Nextcloud version (eg, 20.0.5): 21.0.3
Operating system and version (eg, Ubuntu 20.04): Debian GNU/Linux 10 (buster)
Apache or nginx version (eg, Apache 2.4.25): Apache HTTP 2.4.38-3+deb10u5
PHP version (eg, 7.4): 7.3.29-1~deb10u1
Hello,
First of all, thank you for this great tool that is Nextcloud!
We wish to create new user accounts without defining passwords, so the mail sent to new users contains a link for them to set their password themselves.
According to this topic, it should be possible to do so if we create a user without a password:
But when we do it, the request is sent to the server and we get a bad request from the API because the password is empty.
Is this the first time you’ve seen this error? (Y/N): Yes (first time tried)
Steps to replicate it:
Connect to the web front end of Nextcloud
Go to: Users > New user
Try to create a user with a login, username and mail but no password
The output of the Nextcloud log in Admin > Logging:
[ocs_api] Error: InvalidArgumentException: Un mot de passe valide doit être saisi at <<closure>>
0. /var/www/nextcloud/lib/private/User/Manager.php line 396
OC\User\Manager->createUserFromBackend("*** sensitive parameter replaced ***", "*** sensitive parameter replaced ***", OC\User\Database {})
1. /var/www/nextcloud/apps/provisioning_api/lib/Controller/UsersController.php line 412
OC\User\Manager->createUser("*** sensitive parameter replaced ***", "*** sensitive parameter replaced ***")
2. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 218
OCA\Provisioning_API\Controller\UsersController->addUser("*** sensitive parameters replaced ***")
3. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 127
OC\AppFramework\Http\Dispatcher->executeController(OCA\Provisioning ... {}, "addUser")
4. /var/www/nextcloud/lib/private/AppFramework/App.php line 157
OC\AppFramework\Http\Dispatcher->dispatch(OCA\Provisioning ... {}, "addUser")
5. /var/www/nextcloud/lib/private/Route/Router.php line 302
OC\AppFramework\App::main("OCA\\Provisioni ... r", "addUser", OC\AppFramework\ ... {}, {_route: "ocs.pr ... "})
6. /var/www/nextcloud/ocs/v1.php line 63
OC\Route\Router->match("/ocsapp/cloud/users")
7. /var/www/nextcloud/ocs/v2.php line 24
require_once("/var/www/nextcloud/ocs/v1.php")
POST /ocs/v2.php/cloud/users
from 157.26.87.163 by ncadmin at 2021-12-03T11:05:24+00:00
When I look in lib/private/User/Manager.php, it seems that a password is always required no matter what.
Are you referring to this part of the documentation:
Set the Send email to new user-checkbox allows you to leave the Password field empty. The user will get an activation-email to set their own password.
If that is the case, it is in this setup that I get the bad request error (with an empty password field), even though I checked Send email to new user.
By the way, I don’t have this message “When the password of a new user is left empty…” in the settings dialog. Am I missing a configuration variable?
At first, a password is generated with GenerateSecurePasswordEvent, as seen here:
If null, it will fall back to generating a 10-character password.
But if in Settings > Security > Minimal password length we have 0 configured, the generated password is an empty string, which is then passed to UserManager which considers an empty string as “no password” and throws an exception.
To fix it, you have to set a minimal password length greater than 0.
I will open a GitHub issue for the test to see if it should include || $password === '' (link).
As to why we can no longer see the “When the password of a new user is left empty…” message, it is because the documentation page is based on Nextcloud 13- (before the PHP → Vue switch).
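A simplified model of the flow described in the last post, added here as an example; it is not Nextcloud's code. The function names, the `$treatEmptyAsMissing` flag and the exception message are hypothetical, and the manager's check is assumed to reject any blank string.

```php
<?php
declare(strict_types=1);

// Random string of exactly $len characters; '' when $len is 0.
function randomString(int $len): string {
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Hypothetical stand-in for the listener answering GenerateSecurePasswordEvent.
// null models "no policy answered"; otherwise the length follows the policy.
function policyGenerate(?int $minLength): ?string {
    return $minLength === null ? null : randomString($minLength);
}

// Hypothetical stand-in for the user manager: a blank password is "no password".
function createUser(string $uid, string $password): string {
    if (trim($password) === '') {
        throw new InvalidArgumentException('valid password required'); // constructed message
    }
    return $uid;
}

// Controller step. $treatEmptyAsMissing switches on the extra `|| $password === ''`
// test proposed in the thread, so an empty result also takes the fallback.
function addUserWithoutPassword(string $uid, ?int $minLength, bool $treatEmptyAsMissing): string {
    $password = policyGenerate($minLength);
    if ($password === null || ($treatEmptyAsMissing && $password === '')) {
        $password = randomString(10); // the 10-character fallback
    }
    return createUser($uid, $password);
}

// Constructed cases: no policy, normal policy, minimal length 0 without and with the extra test.
foreach ([[null, false], [10, false], [0, false], [0, true]] as [$min, $fix]) {
    try {
        addUserWithoutPassword('alice', $min, $fix);
        $result = 'created';
    } catch (InvalidArgumentException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    printf("minLength=%s extraTest=%s -> %s\n", $min ?? 'null', $fix ? 'yes' : 'no', $result);
}
```

Only the case with a minimal length of 0 and no extra test reaches the manager with an empty string, which matches the workaround of setting the minimal password length above 0.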