[Django] #36140: UserCreationForm doesn't allow empty password even if password fields are specified as "not required"
68 views
Skip to first unread message
Django
Jan 26, 2025, 12:11:09 PM1/26/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Type: Bug
Status: new | Component: Forms
Version: 5.1 | Severity: Normal
Keywords: form | Triage Stage:
usercreationform validation | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
There was a change made to UserCreationForm (django.contrib.auth.forms) in
Django 5.1 which seems to require a password to be provided even if the
password1 / password2 fields are explicitly marked as required = False.
It looks like the validate_passwords() method is still being called even
if the fields are marked as required = False.
Please see this issue for the details:
https://stackoverflow.com/questions/79387857/django-5-1-usercreationform-
wont-allow-empty-passwords
--
Ticket URL: <https://code.djangoproject.com/ticket/36140>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Type: Bug
Status: new | Component: Forms
Version: 5.1 | Severity: Normal
Keywords: form | Triage Stage:
usercreationform validation | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
There was a change made to UserCreationForm (django.contrib.auth.forms) in
Django 5.1 which seems to require a password to be provided even if the
password1 / password2 fields are explicitly marked as required = False.
It looks like the validate_passwords() method is still being called even
if the fields are marked as required = False.
Please see this issue for the details:
https://stackoverflow.com/questions/79387857/django-5-1-usercreationform-
wont-allow-empty-passwords
--
Ticket URL: <https://code.djangoproject.com/ticket/36140>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Jan 27, 2025, 4:25:22 PM1/27/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
specified as "not required"
-------------------------------------+-------------------------------------
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Needs tests: 0 | Patch needs improvement: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):
* cc: Fabian Braun (added)
* component: Forms => contrib.auth
* easy: 1 => 0
* severity: Normal => Release blocker
* stage: Unreviewed => Accepted
Comment:
Hello buffgecko12, thank you for your report. I think you are correct,
this is a bug introduced in e626716c28b6286f8cf0f8174077f3d2244f3eb3 that
should be addressed. Would you like to work on a PR?
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:1>
Django
Jan 27, 2025, 10:49:25 PM1/27/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by buffgecko12):
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Hi Natalia!! This is exciting, I have never modified the Django code
before.
Do I just clone the Django Git repository, create / push my own branch to
it, and submit a pull request?
https://github.com/django/django.git
What is the general procedure?
Chris
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:2>
Django
Jan 28, 2025, 12:47:06 AM1/28/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Antoliny):
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
I think these documents will be helpful for you.
[https://docs.djangoproject.com/en/dev/intro/contributing/ Writing your
first contribution for Django]
[https://docs.djangoproject.com/en/dev/internals/contributing/writing-code
/submitting-patches/ Submitting contributions]
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:3>
Django
Jan 28, 2025, 11:41:45 PM1/28/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by buffgecko12):
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Thank you. Is there a timeline for when this bug needs to be fixed and a
PR submitted? Just to gauge if I am able to take this on or not.
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:4>
Django
Jan 29, 2025, 1:59:43 AM1/29/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Antoliny):
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Replying to [comment:4 buffgecko12]:
> Thank you. Is there a timeline for when this bug needs to be fixed and
a PR submitted? Just to gauge if I am able to take this on or not.
I'm not sure about the deadline. However, since this bug is a release
a PR submitted? Just to gauge if I am able to take this on or not.
blocker, I assume it might be a priority. (This is just my guess.)
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:5>
Django
Jan 29, 2025, 1:59:50 AM1/29/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Antoliny):
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* cc: Antoliny (added)
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:6>
Django
Jan 29, 2025, 4:11:53 AM1/29/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Antoliny):
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
I looked into this issue.
I think this issue occurs because when usable_password key is not present
in cleaned_data, the usable_password variable is set to True, causing the
validation to be performed.
{{{#!diff
diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index cd177fa5b6..caddd6a672 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -200,7 +200,8 @@ class SetUnusablePasswordMixin:
**kwargs,
):
usable_password = (
- self.cleaned_data.pop(usable_password_field_name, None) !=
"false"
+ (self.cleaned_data.get("password2", "") != "")
+ or (self.cleaned_data.pop(usable_password_field_name,
"false") != "false")
)
self.cleaned_data["set_usable_password"] = usable_password
}}}
I modified the default value as above and adjusted the usable_password
assignment value based on the presence of password2. I'm not sure if this
is the best solution, but I hope it helps you.
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:7>
Django
Jan 29, 2025, 4:28:13 AM1/29/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Antoliny):
This issue is related to passwords, I believe it should be designed as
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Antoliny):
defensively as possible.
Unless there is a clear intention from the user (such as having
usable_password set to None in the author's form), usable_password should
remain True. This aspect is not covered in the above changes.
{{{
if hasattr(self, "usable_password") and self.usable_password == None:
...
}}}
I think there might be another condition needed as well.
