[Django] #28127: Inconsistent Behavior in Auth with UserAttributeSimilarityValidator


Django

Apr 25, 2017, 3:11:08 PM4/25/17
to django-...@googlegroups.com
#28127: Inconsistent Behavior in Auth with UserAttributeSimilarityValidator
----------------------------------------+----------------------------
Reporter: jambonrose | Owner: jambonrose
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
----------------------------------------+----------------------------
I started a discussion on the developer mailing list for this topic:
https://groups.google.com/d/topic/django-developers/glrLyuPkiKs/discussion

Effectively, the user creation form and the password change form use the
`UserAttributeSimilarityValidator` differently. It is possible to create a
user via a subclass of Django's `UserCreationForm` with a password that
would be denied by the password change form. This is because the user
creation form only checks similarity against the `username` field. When
changing a password, the password is validated in similarity to
`username`, `first_name`, `last_name`, and `email`.

This seems highly undesirable.

The central cause is that the `ModelForm` superclass (of
`UserCreationForm`) hasn't yet created the `User` instance.
`UserCreationForm` manually adds `username` to the empty `User` instance
on line 105 to allow for user attribute validation. In the event a
developer subclasses `UserCreationForm`, then the form will still only
validate against the `username`, rather than all of the fields in the
form.

I will have a PR with a proposed fix (discussed in the mailing list)
shortly.

--
Ticket URL: <https://code.djangoproject.com/ticket/28127>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
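To see the inconsistency the ticket describes without a Django install, here is an added, stand-alone model of the similarity check (it mirrors the published defaults of `UserAttributeSimilarityValidator`: the four user attributes, the `\W+` split of each value, and a `SequenceMatcher.quick_ratio()` threshold of 0.7). It is example code, not Django's own code or the ticket's patch; the form data and the two `*_view` helpers are constructed to stand in for the user instance each form hands the validator.

```python
import re
from difflib import SequenceMatcher
from types import SimpleNamespace

# Defaults documented for UserAttributeSimilarityValidator (constructed model).
USER_ATTRIBUTES = ("username", "first_name", "last_name", "email")
MAX_SIMILARITY = 0.7


def similar_attributes(password, user, attributes=USER_ATTRIBUTES):
    """Return the user attributes the password is too similar to.

    Each value is split on non-word characters (so the local part of an
    e-mail address is compared on its own) and matched case-insensitively.
    """
    hits = []
    for attr in attributes:
        value = getattr(user, attr, None)
        if not value or not isinstance(value, str):
            continue
        for part in re.split(r"\W+", value) + [value]:
            ratio = SequenceMatcher(a=password.lower(), b=part.lower()).quick_ratio()
            if ratio >= MAX_SIMILARITY:
                hits.append(attr)
                break
    return hits


def creation_form_view(form_data):
    """Pre-fix UserCreationForm: only `username` is copied onto the instance."""
    return SimpleNamespace(username=form_data["username"])


def change_form_view(form_data):
    """Password change form: the validator sees the fully populated user."""
    return SimpleNamespace(**{a: form_data.get(a, "") for a in USER_ATTRIBUTES})


# Constructed sign-up submission whose password is derived from the last name.
FORM_DATA = {
    "username": "jsmith",
    "first_name": "Jonathan",
    "last_name": "Smithson",
    "email": "jonathan.smithson@example.com",
    "password1": "smithson99",
}


def demonstrate_inconsistency(form_data=FORM_DATA):
    """Return (attributes flagged at sign-up, attributes flagged at change)."""
    password = form_data["password1"]
    return (similar_attributes(password, creation_form_view(form_data)),
            similar_attributes(password, change_form_view(form_data)))
```

Run as a script, `demonstrate_inconsistency()` returns an empty list for sign-up (the validator never sees `last_name` or `email`) but flags both at password change, which is exactly the gap a subclassed `UserCreationForm` leaves open.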

Django

Apr 25, 2017, 5:00:25 PM4/25/17
to django-...@googlegroups.com
#28127: Inconsistent Behavior in Auth with UserAttributeSimilarityValidator
------------------------------+--------------------------------------
Reporter: jambonrose | Owner: jambonrose
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by jambonrose):

* has_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/28127#comment:1>

Django

Apr 25, 2017, 5:01:03 PM4/25/17
to django-...@googlegroups.com
#28127: Inconsistent Behavior in Auth with UserAttributeSimilarityValidator
------------------------------+--------------------------------------
Reporter: jambonrose | Owner: jambonrose
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------

Comment (by jambonrose):

Opened PR: https://github.com/django/django/pull/8408

--
Ticket URL: <https://code.djangoproject.com/ticket/28127#comment:2>

Django

Apr 25, 2017, 6:31:52 PM4/25/17
to django-...@googlegroups.com
#28127: Inconsistent Behavior in Auth with UserAttributeSimilarityValidator
------------------------------+--------------------------------------
Reporter: jambonrose | Owner: jambonrose
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by Tim Graham):

* stage: Unreviewed => Accepted

Django

Jun 14, 2017, 2:52:22 PM6/14/17
to django-...@googlegroups.com
#28127: Allow UserCreationForm's password validation to check all user fields
------------------------------+--------------------------------------
Reporter: jambonrose | Owner: jambonrose
Type: Bug | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by Tim Graham):

* needs_better_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/28127#comment:3>

Django

Jun 21, 2017, 9:44:42 AM6/21/17
to django-...@googlegroups.com
#28127: Allow UserCreationForm's password validation to check all user fields
------------------------------+--------------------------------------
Reporter: jambonrose | Owner: jambonrose
Type: Bug | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"a96b981d84367fd41b1df40adf3ac9ca71a741dd" a96b981d]:
{{{
#!CommitTicketReference repository=""
revision="a96b981d84367fd41b1df40adf3ac9ca71a741dd"
Fixed #28127 -- Allowed UserCreationForm's password validation to check
all user fields.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28127#comment:4>
