Opened 8 years ago
Closed 7 years ago
#28016 closed Bug (duplicate)
Command createsuperuser does not validate username when using --username
Reported by: | Ricardo S. A. Silva | Owned by: | Ricardo S. A. Silva |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description
It is possible to create a new user with invalid characters in the username by running createsuperuser with only the --username parameter. The username validation is only executed when the --noinput parameter is used.
Example:
manage.py createsuperuser --username %invalid%username
The problem also occurs for fields in REQUIRED_FIELDS (e.g. email):
manage.py createsuperuser --username test --email invalid_email
This can be fixed by adding some validation:
--- a/django/contrib/auth/management/commands/createsuperuser.py +++ b/django/contrib/auth/management/commands/createsuperuser.py @@ -94,6 +94,24 @@ class Command(BaseCommand): if hasattr(self.stdin, 'isatty') and not self.stdin.isatty(): raise NotRunningInTTYException("Not running in a TTY") + # Validate username provided by --username parameter + if username: + try: + self.UserModel._meta.get_field(self.UserModel.USERNAME_FIELD).clean(username, None) + except exceptions.ValidationError as e: + raise CommandError('; '.join(e.messages)) + + # Validate data inputted by --< field_name > + for field_name in self.UserModel.REQUIRED_FIELDS: + try: + if options[field_name]: + field = self.UserModel._meta.get_field(field_name) + user_data[field_name] = field.clean(options[field_name], None) + else: + user_data[field_name] = None + except exceptions.ValidationError as e: + raise CommandError('; '.join(e.messages)) + # Get a username verbose_field_name = self.username_field.verbose_name while username is None: @@ -122,7 +140,6 @@ class Command(BaseCommand): for field_name in self.UserModel.REQUIRED_FIELDS: field = self.UserModel._meta.get_field(field_name) - user_data[field_name] = options[field_name] while user_data[field_name] is None: message = '%s%s: ' % ( capfirst(field.verbose_name),
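Review bot: the two new try/except blocks after the TTY check repeat the same clean-and-report sequence (`field.clean(value, None)` followed by `raise CommandError('; '.join(e.messages))`), once for the username field and once per REQUIRED_FIELDS entry; factor that into a single helper so an option value is validated and reported exactly the way prompted input is. The `if options[field_name]:` test also conflates "not given" with a falsy value: a required field passed as `0` or an empty string is stored as `None` and prompted for instead of being validated, so test `options[field_name] is None` instead. Note as well that `field.clean()` runs the field's validators only, not a uniqueness check, so an already-taken `--username` value passes this block and, because `username` is then set, skips the `while username is None:` prompt loop that follows it.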
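Review bot: removing `user_data[field_name] = options[field_name]` from this prompt loop makes it depend on the new loop in the first hunk having assigned every REQUIRED_FIELDS key beforehand; the two loops iterate the same fields and should be one. Move the option lookup and the `field.clean()` call into this loop, directly before `while user_data[field_name] is None:`, so each required field is read, validated and prompted for in a single place and the `user_data[field_name]` assignment stays next to the prompt that consumes it.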
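As an added illustration of the check the ticket asks for (not code from Django or from the reporter's branch), the stand-alone Python below mimics how a field's validators are run and reported, and validates every command-line value in one place so the same path serves both --username and the REQUIRED_FIELDS options. ValidationError, CommandError, the two validators and the FIELD_VALIDATORS table are constructed stand-ins for Django's; the username pattern uses the same character class as Django's default username validator, while the email check is deliberately simplified.

```python
import re
# Constructed stand-ins for the pieces the patch touches (not Django's code): validators
# raise ValidationError, clean_field() gathers their messages like Field.clean() does.
class ValidationError(Exception):
    def __init__(self, messages):
        super().__init__(messages)
        self.messages = list(messages)

class CommandError(Exception):
    pass

USERNAME_RE = re.compile(r'[\w.@+-]+')  # character class of Django's default username validator

def validate_username(value):
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError(['Enter a valid username: only letters, digits and @/./+/-/_.'])

def validate_email(value):  # simplified stand-in for Django's EmailValidator
    local, sep, domain = value.rpartition('@')
    if not (sep and local and '.' in domain.strip('.')):
        raise ValidationError(['Enter a valid email address.'])

FIELD_VALIDATORS = {'username': [validate_username], 'email': [validate_email]}

def clean_field(field_name, raw):
    """Run every validator of the field and collect all of their messages."""
    messages = []
    for validator in FIELD_VALIDATORS[field_name]:
        try:
            validator(raw)
        except ValidationError as e:
            messages.extend(e.messages)
    if messages:
        raise ValidationError(messages)
    return raw

def clean_options(options, required_fields=('username', 'email')):
    """Validate every --option value once, before prompting. None means 'not given'
    and stays None (to be prompted for); a falsy value is validated, not dropped."""
    cleaned = {}
    for name in required_fields:
        raw = options.get(name)
        if raw is None:
            cleaned[name] = None
            continue
        try:
            cleaned[name] = clean_field(name, raw)
        except ValidationError as e:
            raise CommandError('; '.join(e.messages))
    return cleaned
```

Called with the two option sets from the ticket, clean_options raises CommandError for `%invalid%username` and for `invalid_email`, and leaves an option that was not given as None so the interactive prompt can still ask for it.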
Change History (11)
comment:2 by , 8 years ago
Component: | Uncategorized → Core (Management commands) |
---|---|
Triage Stage: | Unreviewed → Accepted |
comment:3 by , 8 years ago
Has patch: | set |
---|---|
Needs tests: | set |
Can you also add tests for this? Here is where the new test should be added.
comment:6 by , 8 years ago
Needs tests: | unset |
---|---|
comment:8 by , 8 years ago
comment:9 by , 7 years ago
Patch needs improvement: | set |
---|---|
As Markus noted, the current PR seems to duplicate more code which doesn't seem ideal.
comment:10 by , 7 years ago
Component: | Core (Management commands) → contrib.auth |
---|---|
comment:11 by , 7 years ago
Resolution: | → duplicate |
---|---|
Status: | assigned → closed |
Tests for this issue have been added to the PR for #28044.
Fix available at https://github.com/ricardosasilva/django/tree/ticket_28016.