Opened 9 years ago
Closed 9 years ago
#26719 closed Bug (fixed)
UserCreationForm doesn't call normalize_email
Reported by: | Mitar | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 1.10 |
Severity: | Normal | Keywords: | |
Cc: | mmitar@… | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
UserCreationForm seems to not be calling normalize_email, which is called otherwise by the UserManager.create_user.
Change History (14)
comment:1 by , 9 years ago
Triage Stage: | Unreviewed → Accepted |
---|---|
Type: | Uncategorized → Bug |
comment:3 by , 9 years ago
Patch needs improvement: | set |
---|---|
Severity: | Normal → Release blocker |
Summary: | UserCreationForm is not calling normalize_email → UserCreationForm doesn't call normalize_email and normalize_username |
Version: | 1.9 → 1.10 |
Promoting to release blocker in light of Claude's concern of the lack of normalize_username as a possible security issue.
comment:5 by , 9 years ago
The security concern is about unicode username not being normalized, which could allow a user to create a new account with a visually similar username as another one.
You can also find more information on this django-developers thread.
comment:6 by , 9 years ago
Patch needs improvement: | unset |
---|---|
Triage Stage: | Accepted → Ready for checkin |
comment:7 by , 9 years ago
Patch needs improvement: | set |
---|---|
Severity: | Release blocker → Normal |
Summary: | UserCreationForm doesn't call normalize_email and normalize_username → UserCreationForm doesn't call normalize_email |
Triage Stage: | Ready for checkin → Accepted |
I wrote a separate patch for moving username normalization to AbstractBaseUser.clean(). I'll refocus this ticket to moving email normalization since this isn't a blocker for 1.10.
comment:10 by , 9 years ago
Not sure I understand the premise of the report because UserCreationForm only has fields = ("username",) (no email field).
comment:11 by , 9 years ago
Component: | Forms → contrib.auth |
---|---|
comment:12 by , 9 years ago
Yes, but you can extend it and add it to fields in Meta. It is a ModelForm. So the list of fields exposed is just a default.
comment:13 by , 9 years ago
Patch needs improvement: | unset |
---|---|
Triage Stage: | Accepted → Ready for checkin |
Same for normalize_username in 1.10. What about applying the normalization in an AbstractUser.clean() method?
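An added example, not code from the ticket or from Django, of the gap this thread discusses: a save path that skips normalization accepts signups that the normalizing path would reject as duplicates, and an audit pass finds such rows afterwards. `normalize_email` and `normalize_username` here are stand-ins that follow Django's documented behaviour; `AccountStore`, `find_collisions` and the sample signups are hypothetical names and constructed data.

```python
import unicodedata

# Stand-ins written for this example so it runs without Django. They follow the
# documented behaviour of BaseUserManager.normalize_email (lowercase the domain
# part) and AbstractBaseUser.normalize_username (NFKC normalization).
def normalize_email(email):
    email = email or ""
    try:
        local, domain = email.strip().rsplit("@", 1)
    except ValueError:
        return email
    return local + "@" + domain.lower()

def normalize_username(username):
    return unicodedata.normalize("NFKC", username)

class AccountStore:
    """Hypothetical table with exact-match UNIQUE checks on username and email."""
    def __init__(self, normalize):
        self.normalize = normalize  # False models a form that saves raw input
        self.rows = []

    def create(self, username, email):
        if self.normalize:
            username, email = normalize_username(username), normalize_email(email)
        if any(username == u or email == e for u, e in self.rows):
            raise ValueError("duplicate account")
        self.rows.append((username, email))
        return username, email

def find_collisions(rows):
    """Audit stored rows: pairs whose normalized username or email coincide."""
    seen, clashes = {}, []
    for row in rows:
        for key in (("u", normalize_username(row[0])), ("e", normalize_email(row[1]))):
            if key in seen and seen[key] != row:
                clashes.append((seen[key], row))
            seen.setdefault(key, row)
    return clashes

# Constructed sample signups; "\ufb01" is the single-character "fi" ligature.
SAMPLE = [("finance", "ops@example.com"),
          ("\ufb01nance", "other@example.com"),
          ("helpdesk", "ops@EXAMPLE.COM")]

if __name__ == "__main__":
    raw = AccountStore(normalize=False)
    for signup in SAMPLE:
        raw.create(*signup)          # all three are accepted as distinct
    for first, second in find_collisions(raw.rows):
        print("collides after normalization:", first, second)
```

Running `find_collisions` over existing account rows is a way to spot accounts created through a non-normalizing path before a fix was deployed.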