id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
14354	Check password is not None in User.check_password	berryp	laurentluce	"I recently had an unexpected situation where users with no passwords would receive an error when trying to login. This is due to the fact that the User.check_password method does not check for missing passwords before calling get_hexdigest. 

It could be argued that all users should either have a password or an unusable password ""!"". However, as I am authenticating against a database that belongs to another system it is not an option to go and change all empty passwords to unusable ones. I would not expect authentication to raise an exception in this occasion.

To get around this problem I simply inserted the following two lines at the top of the check_password function:

{{{
if self.password is None:
    return False
}}}

Additionally, would it not be a good idea to check that the password is not UNUSABLE_PASSWORD before trying to execute the code that checks the password? This would be a lot more elegant than executing code that is ultimately going to fail."		closed	contrib.auth	1.2		fixed			Accepted	1	0	0	0	0	0