[Django] #16919: Pass user to set_password_form in GET requests


Django

Sep 23, 2011, 10:12:14 AM
to django-...@googlegroups.com
#16919: Pass user to set_password_form in GET requests
--------------------------+------------------------------
Reporter: jaimeirurzun | Owner: nobody
Type: New feature | Status: new
Milestone: | Component: contrib.auth
Version: 1.3 | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Easy pickings: 0
UI/UX: 0 |
--------------------------+------------------------------
SetPasswordForm is being passed None on GET requests even though there is
always a user available at that point. This patch passes user, so you can
use it in the form constructor for whatever - e.g. populate initial with
values that depend on the user involved.

--
Ticket URL: <https://code.djangoproject.com/ticket/16919>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Sep 25, 2011, 2:37:33 AM
to django-...@googlegroups.com
#16919: Pass user to set_password_form in GET requests
----------------------------------------+------------------------------
Reporter: jaimeirurzun | Owner: nobody
Type: New feature | Status: new
Milestone: | Component: contrib.auth
Version: 1.3 | Severity: Normal
Resolution: | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
----------------------------------------+------------------------------
Changes (by aaugustin):

* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0


Comment:

Technically, the patch works.

However, I can't figure out a practical use case for prepopulating a
password field that doesn't have security issues. I'd like to make sure
this change doesn't encourage bad practices.

Could you explain what you're trying to achieve?

--
Ticket URL: <https://code.djangoproject.com/ticket/16919#comment:1>

Django

Sep 26, 2011, 3:56:00 PM
to django-...@googlegroups.com
#16919: Pass user to set_password_form in GET requests
----------------------------------------+------------------------------
Reporter: jaimeirurzun | Owner: nobody
Type: New feature | Status: new
Milestone: | Component: contrib.auth
Version: 1.3 | Severity: Normal
Resolution: | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
----------------------------------------+------------------------------

Comment (by jaimeirurzun):

I was also concerned about the security implications that this patch might
have when I wrote it, but given this only applies to the case in which the
token has already been validated, I can't think of any security hole.

Basically I have a custom SetPasswordForm in which I give the user the
opportunity to update a few fields from his profile that will be used in
the password reset logic, so I want to fill the initial values with his
current data, for which I need the user object.

--
Ticket URL: <https://code.djangoproject.com/ticket/16919#comment:2>

Django

Sep 26, 2011, 4:16:03 PM
to django-...@googlegroups.com
#16919: Pass user to set_password_form in GET requests
----------------------------------------+------------------------------
Reporter: jaimeirurzun | Owner: nobody
Type: New feature | Status: new
Milestone: | Component: contrib.auth
Version: 1.3 | Severity: Normal
Resolution: | Keywords:
Triage Stage: Accepted | Has patch: 1
Needs documentation: 0 | Needs tests: 1
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
----------------------------------------+------------------------------
Changes (by aaugustin):

* needs_tests: 0 => 1
* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/16919#comment:3>

Django

Dec 17, 2011, 3:51:01 PM
to django-...@googlegroups.com
#16919: Pass user to set_password_form in GET requests
------------------------------+------------------------------------
Reporter: jaimeirurzun | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: 1.3
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 1 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by ejucovy):

* cc: ethan.jucovy@… (added)


Comment:

I have another use case for this: rendering the user's name in the
`registration/password_reset_confirm.html` template.

Currently the `password_reset_confirm` view does not provide "user" as a
template context variable, nor even "uidb36" and "token". Since the form
also doesn't have the user object stored on a GET request, this means that
there's no way for the template to say "{% if validlink %} Hello, {{
user.username }} -- reset your password here {% endif %}" -- short of
forking the view, or some pretty hacky middleware that re-parses the
request URL and re-fetches the user from the given uid+token.

I see that the "needs_tests" flag is set on this ticket .. what sort of
test would be required for this patch to be merged?

--
Ticket URL: <https://code.djangoproject.com/ticket/16919#comment:4>

Django

Jan 21, 2012, 11:11:10 AM
to django-...@googlegroups.com
#16919: Pass user to set_password_form in GET requests
------------------------------+------------------------------------
Reporter: jaimeirurzun | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: 1.3
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by ejucovy):

* needs_tests: 1 => 0


Comment:

I've attached a new version of the patch including `auth.views` tests that
double as demonstration of a use case for this behavior.

--
Ticket URL: <https://code.djangoproject.com/ticket/16919#comment:5>

Django

Sep 6, 2013, 8:02:59 AM
to django-...@googlegroups.com
#16919: Pass user to set_password_form in GET requests
------------------------------+------------------------------------
Reporter: jaimeirurzun | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: 1.3
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------

Comment (by anonymous):

Another use case for this:

I can add "security question/answer" that user picks when registering and
extend SetPasswordForm with CharField labeled with question user picked.

--
Ticket URL: <https://code.djangoproject.com/ticket/16919#comment:6>

Django

Oct 2, 2013, 1:28:46 PM
to django-...@googlegroups.com
#16919: Pass user to set_password_form in GET requests
------------------------------+------------------------------------
Reporter: jaimeirurzun | Owner: nobody
Type: New feature | Status: closed
Component: contrib.auth | Version: 1.3
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: new => closed
* resolution: => fixed


Comment:

In [changeset:"1285ca67eba96045b4f6fe6f5c7fd6570571f1bd"]:
{{{
#!CommitTicketReference repository=""
revision="1285ca67eba96045b4f6fe6f5c7fd6570571f1bd"
Fixed #16919 -- Passed user to set_password_form in GET requests.

Thanks Jaime Irurzun for the report and initial patch and
ejucovy for the test.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/16919#comment:7>
