Opened 9 years ago
Closed 23 months ago
#25617 closed Cleanup/optimization (fixed)
Disallow usernames that differ only in case in UserCreationForm
Reported by: | Tim Graham | Owned by: | Paul Schilling |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | zachborboa@…, nmundar@…, berker.peksag@…, Kye Russell, René Fleschenberg | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Most applications don't treat user names as case sensitive. While we can't treat usernames as case-insensitive everywhere in Django due to backwards compatibility (#2273), by using username__iexact
when checking for uniqueness of new usernames in UserCreationForm
, we can at least prevent the creation of new usernames that differ only in case from an existing one. This protection won't cover creating a user in the shell or through the createsuperuser
management command, but I don't think this is critical.
This wouldn't affect any usernames that already exist, and users will still need to login with the same case that they register with.
Attachments (1)
Change History (21)
comment:1 by , 9 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:2 by , 9 years ago
Cc: | added |
---|
comment:3 by , 9 years ago
Cc: | added |
---|---|
Owner: | changed from | to
Status: | new → assigned |
by , 9 years ago
Attachment: | ticket_25617.patch added |
---|
comment:4 by , 9 years ago
comment:5 by , 9 years ago
Has patch: | set |
---|
comment:9 by , 9 years ago
Patch needs improvement: | unset |
---|
It's fixed now, stupid mistake. Previous form data that I've used didn't trigger password length validation.
comment:10 by , 9 years ago
Patch needs improvement: | set |
---|
comment:11 by , 9 years ago
Cc: | added |
---|
Looking at https://github.com/django/django/pull/5572 again, I'd suggest the following API:
- Adding a
clean_username
method would makeUserCreationForm
less subclass friendly. I'd suggest renameUserCreationForm
toBaseUserCreationForm
and document it as a preferred way to extend user creation form - Add a
clean_username
method toUserCreationForm
(it will be a subclass ofBaseUserCreationForm
)
Thoughts?
comment:12 by , 6 years ago
Cc: | added |
---|
comment:13 by , 6 years ago
Cc: | added |
---|
comment:14 by , 2 years ago
Owner: | removed |
---|---|
Status: | assigned → new |
comment:15 by , 2 years ago
Owner: | set to |
---|---|
Status: | new → assigned |
comment:16 by , 2 years ago
Patch needs improvement: | unset |
---|
comment:17 by , 2 years ago
Needs documentation: | set |
---|---|
Needs tests: | set |
Patch needs improvement: | set |
comment:18 by , 2 years ago
Needs documentation: | unset |
---|---|
Needs tests: | unset |
Patch needs improvement: | unset |
comment:19 by , 23 months ago
Triage Stage: | Accepted → Ready for checkin |
---|
It's possible to achieve the effect described in this ticket by raising ValidationError in UserCreationForm.clean_username. However, this introduces one additional side-effect in tests of password validation logic. UserAttributeSimilarityValidator will not be able to check if username is similar to password because previously raised ValidationError will make username attribute None in password validator and "The password is too similar to the username." message will be missing from error list. Since the username in this case has to be changed anyway, omitting this message may not be relevant because password similarity check makes sense only on valid usernames. That's the explanation why auth_tests.test_forms.UserCreationFormTest.test_validates_password has to be tweaked in the patch.