Opened 15 years ago

Closed 14 years ago

Last modified 13 years ago

#13316 closed (fixed)

AuthenticationForm shouldn't prefill user's password on failure

Reported by: Wil Clouser Owned by: Russell Keith-Magee
Component: contrib.auth Version: dev
Severity: Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

contrib.auth.forms.AuthenticationForm should be passing render_value=False to the PasswordInput widget to prevent incorrect passwords from being passed back to the page. I'm attaching a patch.

Attachments (2)

authform.diff (581 bytes ) - added by Wil Clouser 15 years ago.
pass render_value=False to PasswordInput
forms_test.patch (1.1 KB ) - added by Brandon M Height 15 years ago.
patch for django/contrib/auth/tests/forms.py

Download all attachments as: .zip

Change History (11)

by Wil Clouser, 15 years ago

Attachment: authform.diff added

pass render_value=False to PasswordInput

comment:1 by Russell Keith-Magee, 15 years ago

Needs tests: set
Owner: changed from nobody to Russell Keith-Magee
Status: newassigned

comment:2 by Russell Keith-Magee, 15 years ago

milestone: 1.3
Triage Stage: UnreviewedAccepted

by Brandon M Height, 15 years ago

Attachment: forms_test.patch added

patch for django/contrib/auth/tests/forms.py

comment:3 by Brandon M Height, 15 years ago

Needs tests: unset

comment:4 by Chris Beaven, 15 years ago

Triage Stage: AcceptedReady for checkin

comment:5 by Russell Keith-Magee, 15 years ago

Resolution: fixed
Status: assignedclosed

(In [13178]) Fixed #13316 -- Added clarifying note about cross-database relations.

comment:6 by Russell Keith-Magee, 15 years ago

Resolution: fixed
Status: closedreopened

Fat fingers - [13178] closed #13216, not this ticket.

comment:7 by Russell Keith-Magee, 14 years ago

Resolution: fixed
Status: reopenedclosed

(In [13498]) Fixed #13316 -- Modified the default behavior of PasswordInput to prevent reflecting passwords on form failure. Thanks to clouserw for the report.

Although this changes nothing at a functional level, this is BACKWARDS INCOMPATIBLE from a UX perspective for anyone that wants passwords to be reflected to the user on form failure. See the 1.3 release notes for details.

comment:8 by Robert Lujo, 14 years ago

Is ticket #10777 duplicate?

comment:9 by Jacob, 13 years ago

milestone: 1.3

Milestone 1.3 deleted

Note: See TracTickets for help on using tickets.
Back to Top