Opened 8 years ago

Closed 8 years ago

#26133 closed Uncategorized (invalid)

AbstractBaseUser missing password validaton

Reported by: Fernando Miranda Owned by: nobody
Component: contrib.auth Version: 1.9
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Fernando Miranda)

Using the new password validation framework, it looks like AbstractBaseUser does not call password validators defined in settings.py:

# django.contrib.auth.models.py

class AbstractBaseUser(models.Model):
    password = models.CharField(_('password'), max_length=128)  
    ...

I'd expect something like this in the above line:

class AbstractBaseUser(models.Model):
    password = models.CharField(_('password'), max_length=128, validators=validators_list())  

This issue is related to #25052, but I'm not sure.

Change History (3)

comment:1 by Fernando Miranda, 8 years ago

Description: modified (diff)

comment:2 by Tim Graham, 8 years ago

I'm not sure how/if that would work because the final value for password is the hashed password and that's not the one we want to validate. Can you describe or give example code of the case where you're seeing validation is missing?

comment:3 by Fernando Miranda, 8 years ago

Resolution: invalid
Status: newclosed

You are right Tim, I got confused by the fact that validation is made not only in Models but also in Forms and other places. Sorry for the noise.

Note: See TracTickets for help on using tickets.
Back to Top