@Starker3 opened this Issue on October 13th 2022 Contributor

Attempting to delete a user in Matomo 4.12.0 can result in the following error after entering the admin password:

This results in the user not being deleted.

Error message text:
This password is too weak, please supply another value or reset it.
#0 /var/www/html/plugins/UsersManager/UsersManager.php(190): Piwik\Plugins\UsersManager\UsersManager::checkBasicPasswordStrength('xx')
#1 /var/www/html/plugins/Login/Auth.php(188): Piwik\Plugins\UsersManager\UsersManager::getPasswordHash('xx')
#2 /var/www/html/plugins/Login/PasswordVerifier.php(53): Piwik\Plugins\Login\Auth->setPassword('xx')
#3 /var/www/html/core/Plugin/API.php(134): Piwik\Plugins\Login\PasswordVerifier->isPasswordCorrect('user', 'xx')
#4 /var/www/html/plugins/UsersManager/API.php(975): Piwik\Plugin\API->confirmCurrentUserPassword('xx')
#5 [internal function]: Piwik\Plugins\UsersManager\API->deleteUser('user_to_delete', 'xx')
#6 /var/www/html/core/API/Proxy.php(244): call_user_func_array(Array, Array)
#7 /var/www/html/core/Context.php(28): Piwik\API\Proxy->Piwik\API\{closure}()
#8 /var/www/html/core/API/Proxy.php(335): Piwik\Context::executeWithQueryParameters(Array, Object(Closure))
#9 /var/www/html/core/API/Request.php(267): Piwik\API\Proxy->call('\\Piwik\\Plugins\\...', 'deleteUser', Array)
#10 /var/www/html/plugins/API/API.php(483): Piwik\API\Request->process()
#11 [internal function]: Piwik\Plugins\API\API->getBulkRequest(Array)
#12 /var/www/html/core/API/Proxy.php(244): call_user_func_array(Array, Array)
#13 /var/www/html/core/Context.php(28): Piwik\API\Proxy->Piwik\API\{closure}()
#14 /var/www/html/core/API/Proxy.php(335): Piwik\Context::executeWithQueryParameters(Array, Object(Closure))
#15 /var/www/html/core/API/Request.php(267): Piwik\API\Proxy->call('\\Piwik\\Plugins\\...', 'getBulkRequest', Array)
#16 /var/www/html/plugins/API/Controller.php(45): Piwik\API\Request->process()
#17 [internal function]: Piwik\Plugins\API\Controller->index()
#18 /var/www/html/core/FrontController.php(631): call_user_func_array(Array, Array)
#19 /var/www/html/core/FrontController.php(169): Piwik\FrontController->doDispatch('API', false, Array)
#20 /var/www/html/core/dispatch.php(32): Piwik\FrontController->dispatch()
#21 /var/www/html/index.php(25): require_once('/var/www/html/c...')
#22 {main}

  • Matomo Version: 4.12.0
  • PHP Version: 8.0.16
  • Server Operating System: Apache/2.4.52 (Debian)
  • Additionally installed plugins: API, Actions, Annotations, BulkTracking, Contents, CoreAdminHome, CoreConsole, CoreHome, CorePluginsAdmin, CoreUpdater, CoreVisualizations, CoreVue, CustomDimensions, CustomJsTracker, CustomReports 4.1.0, CustomVariables 4.1.1, Dashboard, DevicePlugins, DevicesDetection, Diagnostics, Ecommerce, Events, Feedback, GeoIp2, Goals, Heartbeat, HeatmapSessionRecording 4.5.1, ImageGraph, Insights, Installation, Intl, IntranetGeoIP 4.0.1, IntranetMeasurable, InvalidateReports 4.1.1, LanguagesManager, Live, LogViewer 4.1.1, Login, LoginSaml 4.2.0, MarketingCampaignsReporting 4.1.3, Marketplace, MediaAnalytics 4.1.5, MobileMessaging, Modern 1.1.2, Monolog, Morpheus, MultiSites, Overlay, PagePerformance, PrivacyManager, Provider 4.0.5, Proxy, QueuedTracking 4.0.5, Referrers, Resolution, RollUpReporting 4.1.0, RssWidget, SEO, ScheduledReports, SearchEngineKeywordsPerformance 4.4.0, SegmentEditor, SitesManager, TagManager, TrackingCodeCustomizer 4.0.0, Transitions, UserCountry, UserCountryMap, UserId, UserLanguage, UsersFlow 4.1.1, UsersManager, VisitFrequency, VisitTime, VisitorInterest, VisitsSummary, WebsiteMeasurable, Widgetize, ExampleAPI

@sgiehl commented on October 14th 2022 Member

Entering a wrong password should always show a wrong password message, even if it's too weak.
I'll prepare a PR to change that.

@Starker3 commented on October 14th 2022 Contributor

> Entering a wrong password should always show a wrong password message, even if it's too weak.
>
> I'll prepare a PR to change that.

In this case I don't think it's that the user is typing a wrong password, but the password being used for the password prompt is likely too weak?

@sgiehl commented on October 14th 2022 Member

That would mean that the password the user is using for his account is too weak. Not sure if it is even possible to log in, in that case.

@Starker3 commented on October 24th 2022 Contributor

FYI this looks like it's caused by a password encoding/decoding issue. I was able to reproduce it using the same password the user was using. If you need that password to reproduce, please PM me.

@sgiehl commented on November 23rd 2022 Member

Closing this one in favor of #20021, as it contains some detailed information where the exact problem is.

This Issue was closed on November 23rd 2022