[Bug] system.security.validateUser makes user lose access when password is blank

When executing system.security.validateUser with password parameter blank, the user loses access.


Ignition 8.1.5

What if you secure the password field checking if password is blank.

password = '1234'
validate = False
if password.strip() != '':
     validate = system.security.validateUser('user',password)

Yes… but it’s kind of dangerous for those who don’t know, i had tested it with my designer account and lost it, on our server we only have access to the designer, someone can get locked in the future

I don’t think the use of a blank password made you “lose access”. What probably happened is: you triggered the validateUser scripting function with the incorrect credentials too many times and triggered a lockout for that user. See lockout settings described here: Classic Authentication Strategy - Ignition User Manual 8.1 - Ignition Documentation

In your Gateway logs, do you see any messages like User 'Teste01' is locked out or User 'Teste01' is now locked out? Especially around the time where you think you lost access? That would confirm my theory…

It seems like it was a coincidence, every time i get locked out was after I had tested the blank password, but before that I had tested the theory of failing many times, maybe I still hadn’t reached the limit and the blank password was the last one

as you said, on the gateway:

1 Like