[Bug] system.security.validateUser makes user lose access when password is blank

When executing system.security.validateUser with password parameter blank, the user loses access.

Example:

Ignition 8.1.5

What if you secure the password field by checking whether the password is blank?

password = '1234'
validate = False
if password.strip() != '':
    validate = system.security.validateUser('user', password)

Yes… but it’s kind of dangerous for those who don’t know. I had tested it with my designer account and lost it. On our server we only have access to the designer; someone can get locked in the future.

I don’t think the use of a blank password made you “lose access”. What probably happened is: you triggered the validateUser scripting function with the incorrect credentials too many times and triggered a lockout for that user. See lockout settings described here: Classic Authentication Strategy - Ignition User Manual 8.1 - Ignition Documentation

In your Gateway logs, do you see any messages like User 'Teste01' is locked out or User 'Teste01' is now locked out? Especially around the time where you think you lost access? That would confirm my theory…
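One way to run the log check suggested above over an exported Gateway log, as an added example that is not part of the original thread. It matches the two message texts quoted in the reply; the timestamp prefix and every line in the sample log are constructed assumptions, since the page does not show the real log layout.

```python
import re
from collections import OrderedDict

# The two message texts come from the reply above. The line layout
# (timestamp, level, logger) is an assumption made for this example.
LOCKOUT_RE = re.compile(r"User '(?P<user>[^']+)' is (?P<now>now )?locked out")
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Constructed sample log, not real Ignition Gateway output.
SAMPLE_LOG = """\
2021-05-10 14:02:11 INFO  auth  User 'Teste01' failed to authenticate
2021-05-10 14:02:40 WARN  auth  User 'Teste01' is now locked out
2021-05-10 14:03:05 WARN  auth  User 'Teste01' is locked out
2021-05-10 14:03:09 WARN  auth  User 'Teste01' is locked out
2021-05-10 14:05:00 INFO  auth  User 'operator' logged in
"""


def find_lockouts(log_text):
    """Return per-user lockout evidence, in order of first appearance."""
    result = OrderedDict()
    for line in log_text.splitlines():
        m = LOCKOUT_RE.search(line)
        if not m:
            continue
        ts = TS_RE.match(line)
        entry = result.setdefault(m.group("user"), {
            "first_seen": ts.group("ts") if ts else None,
            "now_locked": 0,  # count of "... is now locked out" lines
            "locked": 0,      # count of "... is locked out" lines
        })
        entry["now_locked" if m.group("now") else "locked"] += 1
    return result


def report(log_text):
    """Format one summary line per user that has lockout messages."""
    return [
        "%s: first lockout message at %s (%d 'now locked out', %d 'locked out')"
        % (user, e["first_seen"], e["now_locked"], e["locked"])
        for user, e in find_lockouts(log_text).items()
    ]


if __name__ == "__main__":
    for summary in report(SAMPLE_LOG):
        print(summary)
```

Comparing `first_seen` with the time of the blank-password test shows whether the lockout coincided with that call or with the failed attempts made before it.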

It seems like it was a coincidence. Every time I got locked out was after I had tested the blank password, but before that I had tested the theory of failing many times; maybe I still hadn’t reached the limit and the blank password was the last one.

As you said, on the gateway:
