Unable to access User record in the admin if the user has an unmanageable password
If the user has an unmanageable password (i.e. no hashers found), ReadOnlyPasswordHashWidget re-raises ValueError up to the UI. This prevents access to the user record if the form contains ReadOnlyPasswordHashWidget (admin). This also happens for a blank password. If the system uses a custom backend with external authentication, there is no reason for Django to know the password algorithm, but it should still be possible to access the user record.
The patch simply surrounds the involved lines in ReadOnlyPasswordHashWidget.render() and displays an 'Unknown password hashing algorithm' message instead.
Not sure if the message could be improved/changed.
Change History (17)
Type: Uncategorized → Bug
Needs tests: set
Severity: Normal → Release blocker
Triage Stage: Unreviewed → Accepted
Owner: changed from nobody to Stefano Apostolico
Version: 1.4-beta-1 → 1.4-rc-2
Triage Stage: Accepted → Ready for checkin
Resolution: → fixed
Status: new → closed
Has patch: unset
Resolution: fixed
Status: closed → reopened
Triage Stage: Ready for checkin → Accepted
Owner: changed from Stefano Apostolico to Aymeric Augustin
Status: reopened → new
Owner: changed from Aymeric Augustin to nobody
Severity: Release blocker → Normal
Owner: changed from nobody to Aymeric Augustin
Severity: Normal → Release blocker
Owner: changed from Aymeric Augustin to Claude Paroz
Resolution: → fixed
Status: new → closed
This is definitely a release-blocking regression, thanks for the report.
Patch looks good to me except that the "except" clause captures the exception when it has no use for it (and uses the old syntax to do so); the ",e" should just be removed.
And it needs a test.
This violates the string freeze, but I don't see any good alternative. Having this fixed with an untranslated message in 1.4 is better than not having it fixed.
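The failure and the fix discussed in this ticket, as an added stand-alone example that is neither Django's code nor the attached patch. HASHERS, identify_hasher, summarize and both render functions are hypothetical names, the masking format is an assumption, and the sample values are constructed.

```python
# Stand-alone model of the ticket's failure mode; not Django's implementation.
# HASHERS, identify_hasher, summarize and both render functions are hypothetical.
from html import escape

HASHERS = {"pbkdf2_sha256", "sha1"}  # assumed set of configured algorithms


def identify_hasher(encoded):
    """Return the algorithm prefix, or raise ValueError if none is configured."""
    algorithm = encoded.split("$", 1)[0]
    if algorithm not in HASHERS:
        raise ValueError("Unknown password hashing algorithm %r" % algorithm)
    return algorithm


def summarize(encoded):
    """Describe a stored hash without exposing the salt or digest in full."""
    algorithm = identify_hasher(encoded)
    parts = encoded.split("$")[1:]
    masked = [p[:2] + "*" * max(len(p) - 2, 0) for p in parts]
    return [("algorithm", algorithm)] + [
        ("part %d" % i, m) for i, m in enumerate(masked, 1)
    ]


def render_before(encoded):
    """Behaviour reported in the ticket: the ValueError reaches the page."""
    return "".join(
        "<b>%s</b>: %s " % (escape(k), escape(v)) for k, v in summarize(encoded)
    )


def render_after(encoded):
    """Behaviour after the fix: show a fixed message, keep the form usable."""
    try:
        return render_before(encoded)
    except ValueError:  # the exception object is not needed, so it is not bound
        # Fixed text only: the stored value is never echoed into the page.
        return "<b>Unknown password hashing algorithm</b>"


# Constructed samples: a known format, a blank password, and a marker such as
# an external authentication backend might store in the password field.
SAMPLES = ["pbkdf2_sha256$10000$abcdef$0123456789", "", "!external-sso"]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", render_after(value))
```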