﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28728	Make validate_password() require a user instance	Jaap Roes	nobody	"While implementing a user registration flow using django-rest-framework and djoser, I noticed that not all the password validators were behaving as expected.

In particular, Django's `UserAttributeSimilarityValidator` (which is in the list of default validators). It turns out this is because `validate_password` is called with just the passwords to be validated, omitting the user instance this password is validated for.

Apparently omitting a user instance is allowed by design, the docs for `validate_password` state:

  The user object is optional: if it's not provided, some validators may not be able to perform any validation and will accept any password.

If `validate_password` is unable to properly validate a password without the user instance, then shouldn't that parameter be required? As it stands now the behaviour is wholly unexpected from an end user's point of view. Neither `validate_password` nor `UserAttributeSimilarityValidator` warn about being unable to do their job. This makes it very easy to overlook that some validation is not taking place.

Would adding a warning to `UserAttributeSimilarityValidator` or even a deprecation process for calling `validate_password` without a user instance be warranted?
"	Cleanup/optimization	closed	contrib.auth	dev	Normal	wontfix	password validation requires user		Unreviewed	0	0	0	0	0	0
