Switch off using blank passwords for login

There is now a config.ini setting [web] login_empty_passwords to
enable logins for users without a password set. By default it's off
and every user must have a password.

Author: rouilj

CHANGES.txt

@@ -94,6 +94,9 @@ Fixed:
 - issue2551205 - Add support for specifying valid origins
   for api: xmlrpc/rest. Allows CORS to work with roundup
   backend. (John Rouillard)
+- new option added to config.ini: login_empty_passwords set to
+  no by default. Setting this to yes allows a user with an
+  empty password to login.
 
 Features:
 

doc/upgrading.txt

@@ -69,6 +69,15 @@ backends. You may want to run ``roundup-admin -i tracker_home
 reindex`` if you want to index or search for longer words in your full
 text searches. Re-indexing make take some time.
 
+Check new login_empty_passwords setting
+---------------------------------------
+
+In this version of Roundup, users with a blank password are not
+allowed to login. Blank passwords have been allowed since 2002, but
+2022 is a different time. If you have a use case that requires a user
+to login without a password, set the ``login_empty_passwords`` setting
+in the ``web`` section of ``config.ini`` to ``yes``.
+
 Check compression settings (optional)
 -------------------------------------
 

roundup/cgi/actions.py

@@ -1398,7 +1398,8 @@ def verifyPassword(self, userid, givenpw):
                 db.user.set(userid, password=newpw)
                 db.commit()
             return 1
-        if not givenpw and not stored:
+        # allow blank password
+        if db.config.WEB_LOGIN_EMPTY_PASSWORDS and not givenpw and not stored:
             return 1
         return 0
 

roundup/configuration.py

@@ -1260,6 +1260,9 @@ def str2value(self, value):
             "Setting this option makes Roundup display error tracebacks\n"
             "in the user's browser rather than emailing them to the\n"
             "tracker admin."),
+        (BooleanOption, "login_empty_passwords", "no",
+            "Setting this option to yes/true allows users with an empty/blank\n"
+            "password to login to the web/http interfaces."),
         (BooleanOption, "migrate_passwords", "yes",
             "Setting this option makes Roundup migrate passwords with\n"
             "an insecure password-scheme to a more secure scheme\n"

test/test_actions.py

@@ -27,6 +27,7 @@ def setUp(self):
         self.client.db.Otk.getall = self.data_get
         self.client.db.Otk.set = self.data_set
         self.client.db.config.WEB_LOGIN_ATTEMPTS_MIN = 20
+        self.client.db.config.WEB_LOGIN_EMPTY_PASSWORDS = 0
         self.client._ok_message = []
         self.client._error_message = []
         self.client.add_error_message = lambda x, escape=True: add_message(
@@ -371,6 +372,27 @@ def opendb(username):
 
         self.assertLoginLeavesMessages([], 'foo', 'right')
 
+    def testBlankPasswordLogin(self):
+        self.client.db.security.hasPermission = lambda *args, **kwargs: True
+
+        self.client.db.user.get = lambda a,b: None
+
+        def opendb(username):
+            self.assertEqual(username, 'blank')
+        self.client.opendb = opendb
+
+        self.assertEqual(self.client.db.config.WEB_LOGIN_EMPTY_PASSWORDS, 0)
+        self.assertLoginLeavesMessages(['Invalid login'], 'blank', '' )
+
+        self.client.db.config.WEB_LOGIN_EMPTY_PASSWORDS = 1
+        self.form.value[:] = []  # reset form
+        self.client._error_message = [] # reset errors
+        self.assertLoginLeavesMessages([], 'blank', '' )
+
+        # reset
+        self.client.db.user.get = lambda a,b: 'right'
+        self.client.db.config.WEB_LOGIN_EMPTY_PASSWORDS = 0
+
     def testCorrectLoginRedirect(self):
         self.client.db.security.hasPermission = lambda *args, **kwargs: True
         def opendb(username):
@@ -431,7 +453,8 @@ def testLoginRateLimit(self):
         '''
         # Do the first login setting an invalid login name
         self.assertLoginLeavesMessages(['Invalid login'], 'nouser')
-        # use up the rest of the 20 login attempts
+        # use up the rest of the 20 login attempts. Login name
+        # persists.
         for i in range(19):
             self.client._error_message = []
             self.assertLoginLeavesMessages(['Invalid login'])