No error message displayed when create new user fails due to weak password #3847

Closed
SeeSpotRun opened this issue Mar 14, 2017 · 9 comments
@SeeSpotRun
Steps to reproduce

  1. Add new user with weak password in Users page
  2. Click "Create"

Expected behaviour

Error message "Password is within the 1,000,000..."

Actual behaviour

Fails silently; user not added

Server configuration

Operating system: Arch

Web server: nginx

Database: mysql

PHP version: 7.1.2

Nextcloud version: 11.0.2

Updated from an older Nextcloud/ownCloud or fresh install: Fresh

Where did you install Nextcloud from: arch repository

Are you using encryption: no

Note: problem appears to be fixed by SeeSpotRun@f0aa41f but not sure if that is the appropriate fix...

@SeeSpotRun SeeSpotRun changed the title No error message displayed create new user fails due to weak password No error message displayed when create new user fails due to weak password Mar 14, 2017
@nickvergessen
Member

Works pretty fine here:

Error creating user: Password is within the 1,000,000 most common passwords. Please choose another one.

Is there something in your nextcloud.log, error.log or your browsers console?

@SeeSpotRun
Author

I can't find anything in the logs.

It seems I'm not alone: #3914

@nickvergessen
Member

Can you please do the following before creating the user:

  1. Press F12 and change to the tab "Network"
  2. Create the user
  3. Check the Networks tab again.

It should look like this in Firefox:

[Screenshot: Firefox Network tab, 2017-03-20]

And like this in Chrome:

[Screenshot: Chrome Network tab, 2017-03-20]

If not, please make a screenshot and change to the "Console" tab and also paste the content of that tab into a comment here.

@SeeSpotRun
Author

@nickvergessen:
With the return value set to Http::STATUS_CONFLICT as per SeeSpotRun@f0aa41f, I see the correct message under Network/Response as per your post above (and as a pop-up at the top of the screen), and nothing under Console.

With the return value set to the original value of Http::STATUS_FORBIDDEN, the Console tab shows `TypeError: result.responseJSON is undefined` and Network/Response shows about 10 pages of HTML, which renders to:

Nextcloud

    Access forbidden

Nextcloud – a safe home for all your data

Let me know if you want the full html.
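The symptom described in the comment above (an HTML body where the browser expected JSON, so `result.responseJSON` is undefined) can be checked from a captured HTTP response. The following is an added Python example, not code from the issue thread or from Nextcloud; the two sample responses are constructed, and the `{"message": ...}` JSON shape is an assumption, not taken from the Nextcloud source.

```python
import json

def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def diagnose(raw):
    """Return (ok, message). ok is True only if the JSON error body survived
    the reverse proxy; False means the client would see responseJSON undefined."""
    status, headers, body = parse_http_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/json":
        try:
            data = json.loads(body)
        except ValueError:
            return False, "Content-Type is JSON but the body does not parse"
        msg = data.get("message") if isinstance(data, dict) else None
        return True, msg or "JSON body without a message field"
    if ctype == "text/html" and status in (403, 404):
        return False, (f"HTML page returned for status {status}: an nginx error_page "
                       f"directive (with fastcgi_intercept_errors on) is probably "
                       f"replacing the application's JSON response")
    return False, f"unexpected Content-Type {ctype!r} for status {status}"

# Constructed sample responses (not captured from a real server).
JSON_403 = ("HTTP/1.1 403 Forbidden\r\nContent-Type: application/json; charset=utf-8\r\n\r\n"
            + json.dumps({"message": "Password is within the 1,000,000 most common "
                                     "passwords. Please choose another one."}))
HTML_403 = ("HTTP/1.1 403 Forbidden\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
            "<!DOCTYPE html><html><body><h1>Access forbidden</h1>"
            "<p>Nextcloud - a safe home for all your data</p></body></html>")

if __name__ == "__main__":
    for name, raw in (("json", JSON_403), ("html", HTML_403)):
        ok, msg = diagnose(raw)
        print(name, "OK" if ok else "BROKEN", "-", msg)
```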

@nickvergessen
Member

Can you please post your nginx config?

@SeeSpotRun
Author

nginx.conf:

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    include conf.d/*.conf;

}

conf.d/nextcloud.conf:

upstream php-handler {
    server unix:/run/php-fpm/php-fpm.sock;
}

server {
    listen 80;
    server_name nc.redacted.tld.com;

    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name nc.redacted.tld.com;

    ssl_certificate /etc/letsencrypt/live/redacted.tld.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/redacted.tld.com/privkey.pem;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Path to the root of your installation
    root /usr/share/webapps/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location ~ /.well-known/acme-challenge {
        allow all;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        # includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

@nickvergessen
Member

Can you please remove

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

from the nginx config. I think we don't want to do that anymore.

@SeeSpotRun
Author

SeeSpotRun commented Mar 20, 2017

Done.

Unfortunately behaviour unchanged. That fixed it!

Note to self: don't change 2 things at the same time!

Thanks for your help.

I have updated the sample config in the Arch wiki page at https://wiki.archlinux.org/index.php/Nextcloud#Running_ownCloud_in_a_subdirectory accordingly.

nickvergessen added a commit to nextcloud/documentation that referenced this issue Mar 21, 2017
The error pages broke OCS endpoints which return 403 and 404
nextcloud/server#3847

Signed-off-by: Joas Schilling <coding@schilljs.com>
MorrisJobke pushed a commit to nextcloud/documentation that referenced this issue Mar 22, 2017
The error pages broke OCS endpoints which return 403 and 404
nextcloud/server#3847

Signed-off-by: Joas Schilling <coding@schilljs.com>
@MorrisJobke MorrisJobke added this to the Nextcloud 12.0 milestone Mar 22, 2017
JoshData pushed a commit to mail-in-a-box/mailinabox that referenced this issue Apr 4, 2017
They are known to cause troubles, for more information see
nextcloud/server#3847
emmanuelvargas pushed a commit to emmanuelvargas/power-mailinabox that referenced this issue Jul 12, 2021
They are known to cause troubles, for more information see
nextcloud/server#3847