#20675 closed Bug (fixed)
`ModelBackend.authenticate` raises an assertion error when no password is specified.
Reported by: | Simon Charette | Owned by: | Simon Charette |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Release blocker | Keywords: | |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The regression was introduced by 2c4fe761a0e2b28e2c5c3b4bc506ee06824a443d to allow blank passwords (#20593).
Prior to this change authenticate
returned None
when no password was specified.
Note that this affect version 1.6-beta-1 and master but I'm not sure this should be considered a release blocker.
I'm reporting because one of my testcases failed and I thought this change might have other side effects. We should at least raise a ValueError
with a description instead of a non-intuitive assertion error.
I'll write tests and a fix if this gets accepted in order to backport it.
Change History (6)
comment:1 by , 11 years ago
Severity: | Normal → Release blocker |
---|---|
Triage Stage: | Unreviewed → Accepted |
comment:4 by , 11 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
comment:5 by , 11 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
It's perfectly valid not to pass a
password
kwarg toauthenticate
, so I think this is a bug.As you noted, prior to the commit,
authenticate
would just move on to the next backend in the list, eventually returningNone
if no matching user was found.Now, the
ModelBackend
raises anAssertionError
and breaks the chain, rendering non-password-based backends unusable.Consequently, I think it's a release blocker.