Opened 7 years ago
Closed 7 years ago
#28127 closed Bug (fixed)
Allow UserCreationForm's password validation to check all user fields
| Reported by: | jambonrose | Owned by: | jambonrose |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description
I started a discussion on the developer mailing list for this topic: https://groups.google.com/d/topic/django-developers/glrLyuPkiKs/discussion
Effectively, the user creation form and the password change form use the UserAttributeSimilarityValidator differently. It is possible to create a user via a subclass of Django's UserCreationForm with a password that would be denied by the password change form. This is because the user creation form only checks similarity agains the username field. When changing a password, the password is validated in similarity to username, first_name, last_name, and email.
This seems highly undesirable.
The central cause is that the ModelForm superclass (of UserCreationForm) hasn't yet created the User instance. UserCreationForm manually adds username to the empty User instance on line 105 to allow for user attribute validation. In the event a developer subclasses UserCreationForm, then the form will still only validate against the username, rather than all of the fields in the field.
I will have a PR with a proposed fix (discussed in the mailing list) shortly.
Change History (4)
comment:2 by , 7 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:3 by , 7 years ago
| Patch needs improvement: | set |
|---|---|
| Summary: | Inconsistent Behavior in Auth with UserAttributeSimilarityValidator → Allow UserCreationForm's password validation to check all user fields |