Opened 7 years ago

Closed 6 years ago

Last modified 5 years ago

#13316 closed (fixed)

AuthenticationForm shouldn't prefill user's password on failure

Reported by: Wil Clouser
Owned by: Russell Keith-Magee
Component: contrib.auth
Version: master
Severity:
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

contrib.auth.forms.AuthenticationForm should be passing render_value=False to the PasswordInput widget to prevent incorrect passwords from being passed back to the page. I'm attaching a patch.

Attachments (2)

authform.diff (581 bytes) - added by Wil Clouser 7 years ago.
pass render_value=False to PasswordInput
forms_test.patch (1.1 KB) - added by Brandon M Height 7 years ago.
patch for django/contrib/auth/tests/forms.py


Change History (11)

Changed 7 years ago by Wil Clouser

Attachment: authform.diff added

pass render_value=False to PasswordInput

comment:1 Changed 7 years ago by Russell Keith-Magee

Needs tests: set
Owner: changed from nobody to Russell Keith-Magee
Status: new → assigned

comment:2 Changed 7 years ago by Russell Keith-Magee

milestone: 1.3
Triage Stage: Unreviewed → Accepted

Changed 7 years ago by Brandon M Height

Attachment: forms_test.patch added

patch for django/contrib/auth/tests/forms.py

comment:3 Changed 7 years ago by Brandon M Height

Needs tests: unset

comment:4 Changed 7 years ago by Chris Beaven

Triage Stage: Accepted → Ready for checkin

comment:5 Changed 7 years ago by Russell Keith-Magee

Resolution: fixed
Status: assigned → closed

(In [13178]) Fixed #13316 -- Added clarifying note about cross-database relations.

comment:6 Changed 7 years ago by Russell Keith-Magee

Resolution: fixed
Status: closed → reopened

Fat fingers - [13178] closed #13216, not this ticket.

comment:7 Changed 6 years ago by Russell Keith-Magee

Resolution: fixed
Status: reopened → closed

(In [13498]) Fixed #13316 -- Modified the default behavior of PasswordInput to prevent reflecting passwords on form failure. Thanks to clouserw for the report.

Although this changes nothing at a functional level, this is BACKWARDS INCOMPATIBLE from a UX perspective for anyone that wants passwords to be reflected to the user on form failure. See the 1.3 release notes for details.
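The behaviour at issue in the description and in comment:7, as an added example that is not part of the ticket, of the attached patches, or of Django's own code: a standalone re-implementation of the one semantic the ticket is about, whether a bound form writes the submitted password back into the rendered `<input type="password">` after a failed login. The widget, the simulated POST body and the `password_is_reflected` check are all constructed for this illustration and only mirror the `render_value` switch; the real `PasswordInput` has more attributes and options.

```python
"""Standalone illustration of the render_value behaviour discussed in
ticket #13316. Example code written for this page, not Django's
PasswordInput implementation; it mirrors only the render_value switch."""

from html import escape

# Constructed sample POST body: a login attempt with a mistyped password.
SUBMITTED_POST = {"username": "alice", "password": "hunter2"}


def render_password_input(name, value, render_value=False):
    """Render an <input type="password"> element.

    render_value=True reflects the submitted value into the value
    attribute. render_value=False (the default after [13498], per
    comment:7) omits it, so a wrong password never travels back to the
    browser in the response body, where it would otherwise sit in the
    DOM, in view-source, and in anything that logs or caches the page.
    """
    attrs = ['type="password"', f'name="{escape(name, quote=True)}"']
    if render_value and value is not None:
        # Escaped so a password containing quotes or angle brackets
        # cannot break out of the attribute.
        attrs.append(f'value="{escape(value, quote=True)}"')
    return "<input " + " ".join(attrs) + ">"


def render_failed_login(post, render_value):
    """Simulate the login form being re-rendered after authentication
    fails: the submitted data is bound to the form and rendered again."""
    return render_password_input("password", post.get("password"), render_value)


def password_is_reflected(html, password):
    """Regression check in the spirit of forms_test.patch: does the
    rendered form contain the submitted password? Compared in escaped
    form so it matches exactly what an HTML attribute would carry."""
    return escape(password, quote=True) in html


if __name__ == "__main__":
    for flag in (True, False):
        html = render_failed_login(SUBMITTED_POST, render_value=flag)
        print(f"render_value={flag}: {html}")
        print("  reflected:", password_is_reflected(html, SUBMITTED_POST["password"]))
```

With `render_value=True` the rendered input carries `value="hunter2"`; with `render_value=False` the element has no value attribute at all. The check function is the shape of test a project would keep after such a change: bind the failing data, render, and assert the secret is absent from the output. Note that the setting only stops the reflection in the page body; the password still went over the wire in the POST, so it does not replace TLS or any server-side handling.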

comment:8 Changed 6 years ago by Robert Lujo

Is ticket #10777 duplicate?

comment:9 Changed 5 years ago by Jacob

milestone: 1.3 → (none)

Milestone 1.3 deleted
