Contacts: Empty password sent if filled in and removed

ghost commented 4 years ago

open the page to add a new contact
enter the minimum details
enter anything as password
remove the password
Save it -> error message that the password is invalid. The Frontend sends an emty string as password. If the password field is not touched, no password is sent at all (and the process suceeds)

This also makes the software incompatible with password managers' auto fill features

davewood commented 4 years ago

commit d285f82b848c3fe3ca2f42fa1839f07b550afad8
Author: David Schmidt mail@davidschmidt.at
Date: Mon Dec 16 15:05:56 2019 +0100
dont send empty user.password property

"This also makes the software incompatible with password managers' auto fill features"
How so?

certrik commented 4 years ago

@wagner-certat Please comment and close if solved.

ghost commented 4 years ago

"This also makes the software incompatible with password managers' auto fill features" How so?

Because the auto-fill features write the credentials into the password field (which is not a login), then the user removes the filled in password manually.

ghost commented 4 years ago

On the testing instance, at 7928cfcacfa130a2903e5ccd8d730841d5f08e86 I get an error on clicking the Save button for newly created contacts:

And for existing contacts and editing them, same behavior as before.

davewood commented 4 years ago

i repeated these steps:

open the page to add a new contact
enter the minimum details
enter anything as password
remove the password
Save it

this are the request params that were sent:

{
"user":{
   "email":"asdf2@asdf2.at",
   "name":"asdfasdf"
},
"organization_membership":{
   "membership_role_id":7,
   "organization_id":9
}
}

no error and I got a notification that the user was added.

certat / do-portal

Contacts: Empty password sent if filled in and removed #107