Check password is not None in User.check_password
| Reported by: | berryp | Owned by: | laurentluce |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
I recently had an unexpected situation where users with no passwords would receive an error when trying to log in. This is due to the fact that the User.check_password method does not check for missing passwords before calling get_hexdigest.
It could be argued that all users should either have a password or an unusable password "!". However, as I am authenticating against a database that belongs to another system, it is not an option to go and change all empty passwords to unusable ones. I would not expect authentication to raise an exception on this occasion.
To get around this problem I simply inserted the following line at the top of the check_password function:

    if self.password is None: return False
Additionally, would it not be a good idea to check that the password is not UNUSABLE_PASSWORD before trying to execute the code that checks the password? This would be a lot more elegant than executing code that is ultimately going to fail.
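As an added illustration (not the ticket's patch and not Django's own code), the following check_password fails closed for a None password, an empty password and the "!" unusable sentinel before any digest work is done. The stored format "algorithm$salt$hexdigest" and the get_hexdigest helper are assumptions modelled on the names in the ticket.

```python
import hashlib
import hmac

UNUSABLE_PASSWORD = "!"  # sentinel named in the ticket


def get_hexdigest(algorithm, salt, raw_password):
    """Hypothetical stand-in for the helper the ticket mentions.
    Assumes the digest is computed over salt + raw_password."""
    if algorithm == "sha1":
        return hashlib.sha1((salt + raw_password).encode()).hexdigest()
    if algorithm == "md5":
        return hashlib.md5((salt + raw_password).encode()).hexdigest()
    raise ValueError("unsupported algorithm: %r" % algorithm)


def make_stored_password(algorithm, salt, raw_password):
    """Build a stored value in the assumed 'algorithm$salt$hexdigest' form."""
    return "%s$%s$%s" % (algorithm, salt, get_hexdigest(algorithm, salt, raw_password))


class User:
    def __init__(self, password):
        self.password = password  # may be None when the row comes from another system

    def check_password(self, raw_password):
        # Guard proposed in the ticket: a missing password must fail, not raise.
        if self.password is None:
            return False
        # Second suggestion from the ticket: skip the digest code for an unusable password.
        if self.password == UNUSABLE_PASSWORD:
            return False
        parts = self.password.split("$")
        if len(parts) != 3:
            return False  # empty or malformed stored value: refuse rather than raise
        algorithm, salt, hexdigest = parts
        try:
            computed = get_hexdigest(algorithm, salt, raw_password)
        except ValueError:
            return False  # unknown algorithm is a failed login, not a server error
        # Constant-time comparison so the check does not leak where digests differ.
        return hmac.compare_digest(computed, hexdigest)
```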
Change History (13)
comment:1 Changed 3 years ago by gabrielhurley
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
- Triage Stage changed from Unreviewed to Accepted
comment:2 Changed 3 years ago by laurentluce
- milestone set to 1.3
- Owner changed from nobody to laurentluce
comment:8 Changed 3 years ago by russellm
- Resolution set to fixed
- Status changed from assigned to closed