Disallow usernames that differ only in case in UserCreationForm
Most applications don't treat usernames as case sensitive. While we can't treat usernames as case-insensitive everywhere in Django due to backwards compatibility (#2273), by using username__iexact when checking for uniqueness of new usernames in UserCreationForm, we can at least prevent the creation of new usernames that differ only in case from an existing one. This protection won't cover creating a user in the shell or through the createsuperuser management command, but I don't think this is critical.
This wouldn't affect any usernames that already exist, and users will still need to log in with the same case that they registered with.
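As an added example (not Django's code or the ticket's patch), the standard-library sqlite3 script below models the case-insensitive uniqueness check the ticket proposes, plus a database-level unique index that would also cover the shell and createsuperuser paths the description leaves out. The table, rows and function names are constructed here; the LIKE form is how Django's SQLite backend renders an iexact lookup, and the comments note where SQLite's ASCII-only case folding limits it.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the auth_user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT UNIQUE)")
    conn.executemany("INSERT INTO auth_user (username) VALUES (?)",
                     [("Alice",), ("Émile",)])
    return conn

def username_taken_iexact(conn, username):
    """filter(username__iexact=username).exists(), as Django's SQLite backend
    renders it: a LIKE comparison with the wildcards % and _ escaped."""
    pattern = (username.replace("\\", "\\\\")
                       .replace("%", "\\%")
                       .replace("_", "\\_"))
    row = conn.execute(
        "SELECT 1 FROM auth_user WHERE username LIKE ? ESCAPE '\\' LIMIT 1",
        (pattern,),
    ).fetchone()
    return row is not None

def username_taken_casefold(conn, username):
    """Python-side comparison with full Unicode case folding. SQLite's LIKE
    only folds ASCII letters, so 'émile' vs 'Émile' slips past the query
    above on a plain SQLite build; this catches it."""
    wanted = username.casefold()
    rows = conn.execute("SELECT username FROM auth_user")
    return any(existing.casefold() == wanted for (existing,) in rows)

def clean_username(conn, username):
    """Form-level check in the spirit of UserCreationForm.clean_username:
    reject a username that differs only in case from an existing one."""
    if username_taken_iexact(conn, username) or username_taken_casefold(conn, username):
        raise ValueError("A user with that username already exists.")
    return username

def add_case_insensitive_unique_index(conn):
    """Database-level enforcement, which also covers the shell and
    createsuperuser paths the form check does not. Expression indexes
    need SQLite 3.9+, and lower() here is ASCII-only like LIKE."""
    conn.execute(
        "CREATE UNIQUE INDEX auth_user_username_ci ON auth_user (lower(username))"
    )
```

After the index exists, inserting 'ALICE' next to 'Alice' fails with an IntegrityError regardless of which code path performs the insert.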
Change History (21)

| Field | Change |
|---|---|
| Triage Stage | Unreviewed → Accepted |
| Cc | nmundar@… added |
| Owner | changed from nobody to Neven Munđar |
| Status | new → assigned |
| Patch needs improvement | set |
| Patch needs improvement | unset |
| Patch needs improvement | set |
| Cc | berker.peksag@… added |
| Cc | René Fleschenberg added |
| Owner | Neven Munđar removed |
| Status | assigned → new |
| Owner | set to Paul Schilling |
| Status | new → assigned |
| Patch needs improvement | unset |
| Needs documentation | set |
| Needs tests | set |
| Patch needs improvement | set |
| Needs documentation | unset |
| Needs tests | unset |
| Patch needs improvement | unset |
| Triage Stage | Accepted → Ready for checkin |
| Resolution | → fixed |
| Status | assigned → closed |
It's possible to achieve the effect described in this ticket by raising ValidationError in UserCreationForm.clean_username. However, this introduces one additional side effect in tests of the password validation logic. UserAttributeSimilarityValidator will not be able to check if the username is similar to the password, because the previously raised ValidationError will make the username attribute None in the password validator, and the "The password is too similar to the username." message will be missing from the error list. Since the username in this case has to be changed anyway, omitting this message may not be relevant, because the password similarity check makes sense only on valid usernames. That's why auth_tests.test_forms.UserCreationFormTest.test_validates_password has to be tweaked in the patch.