Opened 8 years ago
Closed 8 years ago
#28127 closed Bug (fixed)
Allow UserCreationForm's password validation to check all user fields
Reported by: | jambonrose | Owned by: | jambonrose |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description
I started a discussion on the developer mailing list for this topic: https://groups.google.com/d/topic/django-developers/glrLyuPkiKs/discussion
Effectively, the user creation form and the password change form use the UserAttributeSimilarityValidator differently. It is possible to create a user via a subclass of Django's UserCreationForm with a password that would be denied by the password change form. This is because the user creation form only checks similarity against the username field. When changing a password, the password is validated in similarity to username, first_name, last_name, and email.
This seems highly undesirable.
The central cause is that the ModelForm superclass (of UserCreationForm) hasn't yet created the User instance. UserCreationForm manually adds username to the empty User instance on line 105 to allow for user attribute validation. In the event a developer subclasses UserCreationForm, the form will still only validate against the username, rather than all of the fields in the form.
I will have a PR with a proposed fix (discussed in the mailing list) shortly.
Change History (4)
comment:2 by , 8 years ago
Triage Stage: | Unreviewed → Accepted |
comment:3 by , 8 years ago
Patch needs improvement: | set |
Summary: | Inconsistent Behavior in Auth with UserAttributeSimilarityValidator → Allow UserCreationForm's password validation to check all user fields |