Opened 9 years ago
Closed 8 years ago
#28016 closed Bug (duplicate)
Command createsuperuser does not validate username when using --username
| Reported by: | Ricardo S. A. Silva | Owned by: | Ricardo S. A. Silva |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description
It is possible to create a new user with invalid characters in the username by running createsuperuser with only the --username parameter. The username validation is only executed when the --noinput parameter is used.
Example:
manage.py createsuperuser --username %invalid%username
The problem also occurs for fields in REQUIRED_FIELDS (e.g. email):
manage.py createsuperuser --username test --email invalid_email
This can be fixed by adding some validation:
--- a/django/contrib/auth/management/commands/createsuperuser.py
+++ b/django/contrib/auth/management/commands/createsuperuser.py
@@ -94,6 +94,24 @@ class Command(BaseCommand):
if hasattr(self.stdin, 'isatty') and not self.stdin.isatty():
raise NotRunningInTTYException("Not running in a TTY")
+ # Validate username provided by --username parameter
+ if username:
+ try:
+ self.UserModel._meta.get_field(self.UserModel.USERNAME_FIELD).clean(username, None)
+ except exceptions.ValidationError as e:
+ raise CommandError('; '.join(e.messages))
+
+ # Validate data inputted by --< field_name >
+ for field_name in self.UserModel.REQUIRED_FIELDS:
+ try:
+ if options[field_name]:
+ field = self.UserModel._meta.get_field(field_name)
+ user_data[field_name] = field.clean(options[field_name], None)
+ else:
+ user_data[field_name] = None
+ except exceptions.ValidationError as e:
+ raise CommandError('; '.join(e.messages))
+
# Get a username
verbose_field_name = self.username_field.verbose_name
while username is None:
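Review bot: `self.UserModel._meta.get_field(self.UserModel.USERNAME_FIELD).clean(username, None)` in the new username block throws away the value `clean()` returns, so the command continues with the raw `--username` string rather than the cleaned one, and the guard `if username:` skips validation entirely for an explicit empty string, which `while username is None:` just below then also accepts without prompting. Suggest `username = self.username_field.clean(username, None)` under `if username is not None:`, reusing the `self.username_field` attribute the surrounding code already has instead of looking the field up again. The username check and the `REQUIRED_FIELDS` loop also mirror the validation the ticket says already runs on the `--noinput` path; moving both into one helper called from both branches would avoid the duplication raised in comment 9.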
@@ -122,7 +140,6 @@ class Command(BaseCommand):
for field_name in self.UserModel.REQUIRED_FIELDS:
field = self.UserModel._meta.get_field(field_name)
- user_data[field_name] = options[field_name]
while user_data[field_name] is None:
message = '%s%s: ' % (
capfirst(field.verbose_name),
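Review bot: with `user_data[field_name] = options[field_name]` removed, `while user_data[field_name] is None:` now depends on the `REQUIRED_FIELDS` loop added earlier in the interactive branch having populated every key first; if that loop is skipped or reordered, this line raises KeyError instead of prompting. Since both loops iterate `self.UserModel.REQUIRED_FIELDS`, consider folding the option validation into this loop (clean `options[field_name]` here, before the `while`), so each field is read, validated and prompted for in one place, which also addresses the duplication noted in comment 9.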
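The behaviour the ticket asks for, as an added self-contained example that is neither Django's code nor the patch above: every value supplied through a --field option is validated regardless of whether the command runs interactively, and only the missing fields are prompted for, with prompted input passing through the same cleaner. The names `collect_user_data`, `FIELDS`, `clean_username`, `clean_email` and `main` are assumptions for this illustration; the username pattern is the one Django's UnicodeUsernameValidator applies, while the e-mail pattern is a deliberate simplification of Django's EmailValidator. The example checks `is not None` rather than truthiness so that `--username ''` is rejected rather than treated as "not supplied".

```python
import argparse
import re
from typing import Callable, Dict, Optional


# Same pattern Django's UnicodeUsernameValidator applies to usernames.
USERNAME_RE = re.compile(r"^[\w.@+-]+\Z")
# Deliberately simplified e-mail check for this example only; Django's
# EmailValidator is considerably stricter.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+\Z")


class ValidationError(Exception):
    """Raised by a cleaner when a value is rejected."""


class CommandError(Exception):
    """Raised when the command cannot proceed (mirrors Django's CommandError)."""


def clean_username(value: str) -> str:
    if value == "":
        raise ValidationError("This field cannot be blank.")
    if not USERNAME_RE.match(value):
        raise ValidationError(
            "Enter a valid username. This value may contain only letters, "
            "numbers, and @/./+/-/_ characters."
        )
    return value


def clean_email(value: str) -> str:
    if value == "":
        raise ValidationError("This field cannot be blank.")
    if not EMAIL_RE.match(value):
        raise ValidationError("Enter a valid email address.")
    return value


# Stand-in for USERNAME_FIELD plus REQUIRED_FIELDS: field name -> cleaner.
FIELDS: Dict[str, Callable[[str], str]] = {
    "username": clean_username,
    "email": clean_email,
}


def collect_user_data(
    options: Dict[str, Optional[str]],
    interactive: bool,
    prompt: Callable[[str], str] = input,
) -> Dict[str, str]:
    """Return cleaned values for every field in FIELDS.

    ``options`` holds the --<field> values, ``None`` when a flag was not
    given. A value that was given is always validated, interactive or not;
    only missing values are prompted for, and prompted input goes through
    the very same cleaner. ``is not None`` is used instead of truthiness so
    an explicit empty string is rejected rather than silently prompted for.
    """
    user_data: Dict[str, str] = {}
    for name, cleaner in FIELDS.items():
        value = options.get(name)
        if value is not None:
            try:
                user_data[name] = cleaner(value)
            except ValidationError as exc:
                raise CommandError(f"{name}: {exc}") from exc
            continue
        if not interactive:
            raise CommandError(f"You must use --{name} with --noinput.")
        # Re-prompt until the typed value passes the same cleaner.
        while name not in user_data:
            try:
                user_data[name] = cleaner(prompt(f"{name.capitalize()}: "))
            except ValidationError as exc:
                print(f"Error: {exc}")
    return user_data


def main(argv: Optional[list] = None) -> Dict[str, str]:
    """Parse createsuperuser-style flags and return the validated data."""
    parser = argparse.ArgumentParser(description="option validation example")
    for name in FIELDS:
        parser.add_argument(f"--{name}")
    parser.add_argument("--noinput", dest="interactive", action="store_false")
    args = parser.parse_args(argv)
    options = {name: getattr(args, name) for name in FIELDS}
    return collect_user_data(options, args.interactive)


if __name__ == "__main__":
    print(main())
```

Run as `python example.py --username %invalid%username` and the command fails with a CommandError before any prompt is shown, which is the behaviour the ticket reports as missing from the interactive path.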
Change History (11)
comment:2 by , 9 years ago
| Component: | Uncategorized → Core (Management commands) |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
comment:3 by , 9 years ago
| Has patch: | set |
|---|---|
| Needs tests: | set |
Can you also add tests for this? The new test should be added here
comment:6 by , 9 years ago
| Needs tests: | unset |
|---|---|
comment:8 by , 9 years ago
comment:9 by , 8 years ago
| Patch needs improvement: | set |
|---|---|
As Markus noted, the current PR seems to duplicate more code, which doesn't seem ideal.
comment:10 by , 8 years ago
| Component: | Core (Management commands) → contrib.auth |
|---|---|
comment:11 by , 8 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | assigned → closed |
Tests for this issue have been added to the PR for #28044.
PR