Opened 8 years ago

Closed 8 years ago

#26951 closed Bug (fixed)

AuthenticationForm bug when USERNAME_FIELD is an IntegerField

Reported by: Gavin Wahl Owned by: Olexander Yermakov
Component: contrib.auth Version: 1.9
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

In my custom user model, my USERNAME field is an IntegerField (the users log in with their account number). I also subclass AuthenticationForm to make the username a forms.IntegerField.

django.contrib.auth.forms.AuthenticationForm.clean attempts to check if the username field was filled out by using the truthiness of the submitted value:

    def clean(self):
        username = self.cleaned_data.get('username')
        password = self.cleaned_data.get('password')

        if username and password:
            self.user_cache = authenticate(username=username,
                                           password=password)

So, if someone attempts to log in with a username of 0, authentication is never even attempted (but the form passes validation!), and the login view fails when triying to call auth.login.

The code should explicitly check for None as a sentinel value (if username is not None and password is not None:, rather than the truthiness of the submitted value.

Change History (5)

comment:1 by Tim Graham, 8 years ago

Easy pickings: set
Triage Stage: UnreviewedAccepted

comment:2 by Olexander Yermakov, 8 years ago

Owner: changed from nobody to Olexander Yermakov
Status: newassigned

comment:3 by Olexander Yermakov, 8 years ago

Please review the PR

comment:4 by Tim Graham, 8 years ago

Has patch: set

comment:5 by Tim Graham <timograham@…>, 8 years ago

Resolution: fixed
Status: assignedclosed

In 975a76a9:

Fixed #26951 -- Allowed AuthenticationForm to work with a username of 0.

Note: See TracTickets for help on using tickets.
Back to Top