Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#13316 closed (fixed)

AuthenticationForm shouldn't prefill user's password on failure

Reported by: clouserw
Owned by: russellm
Component: contrib.auth
Version: master
Severity:
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

contrib.auth.forms.AuthenticationForm should be passing render_value=False to the PasswordInput widget to prevent incorrect passwords from being passed back to the page. I'm attaching a patch.

Attachments (2)

authform.diff (581 bytes) - added by clouserw 5 years ago.
pass render_value=False to PasswordInput
forms_test.patch (1.1 KB) - added by lasko 5 years ago.
patch for django/contrib/auth/tests/forms.py

Change History (11)

Changed 5 years ago by clouserw

pass render_value=False to PasswordInput

comment:1 Changed 5 years ago by russellm

  • Needs documentation unset
  • Needs tests set
  • Owner changed from nobody to russellm
  • Patch needs improvement unset
  • Status changed from new to assigned

comment:2 Changed 5 years ago by russellm

  • milestone set to 1.3
  • Triage Stage changed from Unreviewed to Accepted

Changed 5 years ago by lasko

patch for django/contrib/auth/tests/forms.py

comment:3 Changed 5 years ago by lasko

  • Needs tests unset

comment:4 Changed 5 years ago by SmileyChris

  • Triage Stage changed from Accepted to Ready for checkin

comment:5 Changed 5 years ago by russellm

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [13178]) Fixed #13316 -- Added clarifying note about cross-database relations.

comment:6 Changed 5 years ago by russellm

  • Resolution fixed deleted
  • Status changed from closed to reopened

Fat fingers - [13178] closed #13216, not this ticket.

comment:7 Changed 5 years ago by russellm

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [13498]) Fixed #13316 -- Modified the default behavior of PasswordInput to prevent reflecting passwords on form failure. Thanks to clouserw for the report.

Although this changes nothing at a functional level, this is BACKWARDS INCOMPATIBLE from a UX perspective for anyone that wants passwords to be reflected to the user on form failure. See the 1.3 release notes for details.

comment:8 Changed 5 years ago by trebor74hr

Is ticket #10777 a duplicate?

comment:9 Changed 4 years ago by jacob

  • milestone 1.3 deleted

Milestone 1.3 deleted