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:8>
Django
Jan 29, 2025, 6:41:55 AM1/29/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Gregory Mariani):
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
test in test_forms.UserCreationFormTest could be something like that:
{{{
def test_empty_passwords_with_required_false(self):
form_data = {
"username": "testuser",
# 'password1' et 'password2' are not given
}
form = self.form_class(data=form_data)
self.assertFalse(form.is_valid())
self.assertNotIn("password1", form.errors)
self.assertNotIn("password2", form.errors)
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:9>
Django
Jan 29, 2025, 6:57:53 AM1/29/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia Bidart):
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Replying to [comment:4 buffgecko12]:
> Thank you. Is there a timeline for when this bug needs to be fixed and
a PR submitted? Just to gauge if I am able to take this on or not.
ready by next week, when we have planned the next patch release for Django
5.1.
It's completely fine if you don't have time, me or someone else would grab
this since it's a priority to get solved. Let me know so I start working
on this!
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:10>
Django
Jan 29, 2025, 8:05:25 AM1/29/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by buffgecko12:
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Old description:
> There was a change made to UserCreationForm (django.contrib.auth.forms)
> in Django 5.1 which seems to require a password to be provided even if
> the password1 / password2 fields are explicitly marked as required =
> False. It looks like the validate_passwords() method is still being
> called even if the fields are marked as required = False.
>
> Please see this issue for the details:
>
> https://stackoverflow.com/questions/79387857/django-5-1-usercreationform-
> wont-allow-empty-passwords
There was a change made to UserCreationForm (django.contrib.auth.forms) in
Django 5.1 which seems to require a password to be provided even if the
password1 / password2 fields are explicitly marked as required = False.
It looks like the validate_passwords() method is still being called even
if the fields are marked as required = False.
Please see this issue for the details:
https://stackoverflow.com/questions/79387857/django-5-1-usercreationform-
wont-allow-empty-passwords
I tried responding to your comment but the webpage won't let me submit my
reply -- it says my submission is probably spam. Here's my response to
your comment:
''I would love to work on it, but I don't want to hold up the release.
Please go ahead.''
--
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:11>
Django
Jan 29, 2025, 8:11:24 AM1/29/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Antoliny):
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
If it's okay, can I work on this ticket?
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:12>
Django
Jan 29, 2025, 9:01:05 AM1/29/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia Bidart):
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Replying to [comment:12 Antoliny]:
> If it's okay, can I work on this ticket?
> Nessita, if you want to work on it, please feel free to do so. I'd be
happy to follow your lead!
I'm taking a look to have an idea of the fix but you I would love if you
work on this. Otherwise I could use another pair of eyes for what I'll
propose. Right now I'm inclined to change the `required=False` in
`create_usable_password_field` to be `required=True` and then tweak the
checks in `AdminPasswordChangeForm` and `AdminUserCreationForm`. With
that, which would be an "isolated" refactoring, there would be a second
commit considering the `required` in password validation.
What do you think?
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:13>
Django
Jan 29, 2025, 9:15:19 AM1/29/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Antoliny):
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: (none)
Type: Bug | Status: new
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Replying to [comment:13 Natalia Bidart]:
> Replying to [comment:12 Antoliny]:
> > If it's okay, can I work on this ticket?
> > Nessita, if you want to work on it, please feel free to do so. I'd be
happy to follow your lead!
>
> I'm taking a look to have an idea of the fix but you I would love if you
work on this. Otherwise I could use another pair of eyes for what I'll
propose. Right now I'm inclined to change the `required=False` in
`create_usable_password_field` to be `required=True` and then tweak the
checks in `AdminPasswordChangeForm` and `AdminUserCreationForm`. With
that, which would be an "isolated" refactoring, there would be a second
commit considering the `required` in password validation.
>
> What do you think?
I think it's a good approach. By changing `required` to `True`, the user
> > If it's okay, can I work on this ticket?
> > Nessita, if you want to work on it, please feel free to do so. I'd be
happy to follow your lead!
>
> I'm taking a look to have an idea of the fix but you I would love if you
work on this. Otherwise I could use another pair of eyes for what I'll
propose. Right now I'm inclined to change the `required=False` in
`create_usable_password_field` to be `required=True` and then tweak the
checks in `AdminPasswordChangeForm` and `AdminUserCreationForm`. With
that, which would be an "isolated" refactoring, there would be a second
commit considering the `required` in password validation.
>
> What do you think?
will be able to clearly express their intent regarding the
`unusable_password`.
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:14>
Django
Jan 29, 2025, 1:28:10 PM1/29/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
specified as "not required"
-------------------------------------+-------------------------------------
| Bidart
Type: Bug | Status: assigned
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* owner: (none) => Natalia Bidart
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:15>
Django
Jan 29, 2025, 5:11:10 PM1/29/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: assigned
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 1 | Needs documentation: 0
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: assigned
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):
* has_patch: 0 => 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:16>
Django
Jan 30, 2025, 5:06:14 PM1/30/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: assigned
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia Bidart):
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: assigned
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Accepted
usercreationform validation |
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
@buffgecko12, could you please confirm if the proposed solution in
[https://github.com/django/django/pull/19119 this PR] solves your issue?
