[hotfix] Password strength fix (#3420)

* [fix] password min-score loophole

* [minor] cleanup message

* [fix] test

frappe/core/doctype/user/test_user.py

@@ -220,22 +220,26 @@ class TestUser(unittest.TestCase):
 		clear_limit('users')
 
 	def test_password_strength(self):
-		#Test Password without Password Strenth Policy
+		# Test Password without Password Strenth Policy
 		frappe.db.set_value("System Settings", "System Settings", "enable_password_policy", 0)
 		frappe.db.set_value("System Settings", "System Settings", "minimum_password_score", "")
 
-		# Should pass password strength test
+		# Score 0; should fail
 		result = test_password_strength("test_password")
+		self.assertEqual(result['feedback']['password_policy_validation_passed'], False)
+
+		# Score 1; should pass
+		result = test_password_strength("bee2ve")
 		self.assertEqual(result['feedback']['password_policy_validation_passed'], True)
 
 		# Test Password with Password Strenth Policy Set
 		frappe.db.set_value("System Settings", "System Settings", "enable_password_policy", 1)
 		frappe.db.set_value("System Settings", "System Settings", "minimum_password_score", 2)
 
-		#Should fail password strength test
-		result = test_password_strength("test_password")
+		# Score 1; should now fail
+		result = test_password_strength("bee2ve")
 		self.assertEqual(result['feedback']['password_policy_validation_passed'], False)
 
-		# Should pass password strength test
+		# Score 4; should pass
 		result = test_password_strength("Eastern_43A1W")
-		self.assertEqual(result['feedback']['password_policy_validation_passed'], True)
+		self.assertEqual(result['feedback']['password_policy_validation_passed'], True)

frappe/core/doctype/user/user.py

@@ -545,9 +545,9 @@ def test_password_strength(new_password, key=None, old_password=None, user_data=
 		enable_password_policy = cint(frappe.db.get_single_value("System Settings", "enable_password_policy")) and True or False
 		minimum_password_score = cint(frappe.db.get_single_value("System Settings", "minimum_password_score")) or 0
 
-		password_policy_validation_passed = True
-		if enable_password_policy and result['score'] < minimum_password_score:
-			password_policy_validation_passed = False
+		password_policy_validation_passed = False
+		if result['score'] > minimum_password_score:
+			password_policy_validation_passed = True
 
 		result['feedback']['password_policy_validation_passed'] = password_policy_validation_passed
 

frappe/www/update-password.html

@@ -148,28 +148,24 @@ frappe.ready(function() {
 		var message = [];
 		feedback.help_msg = "";
 		if(!feedback.password_policy_validation_passed){
-			feedback.help_msg = __("Hint: Include symbols, numbers and capital letters in the password");
+			feedback.help_msg = "<br>" + __("Hint: Include symbols, numbers and capital letters in the password");
 		}
 		if (feedback) {
 			if(!feedback.password_policy_validation_passed){
 				if (feedback.suggestions && feedback.suggestions.length) {
-					feedback.suggestions = feedback.suggestions + ' ' + feedback.help_msg;
 					message = message.concat(feedback.suggestions);
 				} else if (feedback.warning) {
-					feedback.warning = feedback.warning + ' ' + feedback.help_msg;
 					message.push(feedback.warning);
 				}
+				message.push(feedback.help_msg);
 
-				if (!message.length) {
-					message.push(feedback.help_msg);
-				}
-			}else{
+			} else {
 				message.push(__('Success! You are good to go 👍'));
 			}
 		}
 
 		strength_indicator.removeClass().addClass('password-strength-indicator indicator ' + color);
-		strength_message.text(message.join(' ') || '').removeClass('hidden');
+		strength_message.html(message.join(' ') || '').removeClass('hidden');
 		// strength_indicator.attr('title', message.join(' ') || '');
 	}