Skip to content

fix(forms): clamp password minimum length to 6#3187

Open
faisalahammad wants to merge 1 commit into
gocodebox:devfrom
faisalahammad:fix/3045-password-min-length
Open

fix(forms): clamp password minimum length to 6#3187
faisalahammad wants to merge 1 commit into
gocodebox:devfrom
faisalahammad:fix/3045-password-min-length

Conversation

@faisalahammad

@faisalahammad faisalahammad commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

Summary

Issue #3045 reported that the password field minimum length could be set to a value lower than 6, which left users unable to submit a password because the strength meter and validator still enforce a 6-character floor. This change clamps the configured minimum length to 6 everywhere it is read so the UI and backend agree.

Fixes #3045

Changes

includes/forms/class-llms-form-validator.php

Before:

if ( strlen( $posted_value ) < $minlength ) {

After:

$minlength = max( 6, absint( $minlength ) );

if ( strlen( $posted_value ) < $minlength ) {

Why: The server-side validator now enforces the same absolute minimum as the strength meter, so a saved value below 6 cannot produce a mismatch.

includes/forms/class-llms-forms-dynamic-fields.php

Before:

'min_length'      => ! empty( $block['attrs']['html_attrs']['minlength'] ) ? $block['attrs']['html_attrs']['minlength'] : '',

After:

'min_length'      => ! empty( $block['attrs']['html_attrs']['minlength'] ) ? max( 6, absint( $block['attrs']['html_attrs']['minlength'] ) ) : '',

Why: The dynamic strength meter block reads the raw block attribute. Clamping it here keeps the meter in sync with the validator.

tests/phpunit/unit-tests/forms/class-llms-test-form-validator.php

Updated the existing minlength test to expect the 6-character floor, and added test_validate_field_attribute_minlength_clamps_to_six() to verify a configured minlength of 1 is treated as 6.

Testing

Test 1: Manual form validation

  1. Edit the registration form and set the password Minimum Password Length to 1.
  2. Save the form.
  3. Submit a 5-character password on the front end.
  4. Confirm the form is rejected with a message saying at least 6 characters are required.
  5. Submit a 6-character password.
  6. Confirm it is accepted.

Result: Works as expected.

The password field allowed admins to set a minimum length below the
absolute floor of 6. When saved, the password strength meter and server
validation still rejected passwords under 6 characters, creating a
confusing mismatch between the UI setting and actual behavior.

- Clamp minlength to 6 in the form validator.
- Clamp the dynamic strength meter's min_length to 6.
- Update existing tests to expect the 6-character floor and add a new
  test for the clamping behavior.

Fixes gocodebox#3045
@faisalahammad faisalahammad requested a review from brianhogg as a code owner June 16, 2026 09:31
@brianhogg brianhogg moved this to Awaiting Review in Development Jun 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Awaiting Review

Development

Successfully merging this pull request may close these issues.

2 participants