[Django] #27045: create_user and create_superuser do not enforce AUTH_PASSWORD_VALIDATORS


Django

Aug 10, 2016, 11:18:28 AM
to django-...@googlegroups.com
#27045: create_user and create_superuser do not enforce AUTH_PASSWORD_VALIDATORS
-------------------------------------+-------------------------------------
Reporter: chris-griffin | Owner: nobody
Type: Bug | Status: new
Component: Core (Management | Version: 1.9
commands) | Keywords:
Severity: Normal | AUTH_PASSWORD_VALIDATORS
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
According to this [https://groups.google.com/forum/#!searchin/django-users/AUTH_PASSWORD_VALIDATORS$20create_user%7Csort:relevance/django-users/3nL4cImH1Ls/JPVdlUX9CAAJ thread],
the create_user method does not enforce the password validators, which I
ran into while trying to unit test my validation settings. This seems quite
dangerous, especially since most validation in Django is normally on the
model level and many developers like myself may assume these management
commands would enforce these settings.

--
Ticket URL: <https://code.djangoproject.com/ticket/27045>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Aug 10, 2016, 11:46:12 AM
to django-...@googlegroups.com
#27045: Document that AUTH_PASSWORD_VALIDATORS doesn't apply to create_user() and
create_superuser()
-------------------------------------+-------------------------------------
Reporter: chris-griffin | Owner: timgraham
Type: | Status: assigned
Cleanup/optimization |
Component: Documentation | Version: 1.9
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
AUTH_PASSWORD_VALIDATORS |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* status: new => assigned
* needs_better_patch: => 0
* component: Core (Management commands) => Documentation
* needs_tests: => 0
* owner: nobody => timgraham
* needs_docs: => 0
* has_patch: 0 => 1
* type: Bug => Cleanup/optimization
* stage: Unreviewed => Accepted


Old description:

> According to this [https://groups.google.com/forum/#!searchin/django-users/AUTH_PASSWORD_VALIDATORS$20create_user%7Csort:relevance/django-users/3nL4cImH1Ls/JPVdlUX9CAAJ thread],
> the create_user method does not enforce the password validators, which I
> ran into while trying to unit test my validation settings. This seems quite
> dangerous, especially since most validation in Django is normally on the
> model level and many developers like myself may assume these management
> commands would enforce these settings.

New description:

According to this [https://groups.google.com/forum/#!searchin/django-users/AUTH_PASSWORD_VALIDATORS$20create_user%7Csort:relevance/django-users/3nL4cImH1Ls/JPVdlUX9CAAJ thread],
the `create_user()` method does not enforce the password validators, which I
ran into while trying to unit test my validation settings. This seems quite
dangerous, especially since most validation in Django is normally on the
model level and many developers like myself may assume these methods would
enforce these settings.

--

Comment:

Here's a documentation [https://github.com/django/django/pull/7057 PR] to
clarify the design decision about this.

--
Ticket URL: <https://code.djangoproject.com/ticket/27045#comment:1>

Django

Aug 10, 2016, 3:36:34 PM
to django-...@googlegroups.com
#27045: Document that AUTH_PASSWORD_VALIDATORS doesn't apply to create_user() and
create_superuser()
-------------------------------------+-------------------------------------
Reporter: chris-griffin | Owner: timgraham
Type: | Status: assigned
Cleanup/optimization |
Component: Documentation | Version: 1.9
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
AUTH_PASSWORD_VALIDATORS | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by claudep):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/27045#comment:2>

Django

Aug 10, 2016, 3:52:35 PM
to django-...@googlegroups.com
#27045: Document that AUTH_PASSWORD_VALIDATORS doesn't apply to create_user() and
create_superuser()
-------------------------------------+-------------------------------------
Reporter: chris-griffin | Owner: timgraham
Type: | Status: closed
Cleanup/optimization |
Component: Documentation | Version: 1.9
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
AUTH_PASSWORD_VALIDATORS | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by GitHub <noreply@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"796cc620269bcefa36e7bbf5f1a63855f00b8ea8" 796cc62]:
{{{
#!CommitTicketReference repository=""
revision="796cc620269bcefa36e7bbf5f1a63855f00b8ea8"
Fixed #27045 -- Documented that AUTH_PASSWORD_VALIDATORS aren't applied at
the model level.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/27045#comment:3>

Django

Aug 10, 2016, 3:52:57 PM
to django-...@googlegroups.com
#27045: Document that AUTH_PASSWORD_VALIDATORS doesn't apply to create_user() and
create_superuser()
-------------------------------------+-------------------------------------
Reporter: chris-griffin | Owner: timgraham
Type: | Status: closed
Cleanup/optimization |
Component: Documentation | Version: 1.9
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
AUTH_PASSWORD_VALIDATORS | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"3fff7d3abb295a7622fa6f4ab6ca6719b48beb9a" 3fff7d3a]:
{{{
#!CommitTicketReference repository=""
revision="3fff7d3abb295a7622fa6f4ab6ca6719b48beb9a"
[1.10.x] Fixed #27045 -- Documented that AUTH_PASSWORD_VALIDATORS aren't
applied at the model level.

Backport of 796cc620269bcefa36e7bbf5f1a63855f00b8ea8 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/27045#comment:4>
