Check password is not None in User.check_password
Reported by: berryp
Owned by: laurentluce
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
I recently had an unexpected situation where users with no passwords would receive an error when trying to login. This is due to the fact that the User.check_password method does not check for missing passwords before calling get_hexdigest.
It could be argued that all users should either have a password or an unusable password "!". However, as I am authenticating against a database that belongs to another system, it is not an option to go and change all empty passwords to unusable ones. I would not expect authentication to raise an exception on this occasion.
To get around this problem I simply inserted the following two lines at the top of the check_password function:
    if self.password is None:
        return False
Additionally, would it not be a good idea to check that the password is not UNUSABLE_PASSWORD before trying to execute the code that checks the password? This would be a lot more elegant than executing code that is ultimately going to fail.
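As an added illustration (not the ticket's patch or Django's own code), the sketch below shows a simplified check_password in the old `algo$salt$hexdigest` style, once in the unguarded shape the ticket describes and once with the None and UNUSABLE_PASSWORD guards in front of the hash computation. The helper names, the stored-password layout and the sha1 algorithm are assumptions made for this example.

```python
import hashlib
import hmac

UNUSABLE_PASSWORD = "!"  # sentinel for accounts that must never log in


def get_hexdigest(algorithm, salt, raw_password):
    """Hash salt+password with the named algorithm (assumed old-style format)."""
    if algorithm != "sha1":
        raise ValueError("unsupported algorithm: %r" % algorithm)
    return hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()


def make_password(raw_password, salt="a1b2c3"):
    """Build a stored value in the assumed 'algo$salt$hexdigest' layout."""
    return "sha1$%s$%s" % (salt, get_hexdigest("sha1", salt, raw_password))


def check_password_unguarded(raw_password, enc_password):
    """Shape the ticket complains about: split first, so a missing
    password (None) raises AttributeError and '!' raises ValueError."""
    algo, salt, hsh = enc_password.split("$")
    return hsh == get_hexdigest(algo, salt, raw_password)


def check_password_guarded(raw_password, enc_password):
    """Return False early for missing or unusable passwords, then compare.
    A malformed stored value is also treated as a non-match rather than an error."""
    if enc_password is None or enc_password == UNUSABLE_PASSWORD:
        return False
    try:
        algo, salt, hsh = enc_password.split("$")
    except ValueError:
        return False
    # constant-time comparison of the two hex digests
    return hmac.compare_digest(hsh, get_hexdigest(algo, salt, raw_password))


if __name__ == "__main__":
    stored = make_password("s3cret")  # constructed sample credential
    print(check_password_guarded("s3cret", stored))   # True
    print(check_password_guarded("s3cret", None))     # False, no exception
    print(check_password_guarded("s3cret", "!"))      # False, no hashing done
```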
Change History (13)
comment:1 Changed 6 years ago by
Patch needs improvement: unset
Triage Stage: Unreviewed → Accepted