I have tested this item ? unsuccessfully on e30121f

I can still set a password = username for my own account using this url
administrator/index.php?option=com_admin&view=profile&layout=edit&id=349 which is the edit account link in the top right

I have tested this item ? unsuccessfully on e30121f

I can still set a password = username for my own account using this url
administrator/index.php?option=com_admin&view=profile&layout=edit&id=349 which is the edit account link in the top right

if you not digit the password and click save yes, but this is exepected (i cannot retrieve the clear password if you don't digit it)
but if you try to change you password and set equal to username than it works

remaining issue:
While installing J, I can use admin/admin

I tested this simple patch which works fine here.

diff --git a/installation/model/setup.php b/installation/model/setup.php
index 0089d22..ee860be 100644
--- a/installation/model/setup.php
+++ b/installation/model/setup.php
@@ -417,4 +417,11 @@
 		}
 
+		if ($data['admin_user'] === $data['admin_password'])
+		{
+			JFactory::getApplication()->enqueueMessage(JText::_('JLIB_USER_ERROR_PASSWORD_MATCH_USERNAME'), 'warning');
+
+			return false;
+		}
+
 		// Filter and validate the form data.
 		$data   = $form->filter($data);

Evidently, the new string has to be added to installation .ini file.

I have tested this item ✅ successfully on c0220e3

thanks @infograf768 for the installation part

please re-test

I have tested this item ✅ successfully on f34b5d1

@alikon
I should have tested further
Although it works in first screen, I get the same error when dealing with the database page with the Notice

[21-Nov-2017 14:12:52 Europe/Berlin] PHP Notice:  Undefined index: admin_user in /Applications/MAMP/htdocs/testnew/stagingcms/installation/model/setup.php on line 419
[21-Nov-2017 14:12:52 Europe/Berlin] PHP Notice:  Undefined index: admin_password in /Applications/MAMP/htdocs/testnew/stagingcms/installation/model/setup.php on line 419

Checking if the values are set solves it here

		if (isset($data['admin_user']) && isset($data['admin_user']))
		{
			if ($data['admin_user'] === $data['admin_password'])
			{
				JFactory::getApplication()->enqueueMessage(JText::_('JLIB_USER_ERROR_PASSWORD_MATCH_USERNAME'), 'warning');
			
				return false;
			}
		}

Also, it looks like it does not work when editing a user in back-end

@alikon
EDIT: In fact, except for installation which needs some care (see above), this patch only works when creating a new user in backend.
It does not work for new registration or for editing an existing user in front as well as backend.

As said before, you cannot detect if the username and password are the same when editing a user because the plaintext password is not stored (in fact, the only time we have the plaintext password available is when a login form is submitted (used to validate hashes) or user profile form is submitted and the user is changing their password).

Hi,

I've successfully tested this patch both in back end and front end, creating a new user and upadating password of existing user (Joomla! 3.8.3-dev).

In backend I get an error : Save failed with the following error: Username and password must not match.
In frontend I get a warning (updating) : Profile could not be saved: Could not bind profile data: Username and password must not match.
In frontend I get a warning (creating new one) : Failed to bind registration data: Username and password must not match.

Please be patient with me, I've just started my contributions as a tester, let me know if I'm doing wrong.

@infograf768 added "some care" for the install part

It does not work for new registration

please elaborate

It does not work for editing an existing user in front as well as backend

it works, i mean check is done, if you enter a password see more complete explanation #18766 (comment) than short mine

@ladyjer
you are doing right, just you need to test the install part too

looking forward to see your contribution as a coder too ?

In the backend, select Edit Account in the upper right corner.
Click Save button.

In the error log:

PHP Notice:  Undefined index: username in C:\xampp\htdocs\joomla-cms-staging\libraries\src\User\User.php on line 686

good catch @Quy
Edit Account fixed

So it is still possible to have the same username and password under Edit Account since the username is not in the array to check??

unfortunately yes if you have this situation before this pr
it's outside of scope of this pr to fix previous situation where username===passowrd

unfortunately yes

It shouldn't be that bad to fix this for all cases, how about an ajax call somewhere in the back end with the username, then hash it check if same as password and either return true or false?

Since the password field will be rewritten as custom field instead of plain js (to make it css framework agnostic!) we can add the needed lines there (shouldn't be much code anyways)

@dgt41 sounds good to me
and if it take few lines of code sounds even better,

My comments here
#18766 (comment)
are now solved.
Allow or not modifying UserName when editing profile in frontend also works here.
Remains only the "Edit Account" in backend where we still can modify and get same username and password.

Hi,

concerning issue on "Edit account" in backend, it can be fixed removing lines from 135 to 140 in /administrator/components/com_admin/models/profile.php

	$isUsernameCompliant = $this->getState('user.username.compliant');

	if (!JComponentHelper::getParams('com_users')->get('change_login_name') && $isUsernameCompliant)
	{
		unset($data['username']);
	}

It's the same change applied by @alikon on file components/com_users/models/profile.php on commit 7063a43

@ladyjer This code is for the Change Username setting under Global Configuration > Users. If this setting is set to No, by removing this code, the username can be changed on the frontend using Firefox Developer Toolbox even though it is read only.

@Quy please re-check now should prevent username change by browsers Inspect tools

I have tested this item ✅ successfully on 9f12f11

I have tested this item ✅ successfully on 9f12f11

Ready to Commit after two successful tests.

thank you all folks, great teamworking ?

Sorry folks, I still have issues.
Although it does work for admin/admin, if I change the username to adminuser and use the same in password, user is saved.

@infograf768 should the RTC-Label deleted?

I would if someone can confirm my findings

@infograf768 your movie is showing that you are using the saved password for a user called adminuser and not necessarily the password "adminuser"

@brianteeman
I do not understand your comment.
What I did is modify the user
The username was admin and password was also admin
I changed the username to adminuser and then also changed the password to adminuser which should not have been accepted.

Hmm
It looks like if I Type letter by letter adminuser and not use the firefox already known "adminuser" password (which is remembered by Firefox as a password used for another site in my localhost), it works fine.
Weird.

Yes that is what I am saying. Are you sure that the saved password is "adminuser"

I have deleted all saved login/passwords from Firefox and although it does not display anymore the possible passwords, by typing it works now.

Tagging for 3.9 as this has the potential to be a disruptive change (so let's not do it in a general maintenance release, just so it's clear I'm not saying don't do it at all just that it needs to be properly highlighted).

Looking back at this, the feedback from @dgrammatiko in #18766 (comment) was never addressed, and honestly you kind of need that otherwise this entire PR has no point.

I have tested this item ✅ successfully on 9f12f11