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:17>
Django
Jan 31, 2025, 7:09:25 AM1/31/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: assigned
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Ready for
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: assigned
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
usercreationform validation | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* stage: Accepted => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:18>
Django
Jan 31, 2025, 8:20:31 AM1/31/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: assigned
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Ready for
usercreationform validation | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by buffgecko12):
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: assigned
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Ready for
usercreationform validation | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Yes, from a visual inspection it looks good.
How do I test the fix in my application? Do I just copy the new
`django/contrib/auth/forms.py` file into my django directory?
I already have code in my application to work around the bug, so I'd need
a little time to update the code and test as well.
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:19>
Django
Feb 1, 2025, 8:45:05 PM2/1/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: assigned
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Ready for
usercreationform validation | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia Bidart):
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: assigned
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: form | Triage Stage: Ready for
usercreationform validation | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Replying to [comment:19 buffgecko12]:
> Yes, from a visual inspection it looks good.
>
> How do I test the fix in my application? Do I just copy the new
`django/contrib/auth/forms.py` file into my django directory?
You can use a virtual env with Django installed via `pip install -e`, see
>
> How do I test the fix in my application? Do I just copy the new
`django/contrib/auth/forms.py` file into my django directory?
further docs in
[https://docs.djangoproject.com/en/dev/intro/contributing/#getting-a-copy-
of-django-s-development-version this link].
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:20>
Django
Feb 1, 2025, 8:49:16 PM2/1/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: closed
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution: fixed
Keywords: form | Triage Stage: Ready for
usercreationform validation | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by GitHub <noreply@…>):
usercreationform validation | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* resolution: => fixed
* status: assigned => closed
Comment:
In [changeset:"d15454a6e84a595ffc8dc1b926282f484f782a8f" d15454a]:
{{{#!CommitTicketReference repository=""
revision="d15454a6e84a595ffc8dc1b926282f484f782a8f"
Fixed #36140 -- Allowed BaseUserCreationForm to define non required
password fields.
Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3.
Thanks buffgecko12 for the report and Sarah Boyce for the review.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:21>
Django
Feb 1, 2025, 8:50:52 PM2/1/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: closed
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution: fixed
Keywords: form | Triage Stage: Ready for
usercreationform validation | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia <124304+nessita@…>):
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: closed
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution: fixed
Keywords: form | Triage Stage: Ready for
usercreationform validation | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
In [changeset:"affad13d0c56184e2089cd7e8ecd80dd4217f6c4" affad13]:
{{{#!CommitTicketReference repository=""
revision="affad13d0c56184e2089cd7e8ecd80dd4217f6c4"
[5.2.x] Fixed #36140 -- Allowed BaseUserCreationForm to define non
required password fields.
Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3.
Thanks buffgecko12 for the report and Sarah Boyce for the review.
Backport of d15454a6e84a595ffc8dc1b926282f484f782a8f from main.
Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3.
Thanks buffgecko12 for the report and Sarah Boyce for the review.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:22>
Django
Feb 1, 2025, 8:51:42 PM2/1/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: closed
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution: fixed
Keywords: form | Triage Stage: Ready for
usercreationform validation | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia <124304+nessita@…>):
In [changeset:"8552eef95e400d5bad3261b28ad2500b57070d57" 8552eef]:
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: closed
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution: fixed
Keywords: form | Triage Stage: Ready for
usercreationform validation | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia <124304+nessita@…>):
{{{#!CommitTicketReference repository=""
revision="8552eef95e400d5bad3261b28ad2500b57070d57"
[5.1.x] Fixed #36140 -- Allowed BaseUserCreationForm to define non
required password fields.
Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3.
Thanks buffgecko12 for the report and Sarah Boyce for the review.
Backport of d15454a6e84a595ffc8dc1b926282f484f782a8f from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:23>
Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3.
Thanks buffgecko12 for the report and Sarah Boyce for the review.
Backport of d15454a6e84a595ffc8dc1b926282f484f782a8f from main.
}}}
--
Django
Feb 2, 2025, 3:02:09 PM2/2/25
to django-...@googlegroups.com
#36140: UserCreationForm doesn't allow empty password even if password fields are
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: closed
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution: fixed
Keywords: form | Triage Stage: Ready for
usercreationform validation | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by GitHub <noreply@…>):
specified as "not required"
-------------------------------------+-------------------------------------
Reporter: buffgecko12 | Owner: Natalia
| Bidart
Type: Bug | Status: closed
Component: contrib.auth | Version: 5.1
Severity: Release blocker | Resolution: fixed
Keywords: form | Triage Stage: Ready for
usercreationform validation | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
In [changeset:"328d54f0b164fccbbecd67111040f6ef55760900" 328d54f]:
{{{#!CommitTicketReference repository=""
revision="328d54f0b164fccbbecd67111040f6ef55760900"
[5.1.x] Refs #36140 -- Added missing import in
django/contrib/auth/forms.py.
Follow up to 8552eef95e400d5bad3261b28ad2500b57070d57.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36140#comment:24>
Reply all
Reply to author
Forward
0 new messages