id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28127	Allow UserCreationForm's password validation to check all user fields	jambonrose	jambonrose	"I started a discussion on the developer mailing list for this topic: https://groups.google.com/d/topic/django-developers/glrLyuPkiKs/discussion

Effectively, the user creation form and the password change form use the `UserAttributeSimilarityValidator` differently. It is possible to create a user via a subclass of Django's `UserCreationForm` with a password that would be denied by the password change form. This is because the user creation form only checks similarity against the `username` field. When changing a password, the password is validated in similarity to `username`, `first_name`, `last_name`, and `email`.

This seems highly undesirable.

The central cause is that the `ModelForm` superclass (of `UserCreationForm`) hasn't yet created the `User` instance. `UserCreationForm` manually adds `username` to the empty `User` instance on line 105 to allow for user attribute validation. In the event a developer subclasses `UserCreationForm`, then the form will still only validate against the `username`, rather than all of the fields in the field.

I will have a PR with a proposed fix (discussed in the mailing list) shortly."	Bug	closed	contrib.auth	dev	Normal	fixed			Accepted	1	0	0	1	0	0
