[Django] #25617: Disallow usernames that differ only in case in UserCreationForm


Django

5 Aban 1394, 13:20:53
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
------------------------------------------------+------------------------
Reporter: timgraham | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
Most applications don't treat user names as case sensitive. While we can't
treat usernames as case-insensitive everywhere in Django due to backwards
compatibility (#2273), by using `username__iexact` when checking for
uniqueness of new usernames in `UserCreationForm`, we can at least prevent
the creation of new usernames that differ only in case from an existing
one. This protection won't cover creating a user in the shell or through
the `createsuperuser` management command, but I don't think this is
critical.

This wouldn't affect any usernames that already exist, and users will
still need to log in with the same case that they register with.

--
Ticket URL: <https://code.djangoproject.com/ticket/25617>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
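
The behaviour described in the ticket, modelled with Python's built-in `sqlite3` as an added example (this is not Django's code and not the patch from this ticket). The table name `demo_user`, the function names and the sample usernames are constructed for illustration.

```python
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    # Case-sensitive UNIQUE column: "Alice" and "alice" are distinct values.
    db.execute("CREATE TABLE demo_user (username TEXT NOT NULL UNIQUE)")
    return db


def taken_iexact(db, username):
    """Case-insensitive existence check, the role username__iexact plays.
    SQLite's lower() folds ASCII only; the sample names used here are ASCII."""
    sql = "SELECT 1 FROM demo_user WHERE lower(username) = lower(?) LIMIT 1"
    return db.execute(sql, (username,)).fetchone() is not None


def register_via_form(db, username):
    """Creation path that runs the check first (stands in for the form)."""
    if taken_iexact(db, username):
        return False
    db.execute("INSERT INTO demo_user (username) VALUES (?)", (username,))
    return True


def create_directly(db, username):
    """Path that skips the form (the ticket names the shell and
    createsuperuser): only the case-sensitive UNIQUE constraint applies."""
    try:
        db.execute("INSERT INTO demo_user (username) VALUES (?)", (username,))
        return True
    except sqlite3.IntegrityError:
        return False


def can_look_up_for_login(db, username):
    """Login lookup stays an exact, case-sensitive match."""
    sql = "SELECT 1 FROM demo_user WHERE username = ?"
    return db.execute(sql, (username,)).fetchone() is not None


def find_case_collisions(db):
    """Audit existing rows for names that differ only in case."""
    groups = {}
    for (name,) in db.execute("SELECT username FROM demo_user ORDER BY username"):
        groups.setdefault(name.lower(), []).append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    db = make_db()
    print(register_via_form(db, "Alice"))   # first registration
    print(register_via_form(db, "alice"))   # differs only in case
    print(create_directly(db, "ALICE"))     # bypasses the form-level check
    print(can_look_up_for_login(db, "alice"))
    print(find_case_collisions(db))
```

The audit function is the part to run against existing data, since a form-level check does nothing about rows created earlier or through other paths.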

Django

5 Aban 1394, 13:37:49
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
--------------------------------------+------------------------------------

Reporter: timgraham | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by claudep):

* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:1>

Django

6 Aban 1394, 0:28:26
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
--------------------------------------+------------------------------------

Reporter: timgraham | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by zachborboa):

* cc: zachborboa@… (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:2>

Django

14 Aban 1394, 15:40:23
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
--------------------------------------+------------------------------------
Reporter: timgraham | Owner: nmundar
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by nmundar):

* owner: nobody => nmundar
* cc: nmundar@… (added)
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:3>

Django

15 Aban 1394, 3:19:19
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
--------------------------------------+------------------------------------
Reporter: timgraham | Owner: nmundar
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by nmundar):

* Attachment "ticket_25617.patch" added.

Django

15 Aban 1394, 3:20:44
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
--------------------------------------+------------------------------------
Reporter: timgraham | Owner: nmundar
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by nmundar):

It's possible to achieve the effect described in this ticket by raising
ValidationError in UserCreationForm.clean_username. However, this
introduces one additional side-effect in tests of password validation
logic. UserAttributeSimilarityValidator will not be able to check if
username is similar to password because previously raised ValidationError
will make username attribute None in password validator and "The password
is too similar to the username." message will be missing from error list.
Since the username in this case has to be changed anyway, omitting this
message may not be relevant because password similarity check makes sense
only on valid usernames. That's the explanation why
auth_tests.test_forms.UserCreationFormTest.test_validates_password has to
be tweaked in the patch.

--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:4>

Django

16 Aban 1394, 6:24:44
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
--------------------------------------+------------------------------------
Reporter: timgraham | Owner: nmundar
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by nmundar):

* has_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:5>

Django

16 Aban 1394, 6:28:03
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
--------------------------------------+------------------------------------
Reporter: timgraham | Owner: nmundar
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by timgraham):

Are you able to convert the patch into a pull request?

--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:6>

Django

16 Aban 1394, 6:34:24
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
--------------------------------------+------------------------------------
Reporter: timgraham | Owner: nmundar
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by nmundar):

PR: https://github.com/django/django/pull/5572

--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:7>

Django

27 Aban 1394, 20:42:52
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
--------------------------------------+------------------------------------
Reporter: timgraham | Owner: nmundar
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by timgraham):

* needs_better_patch: 0 => 1


Comment:

There's a test failure.

--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:8>

Django

2 Azar 1394, 7:17:00
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
--------------------------------------+------------------------------------
Reporter: timgraham | Owner: nmundar
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by nmundar):

* needs_better_patch: 1 => 0


Comment:

It's fixed now, stupid mistake. Previous form data that I've used didn't
trigger password length validation.

--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:9>

Django

17 Azar 1394, 15:11:26
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
--------------------------------------+------------------------------------
Reporter: timgraham | Owner: nmundar
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by timgraham):

* needs_better_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:10>

Django

1 Farvardin 1395, 6:59:49
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
--------------------------------------+------------------------------------
Reporter: timgraham | Owner: nmundar
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by berkerpeksag):

* cc: berker.peksag@… (added)


Comment:

Looking at https://github.com/django/django/pull/5572 again, I'd suggest
the following API:

* Adding a `clean_username` method would make `UserCreationForm` less
subclass friendly. I'd suggest renaming `UserCreationForm` to
`BaseUserCreationForm` and documenting it as a preferred way to extend the
user creation form.
* Add a `clean_username` method to `UserCreationForm` (it will be a
subclass of `BaseUserCreationForm`)

Thoughts?

--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:11>

Django

15 Dey 1397, 19:03:03
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Neven
Type: | Munđar
Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Kye Russell):

* cc: Kye Russell (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:12>

Django

23 Farvardin 1398, 12:44:29
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Neven
Type: | Munđar
Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by René Fleschenberg):

* cc: René Fleschenberg (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:13>

Django

25 Mordad 1401, 4:45:36
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
--------------------------------------+------------------------------------
Reporter: Tim Graham | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: dev

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Mariusz Felisiak):

* owner: Neven Munđar => (none)
* status: assigned => new


--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:14>

Django

3 Mehr 1401, 4:46:08
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Paul
Type: | Schilling
Cleanup/optimization | Status: assigned

Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Paul Schilling):

* owner: (none) => Paul Schilling


* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:15>

Django

3 Mehr 1401, 8:57:31
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Paul
Type: | Schilling
Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* needs_better_patch: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:16>

Django

12 Mehr 1401, 0:18:05
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Paul
Type: | Schilling
Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 1 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* needs_better_patch: 0 => 1
* needs_tests: 0 => 1
* needs_docs: 0 => 1


Comment:

[https://github.com/django/django/pull/16103 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:17>

Django

19 Azar 1401, 12:44:13
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Paul
Type: | Schilling
Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* needs_better_patch: 1 => 0

* needs_tests: 1 => 0
* needs_docs: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:18>

Django

8 Dey 1401, 3:43:25
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Paul
Type: | Schilling
Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:19>

Django

8 Dey 1401, 4:52:54
to django-...@googlegroups.com
#25617: Disallow usernames that differ only in case in UserCreationForm
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Paul
Type: | Schilling
Cleanup/optimization | Status: closed
Component: contrib.auth | Version: dev
Severity: Normal | Resolution: fixed

Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"298d02a77a69321af8c0023df3250663e9d1362d" 298d02a7]:
{{{
#!CommitTicketReference repository=""
revision="298d02a77a69321af8c0023df3250663e9d1362d"
Fixed #25617 -- Added case-insensitive unique username validation in
UserCreationForm.

Co-Authored-By: Neven Mundar <nmu...@gmail.com>
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/25617#comment:20>
