.
One weird thing is that I am choosing username S9nFA7N7x7tL}jXOJqIx&vQk3jSF
while login. Notice &
is still in username and I am able to login with username having &
in it while during installation &
was already filtered out.
Still second thought in my mind that this is a valid test or now.
I have tested this item
@dgt41 I am not sure why but travis is not happy
CS error found by Mr. Travis ;)
FILE: ...home/travis/build/joomla/joomla-cms/installation/form/rule/username.php
--------------------------------------------------------------------------------
FOUND 1 ERROR(S) AFFECTING 1 LINE(S)
--------------------------------------------------------------------------------
29 | ERROR | Expected 1 blank line before member var; 0 found
--------------------------------------------------------------------------------
UPGRADE TO PHP_CODESNIFFER 2.0 TO FIX ERRORS AUTOMATICALLY
--------------------------------------------------------------------------------
This PR has received new commits.
CC: @bhavikTailored, @gunjanpatel
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
Setting RTC as we have two successful tests.
Thanks.
Labels |
Added:
?
|
Status | Ready to Commit | ⇒ | Information Required |
Labels |
Removing the RTC label here because I don't think this PR is complete.
There should be a message to the user the username is invalid instead of just cleaning it without notice. The same way as the password field works.
As for my test, I don't see the username being cleaned. I did see it happen once but not anymore after clicking Next and back a few times. It will only highlight the field as incorrect when you focus out of the field.
Now I found out something else doing the following:
1. I copy-pasted your username into the field
2. Ignored the error
3. Clicked Next
4. Click back and see the ) is stripped out
5. Add the ) back into the username
6. Click Next
7. Click Back
8. Notice the ) is still there
Labels |
Removed:
?
|
Status | Information Required | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-10-11 11:36:25 |
Closed_By | ⇒ | dgt41 |
I changed the type to "<field name="admin_user" type="username" ... " but it doesn't stops me from choosing '&&&&' as admin_user. Will I be doing something wrong?