Yup. In webservice's models.py, set_new_password currently isn't calling password_policy_compliant to verify the strength of the password, so (if a consumer doesn't validate the password for us) the user could end up with a very weak password or even an empty one.
The only other place where you can set your password via the api is when you register(). The code currently uses a form to validate the parameters you pass in here, and this form calls password_policy_compliant in its validation code. I think ideally we'd do the same in set_new_password.

-- 
Validate password strength and matching when resetting password
https://bugs.launchpad.net/bugs/616528
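
The gap described in this comment, as an added example that is not the project's code: a hypothetical `Account` model whose unchecked setter accepts an empty password, next to a setter that enforces the policy in the model itself. The policy rules, the class, `WeakPasswordError`, `try_reset` and the hashing parameters are all assumptions; only the names `set_new_password` and `password_policy_compliant` come from the report.

```python
import hashlib
import os
import re


class WeakPasswordError(ValueError):
    """Raised when a candidate password fails the policy check."""


def password_policy_compliant(password):
    # Assumed policy (the real rules are not given in the bug report):
    # at least 8 characters with one lowercase, one uppercase and one digit.
    if not isinstance(password, str) or len(password) < 8:
        return False
    return all(re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"\d"))


class Account:
    """Hypothetical stand-in for the webservice model."""

    def __init__(self, email):
        self.email = email
        self.password_hash = None

    def _store(self, password):
        # Salted PBKDF2 so the sketch never keeps plaintext around.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.password_hash = salt + digest

    def set_new_password_unchecked(self, new_password):
        # Behaviour described in the report: no policy check, so "" is
        # accepted whenever the API consumer skips its own validation.
        self._store(new_password)

    def set_new_password(self, new_password):
        # Hardened form: the model enforces the policy, so the register
        # form, the reset API and any future caller share one check.
        if not password_policy_compliant(new_password):
            raise WeakPasswordError("password does not meet policy")
        self._store(new_password)


def try_reset(account, candidate):
    """Return True if the reset was accepted, False if the policy rejected it."""
    try:
        account.set_new_password(candidate)
    except WeakPasswordError:
        return False
    return True
```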
