Opened 7 years ago
Closed 7 years ago
#28571 closed Cleanup/optimization (fixed)
Allow createsuperuser to bypass password validation
Reported by: | Daniel Hahler | Owned by: | Tom Forbes |
---|---|---|---|
Component: | contrib.auth | Version: | 1.11 |
Severity: | Normal | Keywords: | |
Cc: | Tom Forbes | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
When using ./manage.py createsuperuser
on a new local project, you should not get interrupted by some minimal password length.
While I think it is good to have this by default there should at least be an option to override it: it is only meant for local development after all in this case.
So it should either be more smarter when to apply those limits by default (hint: using an SQLite DB is not meant for production), or just provide strong hints in the settings.
Change History (6)
comment:2 by , 7 years ago
Component: | Uncategorized → contrib.auth |
---|---|
Summary: | createsuperuser should not impose password validators (or allow to skip them) → Allow createsuperuser to bypass password validation |
Triage Stage: | Unreviewed → Accepted |
Type: | Bug → Cleanup/optimization |
This was discussed at length on django-developers. I think Carl's suggestion is fine:
My favorite option is for the createsuperuser command specifically (and nothing else) to implement password validation as a confirm dialog rather than a hard block. If your password fails validation, it tells you how and asks you to confirm that you really want to use that password. This makes sense to me because the createsuperuser command (unlike any site web UI) can only ever be used by someone who would also have the ability to set their password directly via shell if they want. So it's good to remind them of the validation fail, but there's no reason to make their life difficult.
comment:3 by , 7 years ago
Thanks!
Asking for confirmation but allow for setting anything would be nice to have.
comment:4 by , 7 years ago
Cc: | added |
---|---|
Owner: | changed from | to
Status: | new → assigned |
comment:5 by , 7 years ago
PR: https://github.com/django/django/pull/9050/
I was not sure what the prompt message should be or if we should include some kind of warning, so I went with: Bypass validation and create user anyway? [y/n]: '
Is is as easy as conditionally seetting
django.contrib.auth.password_validation.MinimumLengthValidator
(etc) after all.So this might just get wrapped by some
if not DEBUG
?