Opened 14 years ago
Closed 13 years ago
#14674 closed Bug (fixed)
ResetPasswordForm doesn't consider unusable_password setting
Reported by: | Ivan Gromov | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | unusable_password, authorization, reset password, sprintnov13 |
Cc: | Łukasz Rekucki | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description
For example, users, who been logged in by LDAP, can change their password with django.contrib.auth.forms.PasswordResetForm
and become independent from LDAP server.
Attachments (4)
Change History (17)
by , 14 years ago
Attachment: | 14674.patch added |
---|
comment:1 by , 14 years ago
Has patch: | set |
---|
comment:2 by , 14 years ago
Owner: | changed from | to
---|
comment:3 by , 14 years ago
Component: | Uncategorized → Authentication |
---|---|
Needs tests: | set |
Owner: | changed from | to
Patch needs improvement: | set |
Triage Stage: | Unreviewed → Accepted |
The patch needs to also provide unit tests.
comment:4 by , 14 years ago
Patch is more or less the same as nessita's with the exception that it shows an error that the password cannot be changed for this account. Adds a test as an addition.
Doesn't have the docs of nessita's patch.
comment:5 by , 14 years ago
Needs tests: | unset |
---|
comment:6 by , 14 years ago
Keywords: | sprintnov13 added |
---|
comment:7 by , 14 years ago
The current patch changes a single query that populates self.user_cache
into to 2 queries that don't. I would suggest something in lines of:
if len(self.users_cache) == 0: raise forms.ValidationError(_("That e-mail address doesn't have an associated user account. Are you sure you've registered?")) if any((user.password == UNUSABLE_PASSWORD) for user in self.users_cache): raise forms.ValidationError(_("The user account associated with this email address cannot reset it's password."))
comment:8 by , 14 years ago
Cc: | added |
---|
comment:9 by , 14 years ago
lrekucki,
I like your patch but the 'any' function is part of python 2.5 and later.
I am not sure if 2 'count' queries or evaluating the queryset is recommended.
by , 14 years ago
Attachment: | ticket14674.diff added |
---|
follow-up: 11 comment:10 by , 14 years ago
Here's a patch. Lack of "any" isn't a problem, 'cause you can just turn in into 3 line loop... or add it to django.utils.itercompat
like I did (we have all(), so I don't see a reason why we shouldn't have any()). Anyway, after giving this more thought, this can cause trouble if someone used the PasswordResetForm as part of his registration process. I know at least one application that would be affected, but this may just be a misuse of this form.
comment:11 by , 14 years ago
Replying to lrekucki:
Lack of "any" isn't a problem, 'cause you can just turn in into 3 line loop... or add it to
django.utils.itercompat
like I did
FYI, I already added any() in r14563/r14565 with a simple and uncontroversial modification, feel free to pursue proposal of the bigger changes mods to itercompat you had implemented in your patch.
comment:12 by , 14 years ago
milestone: | 1.3 |
---|---|
Severity: | → Normal |
Type: | → Bug |
Excluded users with unusable password from ResetPasswordForm