Opened 7 years ago

Closed 7 years ago

#28571 closed Cleanup/optimization (fixed)

Allow createsuperuser to bypass password validation

Reported by: Daniel Hahler Owned by: Tom Forbes
Component: contrib.auth Version: 1.11
Severity: Normal Keywords:
Cc: Tom Forbes Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When using ./manage.py createsuperuser on a new local project, you should not get interrupted by some minimal password length.

While I think it is good to have this by default there should at least be an option to override it: it is only meant for local development after all in this case.

So it should either be more smarter when to apply those limits by default (hint: using an SQLite DB is not meant for production), or just provide strong hints in the settings.

Change History (6)

comment:1 by Daniel Hahler, 7 years ago

It is as easy as conditionally settting django.contrib.auth.password_validation.MinimumLengthValidator (etc) after all.

So this might just get wrapped by some if not DEBUG?

Last edited 7 years ago by Daniel Hahler (previous) (diff)

comment:2 by Tim Graham, 7 years ago

Component: Uncategorizedcontrib.auth
Summary: createsuperuser should not impose password validators (or allow to skip them)Allow createsuperuser to bypass password validation
Triage Stage: UnreviewedAccepted
Type: BugCleanup/optimization

This was discussed at length on django-developers. I think Carl's suggestion is fine:

My favorite option is for the createsuperuser command specifically (and nothing else) to implement password validation as a confirm dialog rather than a hard block. If your password fails validation, it tells you how and asks you to confirm that you really want to use that password. This makes sense to me because the createsuperuser command (unlike any site web UI) can only ever be used by someone who would also have the ability to set their password directly via shell if they want. So it's good to remind them of the validation fail, but there's no reason to make their life difficult.

comment:3 by Daniel Hahler, 7 years ago

Thanks!
Asking for confirmation but allow for setting anything would be nice to have.

comment:4 by Tom Forbes, 7 years ago

Cc: Tom Forbes added
Owner: changed from nobody to Tom Forbes
Status: newassigned

comment:5 by Tom Forbes, 7 years ago

PR: https://github.com/django/django/pull/9050/

I was not sure what the prompt message should be or if we should include some kind of warning, so I went with: Bypass validation and create user anyway? [y/n]: '

comment:6 by Tim Graham <timograham@…>, 7 years ago

Resolution: fixed
Status: assignedclosed

In b81905bf:

Fixed #28571 -- Added a prompt to bypass password validation in createsuperuser.

Note: See TracTickets for help on using tickets.
Back to Top