id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
26909	Allow UserAttributeSimilarityValidator to validate against properties	Kieren Pitts	Andrew Nester	"The UserAttributeSimilarityValidator class (in contrib/auth/password_validation.py) has a hardcoded reference to 'username' in it:

DEFAULT_USER_ATTRIBUTES = ('username', 'first_name', 'last_name', 'email')

These attributes are looped through to check new passwords for similarity with existing information on the user. However, if you use a custom user model then you may not have a 'username' (especially if using 'email' as the username) and this then results in an error on line 147 when resetting passwords (using a password that is similar to, say, the email):

verbose_name = force_text(user._meta.get_field(attribute_name).verbose_name)

In some cases you can use built-in auth forms with a custom user model. These use-cases have some restrictions and are outlined in the docs here:

https://docs.djangoproject.com/en/1.9/topics/auth/customizing/#custom-users-and-the-built-in-auth-forms

However, given the hard-coded attributes in the UserAttributeSimilarityValidator class the below statement from the above page is not correct because the missing 'username' field causes an error and using a property does not work with _meta.get_field:

""PasswordResetForm: Assumes that the user model has a field named email that can be used to identify the user and a boolean field named is_active to prevent password resets for inactive users.""

This issue only comes to light if the password is similar to the data in one of the other fields (i.e. the SequenceMatcher check suggests they are similar). For example, if you have a custom user model using 'email' as the username field and a user with a username of 'somespecialname@example.com' tries to set a password of 'somespecialname'.

It's not clear if the problem is with the code which shouldn't have the hardcoded values (perhaps they could be overridden by a setting instead) or if it's a mistake/omission in the docs.

Apologies if I've missed something obvious here."	Cleanup/optimization	closed	contrib.auth	1.9	Normal	fixed			Accepted	1	0	0	1	0	0
