Opened 8 years ago
Closed 8 years ago
#26951 closed Bug (fixed)
AuthenticationForm bug when USERNAME_FIELD is an IntegerField
Reported by: | Gavin Wahl | Owned by: | Olexander Yermakov |
---|---|---|---|
Component: | contrib.auth | Version: | 1.9 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
In my custom user model, my USERNAME field is an IntegerField (the users log in with their account number). I also subclass AuthenticationForm to make the username a forms.IntegerField.
`django.contrib.auth.forms.AuthenticationForm.clean` attempts to check if the username field was filled out by using the truthiness of the submitted value:

```python
def clean(self):
    username = self.cleaned_data.get('username')
    password = self.cleaned_data.get('password')
    if username and password:
        self.user_cache = authenticate(username=username, password=password)
```

So, if someone attempts to log in with a username of `0`, authentication is never even attempted (but the form passes validation!), and the login view fails when trying to call auth.login.

The code should explicitly check for None as a sentinel value (`if username is not None and password is not None:`), rather than the truthiness of the submitted value.
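
The behaviour described in the ticket, reproduced as an added stand-alone example (not Django's code and not the patch from the PR). `ACCOUNTS`, `InvalidLogin`, `authenticate` and `clean` are hypothetical stand-ins, and the account data is constructed.

```python
# Added illustration; no Django import. All names here are hypothetical.
ACCOUNTS = {0: "s3cret", 1001: "hunter2"}  # constructed sample accounts


class InvalidLogin(Exception):
    """Stands in for the form's ValidationError."""


def authenticate(username, password):
    """Stub backend: return a user record on a match, else None."""
    if username in ACCOUNTS and ACCOUNTS[username] == password:
        return {"account": username}
    return None


def clean(cleaned_data, use_none_sentinel):
    """Return (auth_attempted, user); raise InvalidLogin on bad credentials."""
    username = cleaned_data.get("username")
    password = cleaned_data.get("password")
    if use_none_sentinel:
        # Check proposed in the ticket: only a missing value skips auth.
        filled = username is not None and password is not None
    else:
        # Check quoted in the ticket: 0 is falsy, so it looks "not filled".
        filled = bool(username and password)
    if not filled:
        # No error raised: validation passes with no user attached.
        return False, None
    user = authenticate(username, password)
    if user is None:
        raise InvalidLogin("invalid login")
    return True, user


if __name__ == "__main__":
    attempt = {"username": 0, "password": "s3cret"}
    print("truthiness:", clean(attempt, use_none_sentinel=False))
    print("sentinel:  ", clean(attempt, use_none_sentinel=True))
```

A view consuming such a form should confirm that a user object was attached before logging in, rather than relying on validation alone.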
Change History (5)
comment:1 by , 8 years ago
Easy pickings: | set |
---|---|
Triage Stage: | Unreviewed → Accepted |
comment:2 by , 8 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 8 years ago
comment:4 by , 8 years ago
Has patch: | set |
---|
Please review the PR