AUTH_PASSWORD_VALIDATORS not used when creating new users?


Farhan Khan

Jun 27, 2016, 9:29:56 PM
to Django users
Hi all,

I set the AUTH_PASSWORD_VALIDATORS variable to the standard set here: https://docs.djangoproject.com/en/1.9/topics/auth/passwords/#enabling-password-validation. When I use the `createsuperuser` function in manage.py, my password must conform to the validators. But when I use User.objects.create_user() or the user.set_password() methods, the AUTH_PASSWORD_VALIDATORS is not used. I can literally set my password to 'a' and it's accepted.

Is this a bug? It seems like the validators should be used when creating a new user or setting the password.
Is there an alternative method to validate the password prior to creation?

I am using Django 1.9.7

Thanks!
---
Farhan Khan
PGP Fingerprint: 4A78 F071 5CB6 E771 B8D6 3910 F371 FE22 3B20 B21B

Tim Graham

Jun 28, 2016, 10:00:06 PM
to Django users
Validation happens in the management commands (createsuperuser, changepassword) as well as the user creation forms. We assume that if you're creating a user using the command line, you know what you're doing. If you want to open a documentation ticket, we could add a note about this.

Farhan Khan

Jun 28, 2016, 10:33:13 PM
to Django users
Even when I use User.objects.create_user() I am still not required to use a strong password. Considering that createsuperuser and changepassword are management commands, it seems odd that they require a password that conforms with AUTH_PASSWORD_VALIDATORS there, but not with a function I would use in production code.

Tim Graham

Jul 1, 2016, 7:44:56 PM
to Django users
Password validation doesn't run as part of Model.clean(), but Model.save() doesn't run validation (Model.clean()) anyway.

If you're interested, here's the password validation design decisions thread on django-developers: https://groups.google.com/d/topic/django-developers/9GBhgGXmEKs/discussion

Farhan Khan

Jul 2, 2016, 9:33:54 PM
to Django users
So then, how are password validators used? If it's just through the console using the 'createsuperuser' feature, what good is it?

James Schneider

Jul 3, 2016, 6:09:21 AM
to django...@googlegroups.com


On Jul 2, 2016 6:33 PM, "Farhan Khan" <kha...@gmail.com> wrote:
>
> So then, how are password validators used? If it's just through the console using the 'createsuperuser' feature, what good is it?
>

Primarily for use as validators in contrib.auth forms, which should be the common way you and your users interact with the contrib.auth modules.

-James
