User Deletion throws error "Password is too weak" #19857

Closed
Starker3 opened this issue Oct 13, 2022 · 5 comments · Fixed by #20048
Labels
Bug For errors / faults / flaws / inconsistencies etc. duplicate For issues that already existed in our issue tracker and were reported previously.
@Starker3
Contributor

Starker3 commented Oct 13, 2022

Attempting to delete a user in Matomo 4.12.0 can result in the following error after entering the admin password:
image

This results in the user not being deleted.

Error message text:
This password is too weak, please supply another value or reset it.
#0 /var/www/html/plugins/UsersManager/UsersManager.php(190): Piwik\Plugins\UsersManager\UsersManager::checkBasicPasswordStrength('xx')
#1 /var/www/html/plugins/Login/Auth.php(188): Piwik\Plugins\UsersManager\UsersManager::getPasswordHash('xx')
#2 /var/www/html/plugins/Login/PasswordVerifier.php(53): Piwik\Plugins\Login\Auth->setPassword('xx')
#3 /var/www/html/core/Plugin/API.php(134): Piwik\Plugins\Login\PasswordVerifier->isPasswordCorrect('user', 'xx')
#4 /var/www/html/plugins/UsersManager/API.php(975): Piwik\Plugin\API->confirmCurrentUserPassword('xx')
#5 [internal function]: Piwik\Plugins\UsersManager\API->deleteUser('user_to_delete', 'xx')
#6 /var/www/html/core/API/Proxy.php(244): call_user_func_array(Array, Array)
#7 /var/www/html/core/Context.php(28): Piwik\API\Proxy->Piwik\API\{closure}()
#8 /var/www/html/core/API/Proxy.php(335): Piwik\Context::executeWithQueryParameters(Array, Object(Closure))
#9 /var/www/html/core/API/Request.php(267): Piwik\API\Proxy->call('\\Piwik\\Plugins\\...', 'deleteUser', Array)
#10 /var/www/html/plugins/API/API.php(483): Piwik\API\Request->process()
#11 [internal function]: Piwik\Plugins\API\API->getBulkRequest(Array)
#12 /var/www/html/core/API/Proxy.php(244): call_user_func_array(Array, Array)
#13 /var/www/html/core/Context.php(28): Piwik\API\Proxy->Piwik\API\{closure}()
#14 /var/www/html/core/API/Proxy.php(335): Piwik\Context::executeWithQueryParameters(Array, Object(Closure))
#15 /var/www/html/core/API/Request.php(267): Piwik\API\Proxy->call('\\Piwik\\Plugins\\...', 'getBulkRequest', Array)
#16 /var/www/html/plugins/API/Controller.php(45): Piwik\API\Request->process()
#17 [internal function]: Piwik\Plugins\API\Controller->index()
#18 /var/www/html/core/FrontController.php(631): call_user_func_array(Array, Array)
#19 /var/www/html/core/FrontController.php(169): Piwik\FrontController->doDispatch('API', false, Array)
#20 /var/www/html/core/dispatch.php(32): Piwik\FrontController->dispatch()
#21 /var/www/html/index.php(25): require_once('/var/www/html/c...')
#22 {main}

  • Matomo Version: 4.12.0
  • PHP Version: 8.0.16
  • Server Operating System: Apache/2.4.52 (Debian)
  • Additionally installed plugins: API, Actions, Annotations, BulkTracking, Contents, CoreAdminHome, CoreConsole, CoreHome, CorePluginsAdmin, CoreUpdater, CoreVisualizations, CoreVue, CustomDimensions, CustomJsTracker, CustomReports 4.1.0, CustomVariables 4.1.1, Dashboard, DevicePlugins, DevicesDetection, Diagnostics, Ecommerce, Events, Feedback, GeoIp2, Goals, Heartbeat, HeatmapSessionRecording 4.5.1, ImageGraph, Insights, Installation, Intl, IntranetGeoIP 4.0.1, IntranetMeasurable, InvalidateReports 4.1.1, LanguagesManager, Live, LogViewer 4.1.1, Login, LoginSaml 4.2.0, MarketingCampaignsReporting 4.1.3, Marketplace, MediaAnalytics 4.1.5, MobileMessaging, Modern 1.1.2, Monolog, Morpheus, MultiSites, Overlay, PagePerformance, PrivacyManager, Provider 4.0.5, Proxy, QueuedTracking 4.0.5, Referrers, Resolution, RollUpReporting 4.1.0, RssWidget, SEO, ScheduledReports, SearchEngineKeywordsPerformance 4.4.0, SegmentEditor, SitesManager, TagManager, TrackingCodeCustomizer 4.0.0, Transitions, UserCountry, UserCountryMap, UserId, UserLanguage, UsersFlow 4.1.1, UsersManager, VisitFrequency, VisitTime, VisitorInterest, VisitsSummary, WebsiteMeasurable, Widgetize, ExampleAPI
@Starker3 Starker3 added the Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. label Oct 13, 2022
@sgiehl
Member

sgiehl commented Oct 14, 2022

Entering a wrong password should always show a wrong password message, even if it's too weak.
I'll prepare a PR to change that.

@sgiehl sgiehl added this to the 4.12.1 milestone Oct 14, 2022
@sgiehl sgiehl added Bug For errors / faults / flaws / inconsistencies etc. and removed Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. labels Oct 14, 2022
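
The stack trace above shows a strength check (`checkBasicPasswordStrength`) being reached from a password confirmation (`isPasswordCorrect`). The following PHP is an added illustration of that pattern and of a verify-only alternative; it is not Matomo's code, and every function name, the exception class, the length threshold and the sample password are hypothetical.

```php
<?php
// Added illustration only: names and the policy rule below are assumptions.

final class WeakPasswordException extends InvalidArgumentException {}

// Policy check that belongs on the "set a new password" path.
// The 6-character minimum is a constructed stand-in for a real policy.
function assertStrongEnough(string $password): void
{
    if (strlen($password) < 6) {
        throw new WeakPasswordException('This password is too weak');
    }
}

// Setter-style hashing: enforce policy first, then hash.
function hashNewPassword(string $password): string
{
    assertStrongEnough($password);
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verification that reuses the setter path inherits its policy check:
// a short candidate throws before any comparison with the stored hash.
function verifyViaSetter(string $candidate, string $storedHash): bool
{
    hashNewPassword($candidate);
    return password_verify($candidate, $storedHash);
}

// Verification with no policy check: a non-matching input is simply wrong.
function verifyOnly(string $candidate, string $storedHash): bool
{
    return password_verify($candidate, $storedHash);
}

// Constructed sample credential for the demonstration.
$stored = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

try {
    verifyViaSetter('xx', $stored);
} catch (WeakPasswordException $e) {
    // The caller sees a policy error, not an authentication result.
    echo 'setter path: ', $e->getMessage(), "\n";
}

echo 'verify-only path: ',
    verifyOnly('xx', $stored) ? 'match' : 'wrong password', "\n";
```
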
@Starker3
Contributor Author

> Entering a wrong password should always show a wrong password message, even if it's too weak.
>
> I'll prepare a PR to change that.

In this case I don't think it's that the user is typing a wrong password, but the password being used for the password prompt is likely too weak?

@sgiehl
Member

sgiehl commented Oct 14, 2022

That would mean that the password the user is using for his account is too weak. Not sure if it is even possible to log in, in that case.

@Starker3
Contributor Author

FYI this looks like it's caused by a password encoding/decoding issue. I was able to reproduce it using the same password the user was using, if you need that password to reproduce please PM me.

@sgiehl
Member

sgiehl commented Nov 23, 2022

Closing this one in favor of #20021, as it contains some detailed information where the exact problem is.

@sgiehl sgiehl closed this as completed Nov 23, 2022
@sgiehl sgiehl added the duplicate For issues that already existed in our issue tracker and were reported previously. label Nov 23, 2022
@justinvelluppillai justinvelluppillai modified the milestones: 4.12.5, 4.13.0 Nov 28, 2022