Opened 8 years ago
Closed 8 years ago
#26951 closed Bug (fixed)
AuthenticationForm bug when USERNAME_FIELD is an IntegerField
| Reported by: | Gavin Wahl | Owned by: | Olexander Yermakov |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.9 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
In my custom user model, my USERNAME field is an IntegerField (the users log in with their account number). I also subclass AuthenticationForm to make the username a forms.IntegerField.
django.contrib.auth.forms.AuthenticationForm.clean attempts to check if the username field was filled out by using the truthiness of the submitted value:
def clean(self): username = self.cleaned_data.get('username') password = self.cleaned_data.get('password') if username and password: self.user_cache = authenticate(username=username, password=password)
So, if someone attempts to log in with a username of 0, authentication is never even attempted (but the form passes validation!), and the login view fails when triying to call auth.login.
The code should explicitly check for None as a sentinel value (if username is not None and password is not None:, rather than the truthiness of the submitted value.
Change History (5)
comment:1 by , 8 years ago
| Easy pickings: | set |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
comment:2 by , 8 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 8 years ago
comment:4 by , 8 years ago
| Has patch: | set |
|---|
Note:
See TracTickets
for help on using tickets.
Please review the PR