[Django] #34429: Allow to set unusable password via admin UI
Django
-------------------------------------------+------------------------
Reporter: Tobias Bengfort | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: 4.1
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------------+------------------------
Django allows to have user accounts with unusable passwords, either
because authentication uses a different mechanism (e.g. LDAP) or because
the User object is still needed (e.g. because it is referenced by a
ForeignKey) but the user should no longer be allowed to log in.
However, this functionality is not available from the admin UI. When
creating a user or changing the password I am forced to enter a password.
I propose to make the password fields optional in the Admin UI and set an
unusable password if they are blank.
I am sorry if this has been discussed before. I looked before posting this
but could not find anything.
--
Ticket URL: <https://code.djangoproject.com/ticket/34429>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Reporter: Tobias Bengfort | Owner: nobody
Type: New feature | Status: new
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Mariusz Felisiak):
* version: 4.1 => dev
* stage: Unreviewed => Accepted
Comment:
Thanks for the ticket. I agree that it would nice to add an option to
create users with an unusable password in the admin, however, any implicit
logic can be confusing here (see
[https://code.djangoproject.com/ticket/4170#comment:4 comment]).
Therefore, I'm not in favor of your proposal to:
> ''... make the password fields optional in the Admin UI and set an
unusable password if they are blank.''
Maybe a checkbox in the "Add user" form e.g. ''"Usable password"''
(checked by default) that would hide password fields when unchecked 🤔, or
sth similar.
Tentatively accepted.
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:1>
Django
---------------------------------+------------------------------------
Reporter: Tobias Bengfort | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Changes (by Mariusz Felisiak):
* cc: Carlton Gibson, Sarah Boyce (added)
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:2>
Django
Reporter: Tobias Bengfort | Owner: Sahilll15
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Sahilll15):
* owner: nobody => Sahilll15
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:3>
Django
---------------------------------+-------------------------------------
Reporter: Tobias Bengfort | Owner: Sahilll15
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+-------------------------------------
Comment (by Sahilll15):
i am starting to work on the project
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:4>
Django
Reporter: Tobias Bengfort | Owner: fsbraun
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
* owner: SAHIL SANJAY CHALKE => fsbraun
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:5>
Django
Reporter: Tobias Bengfort | Owner: Fabian Braun
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Fabian Braun):
Have a working solution. Will add tests and create a PR.
The checkbox field is called "Allow login" to clearly indicate that users
w/o password will not be able to log in. Please let me know if "Usable
password" is deemed a better label.
The password fields are only visible and validated if the checkbox is set.
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:6>
Django
---------------------------------+----------------------------------------
Reporter: Tobias Bengfort | Owner: Fabian Braun
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+----------------------------------------
* has_patch: 0 => 1
Old description:
> Django allows to have user accounts with unusable passwords, either
> because authentication uses a different mechanism (e.g. LDAP) or because
> the User object is still needed (e.g. because it is referenced by a
> ForeignKey) but the user should no longer be allowed to log in.
>
> However, this functionality is not available from the admin UI. When
> creating a user or changing the password I am forced to enter a password.
>
> I propose to make the password fields optional in the Admin UI and set an
> unusable password if they are blank.
>
> I am sorry if this has been discussed before. I looked before posting
> this but could not find anything.
New description:
Django allows to have user accounts with unusable passwords, either
because authentication uses a different mechanism (e.g. LDAP) or because
the User object is still needed (e.g. because it is referenced by a
ForeignKey) but the user should no longer be allowed to log in.
However, this functionality is not available from the admin UI. When
creating a user or changing the password I am forced to enter a password.
I propose to make the password fields optional in the Admin UI and set an
unusable password if they are blank.
I am sorry if this has been discussed before. I looked before posting this
but could not find anything.
[https://github.com/django/django/pull/16942 PR]
--
Comment:
Patch here: https://github.com/django/django/pull/16942
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:7>
Django
---------------------------------+----------------------------------------
Reporter: Tobias Bengfort | Owner: Fabian Braun
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
---------------------------------+----------------------------------------
* needs_better_patch: 0 => 1
* needs_docs: 0 => 1
Comment:
[https://github.com/django/django/pull/16942 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:8>
Django
---------------------------------+----------------------------------------
Reporter: Tobias Bengfort | Owner: Fabian Braun
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+----------------------------------------
* needs_better_patch: 1 => 0
* needs_docs: 1 => 0
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:9>
Django
---------------------------------+----------------------------------------
Reporter: Tobias Bengfort | Owner: Fabian Braun
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
---------------------------------+----------------------------------------
Changes (by Fabian Braun):
* ui_ux: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:10>
Django
---------------------------------+----------------------------------------
Reporter: Tobias Bengfort | Owner: Fabian Braun
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 1
---------------------------------+----------------------------------------
* needs_better_patch: 0 => 1
* needs_tests: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:11>
Django
---------------------------------+----------------------------------------
Reporter: Tobias Bengfort | Owner: Fabian Braun
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
---------------------------------+----------------------------------------
* needs_better_patch: 1 => 0
* needs_tests: 1 => 0
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:12>
Django
---------------------------------+----------------------------------------
Reporter: Tobias Bengfort | Owner: Fabian Braun
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 1
---------------------------------+----------------------------------------
* needs_better_patch: 0 => 1
Comment:
Made many rounds of reviews, including a great conversation about UX of
this feature
([https://discord.com/channels/856567261900832808/859997770274045954/1174701788000178217
see Discord chat]).
