--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/746795c5-7009-48c4-8065-9d5c1997033c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
For what it’s worth, I’m in favor of restoring the intended behavior of restricting usernames to ASCII on Python 3 and letting developers who want something more elaborate implement their own requirements.
One last anecdote: I live in a country where many people have non-ASCII names and no one would ask for a non-ASCII username because everyone knows it would cause problems at some point, even if IT thinks otherwise! :-)
I'll see if I can find the time to work on something acceptable, allowing people to choose either policy without too much hassle and backwards incompatibility. Of course, anyone else could try it, too.
> https://github.com/django/django/pull/6494
This patch looks pretty good. I have a few questions, not necessarily because I disagree with your proposal, but to make sure we have considered alternatives. Actually I don't think there's exactly one correct solution here; it's more a matter of tradeoffs.
You added a username_validator attribute instead of documenting how to override the whole username field. Can you elaborate on this decision? I simplifies the use case targeted by the patch by introducing a one-off API. As a matter of principle I'm a bit skeptical of such special cases. But I understand the convenience.
Normalization happens at the form layer. I'm wondering whether it would be safer to do it at the model layer. That would extend the security hardening to cases where users aren't created with a form — for example if they're created through an API or programmatically.
I would keep ASCII usernames as the default because:
- this has always been the intent;
- allowing non ASCII usernames may result in interoperability problems with other software e.g. if a Django project is used as SSO server;
- these interoperability issues might escalate into security vulnerabilities — there isn't a straightforward connection but (1) non ASCII data can be used for breaking out of parsing routines (2) I'm paranoid with anything that manipulates authentication credentials;
- I'm afraid this change may result in boilerplate as most custom user models will revert to Django's historical (and in my opinion sensible) username validation rules.
Finally, I would add a test to check that a username containing a zero-width space is rejected, just to make sure we never accidentally make it trivial to create usernames that render identically, which this PR aims at preventing. It will be rejected because it won't match \w.
Le samedi 23 avril 2016 14:33:56 UTC+2, Aymeric Augustin a écrit :
You added a username_validator attribute instead of documenting how to override the whole username field. Can you elaborate on this decision? I simplifies the use case targeted by the patch by introducing a one-off API. As a matter of principle I'm a bit skeptical of such special cases. But I understand the convenience.
My preoccupation here was not to force users to create a custom user model just to change the username validation, especially as the migration system doesn't seem to support yet upgrading from the standard auth User to a custom user. I thought that creating a proxy custom user is easier migration-wise, as no new table is required. But I may be wrong.
Globally, I totally understand your opinion, and I agree there is no "right" or "wrong" solution. Eventually, this might be a decision to be brought to the technical broad.
Rather than change the behavior of Python 2 near its last supported version of Django, I would make the default validator ASCII on Python 2 and Unicode on Python 3.
Just to be sure, do you mean django.db.migrations (referencing the appropriate validator in the migration file, I guess?) or some problem a project would face when migrating from Python 2 to 3?
- I'm afraid this change may result in boilerplate as most custom user models will revert to Django's historical (and in my opinion sensible) username validation rules.
That's a tough question to estimate. This might be true for most English monolingual web sites, but not necessarily for the majority of Django sites. Hopefully we'll get some more user inputs in this thread.
A Django user who is trying to save time and get a product out the door isn't going to focus on finer details such as Unicode usernames, and will be in for a shock when he finds out a bunch of his users have registered themselves with Egyptian hieroglyphics. He may be very frustrated, eventually figuring out that he must subclass the User model and setusername_validator = ASCIIUsernameValidator() to get the functionality he expected. And what is he to do with the existing Unicode users, delete all their accounts?
Whereas a technologically forward user might be friendlier towards Unicode usernames, and would be well-informed on these capabilities within Django. Furthermore, the technologically forward user will be more likely to already have a custom user model, and won't find it cumbersome to explicitly enable Unicode usernames. Enabling Unicode usernames isn't destructive like disabling it would be (no need to figure out what to do with the existing users offending the validation), so users can simply start using it immediately.