@Findus23 opened this Issue on July 27th 2022 Member

Whenever a new user in Matomo is created or a password is changed, Matomo calls the UsersManager.checkPassword event and, if it fails, warns the user that the password is insecure.
https://github.com/matomo-org/matomo/blob/5df7397b4276a8f23e5537b7ba84394f4238dbed/plugins/UsersManager/UsersManager.php#L155

That's used by https://plugins.matomo.org/PasswordVerifier and other plugins to disallow some kinds of passwords.

But with the new invitation process and acceptInvitation(), this function is never called in the process and only the built-in basic check is done:
https://github.com/matomo-org/matomo/blob/5df7397b4276a8f23e5537b7ba84394f4238dbed/plugins/Login/Controller.php#L574-L577

This means users could sign up with passwords that don't match the password requirements.

Matomo Version: 04c1149d81bd5e48671f212f9a1cbd12fa10ef85

This Issue was closed on August 1st 2022
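
The gap described in the issue, modelled as an added example that is not Matomo's code: a password-setting path that runs only the basic check skips every plugin listener, while a path routed through one shared gate does not. The `Events` class, `basicCheck`, `checkPasswordPolicy`, the minimum length of 6, the digit rule and the `addUser` label are assumptions made for illustration; only the event name and `acceptInvitation` come from the issue.

```php
<?php
// Minimal stand-in event bus (hypothetical; not Matomo's event implementation).
final class Events {
    private static array $listeners = [];
    public static function on(string $event, callable $listener): void {
        self::$listeners[$event][] = $listener;
    }
    public static function post(string $event, array $args): void {
        foreach (self::$listeners[$event] ?? [] as $listener) {
            $listener(...$args); // a listener rejects by throwing
        }
    }
}

// Stand-in for the built-in basic check (assumed minimum length of 6).
function basicCheck(string $password): void {
    if (strlen($password) < 6) {
        throw new InvalidArgumentException('password too short');
    }
}

// Shared gate: built-in check first, then every plugin listener.
function checkPasswordPolicy(string $password): void {
    basicCheck($password);
    Events::post('UsersManager.checkPassword', [$password]);
}

// Constructed plugin rule: require at least one digit.
Events::on('UsersManager.checkPassword', function (string $password): void {
    if (!preg_match('/\d/', $password)) {
        throw new InvalidArgumentException('password must contain a digit');
    }
});

// Entry points that set a password; labels are constructed for this model.
$entryPoints = [
    'addUser'                            => fn(string $p) => checkPasswordPolicy($p),
    'acceptInvitation (as reported)'     => fn(string $p) => basicCheck($p),
    'acceptInvitation (via shared gate)' => fn(string $p) => checkPasswordPolicy($p),
];

foreach ($entryPoints as $name => $setPassword) {
    try {
        $setPassword('longbutnodigit'); // passes the basic check, fails the plugin rule
        echo "$name: ACCEPTED a password the plugin rejects\n";
    } catch (InvalidArgumentException $e) {
        echo "$name: rejected ({$e->getMessage()})\n";
    }
}
```

A regression test built the same way, enumerating every entry point that sets a password and asserting that a plugin-rejected value fails in each, catches a new flow that forgets the hook.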