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:13>
Django
| Braun
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
| checkin
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 1
Changes (by Natalia Bidart):
* stage: Accepted => Ready for checkin
Comment:
Multiple round of reviews later, and some further UI/UX, tests and docs
tweaks, this is ready for checkin! \o/
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:14>
Django
-------------------------------------+-------------------------------------
Reporter: Tobias Bengfort | Owner: Fabian
| Braun
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 1
-------------------------------------+-------------------------------------
In [changeset:"f64c528c17af91333fc6e96d91b5f13c0fb647d8" f64c528]:
{{{#!CommitTicketReference repository=""
revision="f64c528c17af91333fc6e96d91b5f13c0fb647d8"
Refs #34429 -- Created `SetPasswordMixin` to reuse password validation
logic in auth forms.
Co-authored-by: Natalia <124304+...@users.noreply.github.com>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:15>
Django
-------------------------------------+-------------------------------------
Reporter: Tobias Bengfort | Owner: Fabian
| Braun
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 1
-------------------------------------+-------------------------------------
Comment (by Natalia <124304+nessita@…>):
{{{#!CommitTicketReference repository=""
revision="8a757244f9e50c4d076e559e4b74b9d83ab089b6"
Refs #34429 -- Defined test user with unusable password for auth forms
tests.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:16>
Django
-------------------------------------+-------------------------------------
Reporter: Tobias Bengfort | Owner: Fabian
| Braun
Component: contrib.auth | Version: dev
Severity: Normal | Resolution: fixed
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 1
-------------------------------------+-------------------------------------
* resolution: => fixed
* status: assigned => closed
Comment:
In [changeset:"e626716c28b6286f8cf0f8174077f3d2244f3eb3" e626716c]:
{{{#!CommitTicketReference repository=""
revision="e626716c28b6286f8cf0f8174077f3d2244f3eb3"
Fixed #34429 -- Allowed setting unusable passwords for users in the auth
forms.
Co-authored-by: Natalia <124304+...@users.noreply.github.com>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:17>
Django
-------------------------------------+-------------------------------------
Reporter: Tobias Bengfort | Owner: Fabian
| Braun
Type: New feature | Status: closed
Component: contrib.auth | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 1
-------------------------------------+-------------------------------------
In [changeset:"0ebed5fa95f53b87383901bbd9341ef3c974344f" 0ebed5f]:
{{{#!CommitTicketReference repository=""
revision="0ebed5fa95f53b87383901bbd9341ef3c974344f"
Fixed #35678 -- Removed "usable_password" field from BaseUserCreationForm.
Refs #34429: Following the implementation allowing the setting of
unusable passwords via the admin site, the `BaseUserCreationForm` and
`UserCreationForm` were extended to include a new field for choosing
whether password-based authentication for the new user should be enabled
or disabled at creation time.
Given that these forms are designed to be extended when implementing
custom user models, this branch ensures that this new field is moved to
a new, admin-dedicated, user creation form `AdminUserCreationForm`.
Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3.
Thanks Simon Willison for the report, Fabian Braun and Sarah Boyce for
the review.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:18>
Django
-------------------------------------+-------------------------------------
Reporter: Tobias Bengfort | Owner: Fabian
| Braun
Type: New feature | Status: closed
Component: contrib.auth | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 1
-------------------------------------+-------------------------------------
{{{#!CommitTicketReference repository=""
revision="da22e6cb3cdb51f2f7ca45e1591d2c6a8be458e0"
[5.1.x] Fixed #35678 -- Removed "usable_password" field from
Refs #34429: Following the implementation allowing the setting of
unusable passwords via the admin site, the `BaseUserCreationForm` and
`UserCreationForm` were extended to include a new field for choosing
whether password-based authentication for the new user should be enabled
or disabled at creation time.
Given that these forms are designed to be extended when implementing
custom user models, this branch ensures that this new field is moved to
a new, admin-dedicated, user creation form `AdminUserCreationForm`.
Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3.
Thanks Simon Willison for the report, Fabian Braun and Sarah Boyce for
the review.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:19>
Django
-------------------------------------+-------------------------------------
Reporter: Tobias Bengfort | Owner: Fabian
| Braun
Type: New feature | Status: closed
Component: contrib.auth | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 1
-------------------------------------+-------------------------------------
{{{#!CommitTicketReference repository=""
revision="65bbdbd10b25700d1166b1a698e672a4695281bc"
Fixed #36354 -- Removed JavaScript workaround for browsers lacking
`:has()` CSS support.
This branch removes the JavaScript fallback added in the admin for the
add user and change password templates/flows (Refs #34429).
Django documents suport for "modern, web standards compliant browsers".
See https://caniuse.com/css-has for info on browser support per version.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/34429#comment:20>