Opened 8 years ago

Closed 8 years ago

#28127 closed Bug (fixed)

Allow UserCreationForm's password validation to check all user fields

Reported by: jambonrose Owned by: jambonrose
Component: contrib.auth Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description

I started a discussion on the developer mailing list for this topic: https://groups.google.com/d/topic/django-developers/glrLyuPkiKs/discussion

Effectively, the user creation form and the password change form use the UserAttributeSimilarityValidator differently. It is possible to create a user via a subclass of Django's UserCreationForm with a password that would be denied by the password change form. This is because the user creation form only checks similarity agains the username field. When changing a password, the password is validated in similarity to username, first_name, last_name, and email.

This seems highly undesirable.

The central cause is that the ModelForm superclass (of UserCreationForm) hasn't yet created the User instance. UserCreationForm manually adds username to the empty User instance on line 105 to allow for user attribute validation. In the event a developer subclasses UserCreationForm, then the form will still only validate against the username, rather than all of the fields in the field.

I will have a PR with a proposed fix (discussed in the mailing list) shortly.

Change History (4)

comment:1 by jambonrose, 8 years ago

Has patch: set
Version 0, edited 8 years ago by jambonrose (next)

comment:2 by Tim Graham, 8 years ago

Triage Stage: UnreviewedAccepted

comment:3 by Tim Graham, 8 years ago

Patch needs improvement: set
Summary: Inconsistent Behavior in Auth with UserAttributeSimilarityValidatorAllow UserCreationForm's password validation to check all user fields

comment:4 by Tim Graham <timograham@…>, 8 years ago

Resolution: fixed
Status: assignedclosed

In a96b981d:

Fixed #28127 -- Allowed UserCreationForm's password validation to check all user fields.

Note: See TracTickets for help on using tickets.
Back to Top