T94774 changed the minimal password length for admins to 8, but the installer was not updated and still allows creating a password of any length. When you try to log in to your new wiki, you're immediately greeted with a password reset form complaining about your tiny password.
| Status | Assigned | Task |
|---|---|---|
| Resolved | demon | T115700 Installer allows creating an admin password which is too short |
| Resolved | csteipp | T94774 Password policies by group |
From my understanding, does it mean that a wiki password before (in earlier versions) could be of varying length, but now the minimum length is 8 chars? So if someone's password was, say, less than 8 chars (<8 chars), if he/she wants to log in to the new release (1.26), he/she will be asked to reset the password?
If my understanding of this task is true, then I would like to work on this task :)
User::checkPasswordValidity is called in the WebInstallerPage.php, but at that time the user group is not set, because setting the user group needs a database, which is not created yet. Therefore the password policy for sysop user group cannot be checked at this point.
I don't clearly understand what this task is to do. I can see that some policies are set to 8 for MinimalPasswordLength, so I am kind of confused about which of them should be used. I know that the check is done when the submit() function is called in WebInstallerPage.php. So I don't know which policy is checked, and also the check of the password length.
This was fixed by @csteipp in rMW66147c798aaf: Check install user's password as sysop/bureaucrat, then effectively reverted, for slightly unclear reasons, in rMW6a69a4eb733b: Add "purpose" to password validity check. That latter patch was in response to T104615, which didn't seem to have anything to do with the installer, so I'm a bit puzzled.
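The mismatch discussed in this task, modelled as a standalone PHP sketch (an added example, not MediaWiki's code): a group-based policy check run before the account has any groups falls back to the default policy, while the same password checked against the sysop/bureaucrat groups is rejected. `POLICIES`, `effectivePolicy()` and `checkPassword()` are hypothetical names and the default minimum of 1 is an assumed value; only the admin minimum of 8 comes from the task.

```php
<?php
// Standalone model of group-based password policies; NOT MediaWiki code.
// The 'default' value is assumed for illustration; 8 for admins is from the task.
const POLICIES = [
    'default'    => ['MinimalPasswordLength' => 1],
    'sysop'      => ['MinimalPasswordLength' => 8],
    'bureaucrat' => ['MinimalPasswordLength' => 8],
];

/** Strictest (largest) value of each setting across 'default' and the given groups. */
function effectivePolicy(array $policies, array $groups): array {
    $effective = $policies['default'];
    foreach ($groups as $group) {
        foreach ($policies[$group] ?? [] as $name => $value) {
            $effective[$name] = max($effective[$name] ?? 0, $value);
        }
    }
    return $effective;
}

/** Returns the list of policy violations; an empty list means the password passes. */
function checkPassword(string $password, array $groups, array $policies = POLICIES): array {
    $min = effectivePolicy($policies, $groups)['MinimalPasswordLength'];
    return strlen($password) < $min
        ? [sprintf('password is shorter than %d characters', $min)]
        : [];
}

$password = 'abc12'; // constructed sample, 5 characters

$scenarios = [
    // No database yet, so the new account has no groups to look up.
    'installer check, groups not set'         => [],
    // After installation the account is an admin, so the strict policy applies.
    'first login as admin'                    => ['sysop', 'bureaucrat'],
    // Installer check with the intended groups passed in explicitly.
    'installer check, admin groups passed in' => ['sysop', 'bureaucrat'],
];

foreach ($scenarios as $label => $groups) {
    $errors = checkPassword($password, $groups);
    printf("%-42s %s\n", $label . ':', $errors ? 'REJECT (' . implode('; ', $errors) . ')' : 'accept');
}
```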