fix(security): validate demo user password against project policy

engalar · engalar · commit 25c9fccdfeb5 · 2026-04-08T21:34:48.000+08:00
CREATE DEMO USER now checks the password against the project's PasswordPolicy before writing to MPR. Previously, non-compliant passwords were accepted silently but the Mendix runtime would skip creating the user, leading to confusing "unknown user" login errors. Closes #137
diff --git a/mdl/executor/cmd_security_write.go b/mdl/executor/cmd_security_write.go
@@ -947,6 +947,11 @@ func (e *Executor) execCreateDemoUser(s *ast.CreateDemoUserStmt) error {
 		return fmt.Errorf("failed to read project security: %w", err)
 	}
 
+	// Validate password against project password policy
+	if err := ps.PasswordPolicy.ValidatePassword(s.Password); err != nil {
+		return fmt.Errorf("password policy violation for demo user '%s': %w\nhint: check your project's password policy with SHOW PROJECT SECURITY", s.UserName, err)
+	}
+
 	// Check if user already exists
 	for _, du := range ps.DemoUsers {
 		if du.UserName == s.UserName {
