Opened 9 years ago

Closed 2 years ago

#25617 closed Cleanup/optimization (fixed)

Disallow usernames that differ only in case in UserCreationForm

Reported by: Tim Graham Owned by: Paul Schilling
Component: contrib.auth Version: dev
Severity: Normal Keywords:
Cc: zachborboa@…, nmundar@…, berker.peksag@…, Kye Russell, René Fleschenberg Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Most applications don't treat user names as case sensitive. While we can't treat usernames as case-insensitive everywhere in Django due to backwards compatibility (#2273), by using username__iexact when checking for uniqueness of new usernames in UserCreationForm, we can at least prevent the creation of new usernames that differ only in case from an existing one. This protection won't cover creating a user in the shell or through the createsuperuser management command, but I don't think this is critical.

This wouldn't affect any usernames that already exist, and users will still need to login with the same case that they register with.

Attachments (1)

ticket_25617.patch (2.1 KB ) - added by Neven Munđar 9 years ago.

Download all attachments as: .zip

Change History (21)

comment:1 by Claude Paroz, 9 years ago

Triage Stage: UnreviewedAccepted

comment:2 by Zach Borboa, 9 years ago

Cc: zachborboa@… added

comment:3 by Neven Munđar, 9 years ago

Cc: nmundar@… added
Owner: changed from nobody to Neven Munđar
Status: newassigned

by Neven Munđar, 9 years ago

Attachment: ticket_25617.patch added

comment:4 by Neven Munđar, 9 years ago

It's possible to achieve the effect described in this ticket by raising ValidationError in UserCreationForm.clean_username. However, this introduces one additional side-effect in tests of password validation logic. UserAttributeSimilarityValidator will not be able to check if username is similar to password because previously raised ValidationError will make username attribute None in password validator and "The password is too similar to the username." message will be missing from error list. Since the username in this case has to be changed anyway, omitting this message may not be relevant because password similarity check makes sense only on valid usernames. That's the explanation why auth_tests.test_forms.UserCreationFormTest.test_validates_password has to be tweaked in the patch.

comment:5 by Neven Munđar, 9 years ago

Has patch: set

comment:6 by Tim Graham, 9 years ago

Are you able to convert the patch into a pull request?

comment:8 by Tim Graham, 9 years ago

Patch needs improvement: set

There's a test failure.

comment:9 by Neven Munđar, 9 years ago

Patch needs improvement: unset

It's fixed now, stupid mistake. Previous form data that I've used didn't trigger password length validation.

comment:10 by Tim Graham, 9 years ago

Patch needs improvement: set

comment:11 by Berker Peksag, 9 years ago

Cc: berker.peksag@… added

Looking at https://github.com/django/django/pull/5572 again, I'd suggest the following API:

  • Adding a clean_username method would make UserCreationForm less subclass friendly. I'd suggest rename UserCreationForm to BaseUserCreationForm and document it as a preferred way to extend user creation form
  • Add a clean_username method to UserCreationForm (it will be a subclass of BaseUserCreationForm)

Thoughts?

comment:12 by Kye Russell, 6 years ago

Cc: Kye Russell added

comment:13 by René Fleschenberg, 6 years ago

Cc: René Fleschenberg added

comment:14 by Mariusz Felisiak, 2 years ago

Owner: Neven Munđar removed
Status: assignednew

comment:15 by Paul Schilling, 2 years ago

Owner: set to Paul Schilling
Status: newassigned

comment:16 by Jacob Walls, 2 years ago

Patch needs improvement: unset

comment:17 by Mariusz Felisiak, 2 years ago

Needs documentation: set
Needs tests: set
Patch needs improvement: set

comment:18 by Jacob Walls, 2 years ago

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset

comment:19 by Mariusz Felisiak, 2 years ago

Triage Stage: AcceptedReady for checkin

comment:20 by Mariusz Felisiak <felisiak.mariusz@…>, 2 years ago

Resolution: fixed
Status: assignedclosed

In 298d02a7:

Fixed #25617 -- Added case-insensitive unique username validation in UserCreationForm.

Co-Authored-By: Neven Mundar <nmundar@…>

Note: See TracTickets for help on using tickets.
Back to Top