Invitation process doesn't trigger insecure password check #19573
Labels: Bug, not-in-changelog
Whenever a new user in Matomo is created or a password is changed, Matomo calls the UsersManager.checkPassword event and, if it fails, warns the user that the password is insecure.

matomo/plugins/UsersManager/UsersManager.php, line 155 in 5df7397
That's used by https://plugins.matomo.org/PasswordVerifier and other plugins to disallow some kinds of passwords.
But with the new invitation process and acceptInvitation(), this function is never called in the process and only the built-in basic check is done:

matomo/plugins/Login/Controller.php, lines 574 to 577 in 5df7397
This means users could sign up with passwords that don't match the password requirements.
Matomo Version: 04c1149
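
The gap described in this issue, modelled as an added example (not Matomo's code and not written by the issue author): a tiny event dispatcher, a stand-in policy plugin, and the same weak password sent through the basic check alone and through a shared check that posts `UsersManager.checkPassword`. Every class and function name, both length thresholds and the sample password are assumptions made for this sketch.

```php
<?php
// Constructed model of the reported flaw; every name except the event string is hypothetical.
final class Events {
    private static array $listeners = [];

    public static function on(string $name, callable $fn): void {
        self::$listeners[$name][] = $fn;
    }

    public static function post(string $name, array $args): void {
        foreach (self::$listeners[$name] ?? [] as $fn) {
            $fn(...$args);
        }
    }
}

// Built-in basic check (assumed for this sketch: minimum length only).
function basicCheck(string $password): void {
    if (strlen($password) < 6) {
        throw new InvalidArgumentException('password too short');
    }
}

// Shared entry point: basic check, then the event that policy plugins subscribe to.
function checkPassword(string $password): void {
    basicCheck($password);
    Events::post('UsersManager.checkPassword', [$password]);
}

// Stand-in for a policy plugin (constructed rule: at least 12 characters).
Events::on('UsersManager.checkPassword', function (string $password): void {
    if (strlen($password) < 12) {
        throw new InvalidArgumentException('rejected by policy plugin');
    }
});

// Returns true when the given check lets the password through.
function accepts(callable $check, string $password): bool {
    try {
        $check($password);
        return true;
    } catch (InvalidArgumentException $e) {
        return false;
    }
}

$weak = 'abc12345'; // constructed sample: long enough for basicCheck, too short for the plugin
var_dump(accepts('basicCheck', $weak));    // invitation path as reported: basic check only
var_dump(accepts('checkPassword', $weak)); // invitation path routed through the shared check
```

A regression test for the invitation flow can follow the same shape: register a rejecting listener for the event and assert that accepting an invitation with that password fails.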