stripping password

Issue #419 resolved
Maciej Sawicki created an issue

Hi, I found out that rhode strips passwords. It was a huge problem for me since my chief has a password that begins with a space.

If a user account is created from the rhode panel it's not a (big) problem since the password is also stripped during creation. The only downside is that the user's password is shorter, i.e. <space>123456 (you can't create <space>12345 due to the min length pass policy) is the same as 123456.

A bigger problem occurs when you use LDAP sync. Since LDAP does not strip passwords, some valid LDAP users can't log in to rhode.

For now I edited rhodecode/model/forms.py and changed all {{{ password = UnicodeString(strip=True (...)) }}} to
{{{ password = UnicodeString(strip=False (...)) }}}

but please consider changing it in the main code base since patching it after each release will be very annoying.

Also, you can find quite a lot of arguments/stories about why you shouldn't trim passwords - http://stackoverflow.com/questions/632167/should-users-be-allowed-to-entered-a-password-with-a-space-at-the-beginning-or-e
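The mismatch reported above, reproduced as an added example (not part of the original issue and not RhodeCode code). `Directory` is a constructed stand-in for an external directory such as LDAP, and `password_field` is a hypothetical model of the form field's `strip` option, assumed to trim surrounding whitespace.

```python
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> bytes:
    # The hash covers every byte of the password, including leading spaces.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Directory:
    """Constructed stand-in for a credential store that keeps passwords as set."""

    def __init__(self):
        self._users = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, hash_password(password, salt))

    def bind(self, user: str, password: str) -> bool:
        record = self._users.get(user)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, hash_password(password, salt))


def password_field(value: str, strip: bool) -> str:
    # Hypothetical model of the form field: strip=True trims whitespace.
    return value.strip() if strip else value


def login(directory: Directory, user: str, submitted: str, strip: bool) -> bool:
    return directory.bind(user, password_field(submitted, strip))


def demo() -> dict:
    external = Directory()               # password set outside the web form
    external.set_password("chief", " 123456")
    local = Directory()                  # password set through a stripping form
    local.set_password("dev", password_field(" 123456", strip=True))
    return {
        # Correct password, but the form trims it before the bind: rejected.
        "strip_true_correct": login(external, "chief", " 123456", strip=True),
        # Same password passed through unchanged: accepted.
        "strip_false_correct": login(external, "chief", " 123456", strip=False),
        # The trimmed variant is a different password and stays rejected.
        "strip_false_trimmed": login(external, "chief", "123456", strip=False),
        # Stripping at creation and login makes " 123456" and "123456" equal.
        "local_collision": login(local, "dev", "123456", strip=True),
    }
```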

Comments (4)

  1. Marcin Kuzminski repo owner

    OK, so the next release will not strip passwords. I prefer to keep to LDAP compatibility. Thanks.
