Opened 2 years ago

Closed 2 years ago

#28728 closed Cleanup/optimization (wontfix)

Make validate_password() require a user instance

Reported by: Jaap Roes Owned by: nobody
Component: contrib.auth Version: master
Severity: Normal Keywords: password validation requires user
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


While implementing a user registration flow using django-rest-framework and djoser, I noticed that not all the password validators were behaving as expected.

In particular Django's UserAttributeSimilarityValidator, (which is in the list of default validators). It turns out this is because validate_password is called with just the passwords to be validate, omitting the user instance this password is validated for.

Apparently omitting a user instance is allowed by design, the docs for validate_password state:

The user object is optional: if it's not provided, some validators may not be able to perform any validation and will accept any password.

If validate_password is unable to properly validate a password without the user instance, then shouldn't that parameter be required? As it stands now the behaviour is wholly unexpected from an end user's point of view. Neither validate_password nor UserAttributeSimilarityValidator warn about being unable to do their job. This makes it very easy to overlook that some validation is not taking place.

Would adding a warning to UserAttributeSimilarityValidator or even a deprecation process for calling validate_password without a user instance be warranted?

Change History (1)

comment:1 Changed 2 years ago by Tim Graham

Resolution: wontfix
Status: newclosed
Summary: validate_password silently allows invalid passwords if no user instance is givenMake validate_password() require a user instance

You can write to the DevelopersMailingList to revisit the design decision but I don't see a compelling reason to change the behavior. There may be use cases for validating a password where a user instance isn't available.

Note: See TracTickets for help on using tickets.
Back to Top