Question

Commit Account without password and without events

1

What happens with the hashed password on ‘User’ when i create an ‘Account’ in a MF without a password, and commit Account without events? The commit works fine in this scenario, but what password is set in the attribute Password on User? I tried logging in locally without password for a created account like this, but this doesnt work. I need to know if this is safe or not.

asked 2021-09-03

Ruud Fleskens

3 answers

Yehoshua Choukroun · Answer 1 · 2021-09-03

Interesting, in my opinion the commit should not work.

If you don’t need to use the password of the account, I would suggest you to create a strong random password just to be sure everything is ok. (you can use the random string java action in the community common module)

Vaishali Karkhile · Answer 2 · 2021-09-03

Hi Ruud,

Why do you want to create Account(User) without password?

In my opinion creation of Account(Inheriting User entity) objects without passwords wont be of much use. If you create Account using page, password attribute is mandatory. Maybe just using microflow you could achieve Account creation without password, but this will not work in any kind of authentication mechanism during logging.

There is an option of Anonymous users which can access pages without regular authentication.

Mohammad Murshed · Answer 3 · 2021-09-05

In the System.User entity the password is mandatory, so creating a record from inside Mendix ex: Microflow is not possible without having a password entered.

However, to create a User record even without a password value is possible since no physical constraint is applied on the DB,

I have created a user with null password from outside Mendix. I can still see it in the accounts_overview I also can change it’s details and save, but no way to login with it.

But interesting ;D