[Django] #26719: UserCreationForm is not calling normalize_email


Django

Jun 7, 2016, 5:22:43 AM
to django-...@googlegroups.com
#26719: UserCreationForm is not calling normalize_email
-------------------------------+--------------------
Reporter: mitar | Owner: nobody
Type: Uncategorized | Status: new
Component: Forms | Version: 1.9
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
`UserCreationForm` seems to not be calling `normalize_email`, which is
called otherwise by the `UserManager.create_user`.

--
Ticket URL: <https://code.djangoproject.com/ticket/26719>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Jun 7, 2016, 11:05:21 AM
to django-...@googlegroups.com
#26719: UserCreationForm is not calling normalize_email
------------------------+------------------------------------
Reporter: mitar | Owner: nobody
Type: Bug | Status: new
Component: Forms | Version: 1.9
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------+------------------------------------
Changes (by claudep):

* needs_docs: => 0
* needs_better_patch: => 0
* type: Uncategorized => Bug
* needs_tests: => 0
* stage: Unreviewed => Accepted


Comment:

Same for `normalize_username` in 1.10. What about applying the
normalization in an `AbstractUser.clean()` method?

--
Ticket URL: <https://code.djangoproject.com/ticket/26719#comment:1>

Django

Jun 18, 2016, 10:35:51 AM
to django-...@googlegroups.com
#26719: UserCreationForm is not calling normalize_email
------------------------+------------------------------------
Reporter: mitar | Owner: nobody
Type: Bug | Status: new
Component: Forms | Version: 1.9
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------+------------------------------------
Changes (by timgraham):

* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/6788 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/26719#comment:2>

Django

Jun 18, 2016, 8:03:18 PM
to django-...@googlegroups.com
#26719: UserCreationForm doesn't call normalize_email and normalize_username
---------------------------------+------------------------------------
Reporter: mitar | Owner: nobody
Type: Bug | Status: new
Component: Forms | Version: 1.10
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Changes (by timgraham):

* needs_better_patch: 0 => 1
* version: 1.9 => 1.10
* severity: Normal => Release blocker


Comment:

Promoting to release blocker in light of Claude's concern of the lack of
`normalize_username` as a possible security issue.

--
Ticket URL: <https://code.djangoproject.com/ticket/26719#comment:3>

Django

Jun 19, 2016, 5:31:28 AM
to django-...@googlegroups.com
#26719: UserCreationForm doesn't call normalize_email and normalize_username
---------------------------------+------------------------------------
Reporter: mitar | Owner: nobody
Type: Bug | Status: new
Component: Forms | Version: 1.10
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------

Comment (by mitar):

Can you elaborate on the security concern?

--
Ticket URL: <https://code.djangoproject.com/ticket/26719#comment:4>

Django

Jun 19, 2016, 1:01:24 PM
to django-...@googlegroups.com
#26719: UserCreationForm doesn't call normalize_email and normalize_username
---------------------------------+------------------------------------
Reporter: mitar | Owner: nobody
Type: Bug | Status: new
Component: Forms | Version: 1.10
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------

Comment (by claudep):

The security concern is about unicode username not being normalized, which
could allow a user to create a new account with a visually similar
username as another one.
You can also find more information on this
[https://groups.google.com/forum/#!topic/django-developers/MBSWXcQBP3k
django-developers thread].

--
Ticket URL: <https://code.djangoproject.com/ticket/26719#comment:5>

Django

Jun 20, 2016, 9:44:29 PM
to django-...@googlegroups.com
#26719: UserCreationForm doesn't call normalize_email and normalize_username
-------------------------------------+-------------------------------------
Reporter: mitar | Owner: nobody
Type: Bug | Status: new
Component: Forms | Version: 1.10
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* needs_better_patch: 1 => 0
* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/26719#comment:6>

Django

Jun 21, 2016, 1:04:46 PM
to django-...@googlegroups.com
#26719: UserCreationForm doesn't call normalize_email
------------------------+------------------------------------
Reporter: mitar | Owner: nobody
Type: Bug | Status: new
Component: Forms | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------+------------------------------------
Changes (by timgraham):

* needs_better_patch: 0 => 1
* severity: Release blocker => Normal
* stage: Ready for checkin => Accepted


Comment:

I wrote [https://github.com/django/django/pull/6819 a separate patch] for
moving `username` normalization to `AbstractBaseUser.clean()`. I'll
refocus this ticket to moving `email` normalization since this isn't a
blocker for 1.10.

--
Ticket URL: <https://code.djangoproject.com/ticket/26719#comment:7>

Django

Jun 21, 2016, 4:20:07 PM
to django-...@googlegroups.com
#26719: UserCreationForm doesn't call normalize_email
------------------------+------------------------------------
Reporter: mitar | Owner: nobody
Type: Bug | Status: new
Component: Forms | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"39805686b364358af725b695924a5a6dfa7f5302" 39805686]:
{{{
#!CommitTicketReference repository=""
revision="39805686b364358af725b695924a5a6dfa7f5302"
Refs #21379, #26719 -- Moved username normalization to AbstractBaseUser.

Thanks Huynh Thanh Tam for the initial patch and Claude Paroz for review.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26719#comment:8>

Django

Jun 21, 2016, 4:29:14 PM
to django-...@googlegroups.com
#26719: UserCreationForm doesn't call normalize_email
------------------------+------------------------------------
Reporter: mitar | Owner: nobody
Type: Bug | Status: new
Component: Forms | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"1b0b6f0342e5ac9e3e789ca522ad64a532602c3f" 1b0b6f03]:
{{{
#!CommitTicketReference repository=""
revision="1b0b6f0342e5ac9e3e789ca522ad64a532602c3f"
[1.10.x] Refs #21379, #26719 -- Moved username normalization to
AbstractBaseUser.

Thanks Huynh Thanh Tam for the initial patch and Claude Paroz for review.

Backport of 39805686b364358af725b695924a5a6dfa7f5302 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26719#comment:9>

Django

Jun 22, 2016, 2:12:52 PM
to django-...@googlegroups.com
#26719: UserCreationForm doesn't call normalize_email
------------------------+------------------------------------
Reporter: mitar | Owner: nobody
Type: Bug | Status: new
Component: Forms | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------+------------------------------------

Comment (by timgraham):

Not sure I understand the premise of the report because `UserCreationForm`
only has `fields = ("username",)` (no `email` field).

--
Ticket URL: <https://code.djangoproject.com/ticket/26719#comment:10>

Django

Jun 22, 2016, 2:16:02 PM
to django-...@googlegroups.com
#26719: UserCreationForm doesn't call normalize_email
------------------------------+------------------------------------
Reporter: mitar | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by timgraham):

* component: Forms => contrib.auth


--
Ticket URL: <https://code.djangoproject.com/ticket/26719#comment:11>

Django

Jun 22, 2016, 4:46:40 PM
to django-...@googlegroups.com
#26719: UserCreationForm doesn't call normalize_email
------------------------------+------------------------------------
Reporter: mitar | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------

Comment (by mitar):

Yes, but you can extend it and add it to fields in Meta. It is a
ModelForm. So the list of fields exposed is just a default.

--
Ticket URL: <https://code.djangoproject.com/ticket/26719#comment:12>

Django

Jun 23, 2016, 3:06:32 PM
to django-...@googlegroups.com
#26719: UserCreationForm doesn't call normalize_email
-------------------------------------+-------------------------------------
Reporter: mitar | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* needs_better_patch: 1 => 0
* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/26719#comment:13>

Django

Jun 24, 2016, 10:39:19 AM
to django-...@googlegroups.com
#26719: UserCreationForm doesn't call normalize_email
-------------------------------------+-------------------------------------
Reporter: mitar | Owner: nobody
Type: Bug | Status: closed
Component: contrib.auth | Version: 1.10
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: new => closed
* resolution: => fixed


Comment:

In [changeset:"09119dff14ad24d53ac0273e5cd2de24de0b0d81" 09119dff]:
{{{
#!CommitTicketReference repository=""
revision="09119dff14ad24d53ac0273e5cd2de24de0b0d81"
Fixed #26719 -- Normalized email in AbstractUser.clean().
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26719#comment:14>
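
Added example, not part of the ticket thread and not Django's own code: a stand-alone model of the gap discussed in comments 5 and 12 and closed by the commits above, where the manager path normalizes but a form path that only runs the model's clean() does not. The Registry class, its method names and the sample accounts are assumptions constructed for illustration; the two normalize functions mirror what Django's helpers do (NFKC for usernames, lowercasing the domain part for email).

```python
import unicodedata

def normalize_username(username):
    # NFKC folds compatibility forms (fullwidth letters, ligatures) together.
    return unicodedata.normalize("NFKC", username)

def normalize_email(email):
    # Lowercase only the domain part; the local part stays case-sensitive.
    local, sep, domain = email.strip().rpartition("@")
    return local + sep + domain.lower() if sep else email

class Registry:
    """Hypothetical user table with a unique constraint on the username."""

    def __init__(self, normalize_in_clean):
        self.normalize_in_clean = normalize_in_clean
        self.users = {}

    def clean(self, username, email):
        # Model-level hook. The fix moves normalization here so that every
        # entry point (manager, form, admin) shares it.
        if self.normalize_in_clean:
            return normalize_username(username), normalize_email(email)
        return username, email

    def create_user(self, username, email):
        # Manager path: normalized both before and after the fix.
        return self._insert(normalize_username(username), normalize_email(email))

    def form_save(self, username, email):
        # Form path: relies on clean() alone.
        return self._insert(*self.clean(username, email))

    def _insert(self, username, email):
        if username in self.users:
            raise ValueError("username already exists")
        self.users[username] = email
        return username, email

LOOKALIKE = "\uff41dmin"  # constructed sample: fullwidth 'a' followed by "dmin"

def register_lookalike(normalize_in_clean):
    """Create 'admin' via the manager, then submit a lookalike via the form."""
    reg = Registry(normalize_in_clean)
    reg.create_user("admin", "root@Example.COM")
    try:
        return reg.form_save(LOOKALIKE, "Eve@Example.COM")
    except ValueError as exc:
        return str(exc)
```

NFKC only folds compatibility forms of the same character; letters from another script that merely look alike (for example Cyrillic "а") survive it and need a separate confusables check.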
