JoaoJandre commented on PR #8370:
URL: https://github.com/apache/cloudstack/pull/8370#issuecomment-1860496605

> Is it wise to allow for empty passwords? I may be misinterpreting this code, but I would not want this in a default install. Or is this only applicable for LDAP logins?

As the password is a required field when creating users using the createAccount and createUser APIs, blank passwords are not allowed. Furthermore, on the updateUser API we check if the password is blank as well. The password policies were created in #6567 with the intention of being optional to keep backwards compatibility; therefore, I'd say that it makes sense to not block the operation using the default regex.

> BTW, the update is not necessary if the workaround is mentioned in the release notes. To my knowledge this fix is directed only at installations using LDAP, as mentioned in https://lists.apache.org/thread/tqtcwsfb0knmvqct1hlow4ty2nc2w2j2, is it?

Yes, this fix is directed only at installations using LDAP. From the code inspection that I did, the only instance of an empty password is in that method I mentioned in the description; the rest of the code will not allow a password that does not have at least one character.

Anyway, do you think that a note in the release notes is all that is needed in this case, @DaanHoogland @weizhouapache @shwstppr?