Make validate_password() require a user instance

[Jaap Roes]

While implementing a user registration flow using django-rest-framework and djoser, I noticed that not all the password validators were behaving as expected.

In particular Django's UserAttributeSimilarityValidator, (which is in the list of default validators). It turns out this is because validate_password is called with just the passwords to be validate, omitting the user instance this password is validated for.

Apparently omitting a user instance is allowed by design, the docs for validate_password state:

The user object is optional: if it's not provided, some validators may not be able to perform any validation and will accept any password.

If validate_password is unable to properly validate a password without the user instance, then shouldn't that parameter be required? As it stands now the behaviour is wholly unexpected from an end user's point of view. Neither validate_password nor UserAttributeSimilarityValidator warn about being unable to do their job. This makes it very easy to overlook that some validation is not taking place.

Would adding a warning to UserAttributeSimilarityValidator or even a deprecation process for calling validate_password without a user instance be warranted?

[Tim Graham]

You can write to the DevelopersMailingList to revisit the design decision but I don't see a compelling reason to change the behavior. There may be use cases for validating a password where a user instance isn't available.