Joomla3-Admin-template / joomla-cms

Home of the Joomla! Content Management System
http://joomla.org
GNU General Public License v2.0

Installation fails without mysql password #102

Open compojoom opened 12 years ago

compojoom commented 12 years ago

I know that one should not run mysql without password, but this is the default setting for both xampp and wampp. And since I've switched from xampp to wampp the other day I did not manage to set the mysql password yet.

So when I tried to install 3.0, the ajax response was - "could not connect to database". After a little debugging it appears that we check if db, username and password fields are empty and stop the installation if that is the case: https://github.com/Joomla3-Admin-template/joomla-cms/blob/template9/installation/models/database.php#L102

And our form doesn't require the password field to be filled: https://github.com/Joomla3-Admin-template/joomla-cms/blob/template9/installation/models/forms/database.xml#L23

I know that the more secure solution would be -> require a password to be set, this way we will force users to fix their localhost installations, but on the other hand - we are going to piss off a lot of people... So I say we remove the empty password check in database.php. If people run insecure installations that is their fault and not ours...

Daniel

mbabker commented 12 years ago

I added it because there's no other mechanism in the installer to check the password, and if you left the field blank when needing a password, the installer would just hang. I'm open for suggestions on what else to try, but that was the problem that check was trying to solve.

ChokDK commented 12 years ago

From a user's point ( I'm not into code!) I would suggest that either make a "Continue without password?" question/option so the user gets the information that it is not protected - or simply make it default to HAVE a password! :)

I can't see why "we are going to piss off a lot of people" in requiring a password really? If you need to search a lot in database you can put a "remember password" in your program for that. Installing only needs one database, right? You can use the same password in all your databases if you need a lot. I don't see it as an issue to ask for one..

Just my 5 cents

Chris

compojoom commented 12 years ago

@ChokDK , Well, I'm mainly thinking about newbies when I say that they are going to be pissed off. Imagine - you just managed to install xampp or wamp or whatever. Now you are going to install this awesome thing called joomla -> and suddenly -> I need a password to proceed? how the heck do I set a password? Now they'll have to look how to set a password on their environment and it is hard for someone who has no idea about that...

@mbabker - why is the installer hanging when you don't provide a password? Don't we check if we can establish a connection and if we can't we return an error?

ChokDK commented 12 years ago

compojoom, I see the concern :) It's just that - yes, it is kind of hard to install your first Joomla!, but so goes with the lot of CMS.

Instead of leaving the newbies in good faith but with a (maybe) big security problem later they might not know of, it could be an idea to link to a video or something - like this http://www.youtube.com/watch?v=eiNt_e2VzQc

I mean - you already have to manage to put up a database - to put in a password too is not that much extra work really (is it even possible to do without using a password?). If you install Joomla! on a "ready to go" platform I guess they send out the database password too..?

compojoom commented 12 years ago

I think that we are going in the wrong direction with this. It is not our responsibility in the installer to teach security.

Our responsibility in the installer is to install on all systems! Now - a system with username and nothing for password is a correct configuration and we should install on that one. And since - username + nothing for password is a situation that you encounter on 99% of all localhost installations we should install there. If you want -> put a warning, but we should be able to install on such a system.

To be able to provide a fix I'll need to know what we want to do :) Do we just set password for required field? Or do we fix the hanging installer? I'm for the second option as again - no password is unfortunately a valid configuration.

ChokDK commented 12 years ago

That sounds reasonable enough to me after thoughts.. If you add a warning for no password everybody can make their own decision - that would be very Joomla-ish ;)

mbabker commented 12 years ago

Fix the hanging installer definitely. I can try to figure out what was causing the hang and fix that later on.

mbabker commented 12 years ago

I removed the blank password check. I'll test some more to try and replicate what caused me to make that commit to begin with. It might've been me trying to test too many items simultaneously.

betweenbrain commented 12 years ago

+1 about adding the warning / opt-out of using a password. On my local dev machines I don't bother to use a password for mysql as it's not needed and just adds a step.

RobertVining commented 12 years ago

This works great on the current branch9 for me. No password on xampp installed just fine.
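
The outcome the thread converges on (accept an empty MySQL password, warn about it, and return an error when the connection fails) can be sketched as follows. This is an added example, not part of the thread and not Joomla's installer code: the function names and the `db_*` option keys are hypothetical, and the connect timeout is an assumption added to bound the wait, since the thread does not identify what caused the hang.

```php
<?php
// Added example: hypothetical helper names and option keys, not Joomla's installer code.

/** Split installer DB options into blocking errors and non-blocking warnings. */
function checkDatabaseOptions(array $o): array
{
    $errors = [];
    $warnings = [];
    foreach (['db_host', 'db_user', 'db_name'] as $field) {
        if (trim((string) ($o[$field] ?? '')) === '') {
            $errors[] = "$field is required";
        }
    }
    // An empty password is a valid MySQL configuration (the XAMPP/WAMP default),
    // so it produces a warning instead of stopping the installation.
    if (($o['db_pass'] ?? '') === '') {
        $warnings[] = 'The database user has no password; set one before exposing this site.';
    }
    return ['errors' => $errors, 'warnings' => $warnings];
}

/** Try the connection; return null on success or an error message on failure. */
function tryConnect(array $o, int $timeoutSeconds = 5): ?string
{
    if (!extension_loaded('mysqli')) {
        return 'mysqli extension is not loaded';
    }
    mysqli_report(MYSQLI_REPORT_OFF); // report failures through return values
    $db = mysqli_init();
    $db->options(MYSQLI_OPT_CONNECT_TIMEOUT, $timeoutSeconds); // assumed bound on the wait
    if (!@$db->real_connect($o['db_host'], $o['db_user'], $o['db_pass'], $o['db_name'])) {
        return $db->connect_error ?: 'could not connect to database';
    }
    $db->close();
    return null;
}

// Constructed sample input: a local install with no MySQL password.
$options = ['db_host' => 'localhost', 'db_user' => 'root', 'db_pass' => '', 'db_name' => 'joomla'];
$check = checkDatabaseOptions($options);
foreach ($check['warnings'] as $w) {
    echo "Warning: $w\n";
}
$error = $check['errors'] ? implode('; ', $check['errors']) : tryConnect($options);
echo $error === null ? "Connection OK\n" : "Error: $error\n";
```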