Opened 7 years ago

Closed 6 years ago

#28571 closed Cleanup/optimization (fixed)

Allow createsuperuser to bypass password validation

Reported by: Daniel Hahler
Owned by: Tom Forbes
Component: contrib.auth
Version: 1.11
Severity: Normal
Keywords:
Cc: Tom Forbes
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

When using ./manage.py createsuperuser on a new local project, you should not get interrupted by some minimal password length.

While I think it is good to have this by default there should at least be an option to override it: it is only meant for local development after all in this case.

So it should either be smarter about when to apply those limits by default (hint: using an SQLite DB is not meant for production), or just provide strong hints in the settings.

Change History (6)

comment:1 by Daniel Hahler, 7 years ago

It is as easy as conditionally setting django.contrib.auth.password_validation.MinimumLengthValidator (etc.) after all.

So this might just get wrapped by some if not DEBUG?


comment:2 by Tim Graham, 7 years ago

Component: Uncategorized → contrib.auth
Summary: createsuperuser should not impose password validators (or allow to skip them) → Allow createsuperuser to bypass password validation
Triage Stage: Unreviewed → Accepted
Type: Bug → Cleanup/optimization

This was discussed at length on django-developers. I think Carl's suggestion is fine:

My favorite option is for the createsuperuser command specifically (and nothing else) to implement password validation as a confirm dialog rather than a hard block. If your password fails validation, it tells you how and asks you to confirm that you really want to use that password. This makes sense to me because the createsuperuser command (unlike any site web UI) can only ever be used by someone who would also have the ability to set their password directly via shell if they want. So it's good to remind them of the validation fail, but there's no reason to make their life difficult.

comment:3 by Daniel Hahler, 7 years ago

Thanks!
Asking for confirmation but allowing for setting anything would be nice to have.

comment:4 by Tom Forbes, 7 years ago

Cc: Tom Forbes added
Owner: changed from nobody to Tom Forbes
Status: new → assigned

comment:5 by Tom Forbes, 7 years ago

PR: https://github.com/django/django/pull/9050/

I was not sure what the prompt message should be or if we should include some kind of warning, so I went with: 'Bypass validation and create user anyway? [y/n]: '

comment:6 by Tim Graham <timograham@…>, 6 years ago

Resolution: fixed
Status: assigned → closed

In b81905bf:

Fixed #28571 -- Added a prompt to bypass password validation in createsuperuser.
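
The confirm-instead-of-block flow agreed on in this ticket, as an added standalone sketch (not Django's code and not the merged patch). The two validators, `choose_password` and the returned `bypassed` flag are assumptions made for illustration; only the prompt text is taken from comment:5.

```python
import getpass

MIN_LENGTH = 8  # assumed policy for this sketch


def min_length(password):
    # Hypothetical stand-in for a minimum-length validator.
    if len(password) < MIN_LENGTH:
        return f"This password is too short. It must contain at least {MIN_LENGTH} characters."
    return None


def not_all_numeric(password):
    # Hypothetical stand-in for a numeric-only validator.
    return "This password is entirely numeric." if password.isdigit() else None


VALIDATORS = (min_length, not_all_numeric)


def validate(password):
    """Run every validator and collect all failure messages."""
    return [msg for check in VALIDATORS if (msg := check(password))]


def choose_password(read_password, ask, out=print):
    """Prompt until a password is accepted; return (password, bypassed).

    A validation failure is reported in full, then the operator may confirm
    the weak password explicitly. Any answer other than "y" re-prompts.
    """
    while True:
        password = read_password("Password: ")
        if password != read_password("Password (again): "):
            out("Error: Your passwords didn't match.")
            continue
        errors = validate(password)
        if not errors:
            return password, False
        for msg in errors:
            out(msg)
        answer = ask("Bypass validation and create user anyway? [y/n]: ")
        if answer.strip().lower() == "y":
            return password, True  # caller can record the override


if __name__ == "__main__":
    _, bypassed = choose_password(getpass.getpass, input)
    print("Validation bypassed." if bypassed else "Password accepted.")
```

Returning the `bypassed` flag lets the caller log that a superuser was created with a password that failed the configured policy.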
