I was looking at the sample https://github.com/cuba-platform/sample-user-registration/blob/master/modules/web/src/com/company/sample/web/screens/restorepassword/RestorePasswordScreen.java
and I think there is a toLowerCase() missing when checking for login (and a trim to help users with Android keyboards adding spaces).
should likely be
Is there a reason (other than "it is a sample") to not have moved the user existence check to the service (I even suspect this already exists somewhere in the platform)?
Also note that when I use the "register" feature, I cannot open the user in the admin section because one of the 2 roles is linked to a "null" role and this results in a Null Pointer Exception - tested with the 7.2.7 release. (It is odd that it is even possible to create such a link.)
Caused by: java.lang.NullPointerException: null
at com.haulmont.cuba.gui.app.security.user.edit.UserEditor.filterRolesDs(UserEditor.java:296) ~[cuba-gui-7.2.7.jar:7.2.7]
at com.haulmont.cuba.gui.app.security.user.edit.UserEditor.postInit(UserEditor.java:257) ~[cuba-gui-7.2.7.jar:7.2.7]
So probably something to improve in the Users detail screen (prevent NPE), maybe the data model (do not allow null roles) and maybe in the register (to check if the default hardcoded role exists?).
Also, it may be useful to draw attention in the readme to the security remark in app.config about "cuba.rest.anonymousEnabled = true" and explain which access needs to be granted (I have so far the sec$User create, read and update).