Context Navigation

← Previous Ticket
Next Ticket →

#34429 closed New feature (fixed)

Allow to set unusable password via admin UI

Reported by:	Tobias Bengfort	Owned by:	Fabian Braun
Component:	contrib.auth	Version:	dev
Severity:	Normal	Keywords:
Cc:	Carlton Gibson, Sarah Boyce	Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	yes
Easy pickings:	no	UI/UX:	yes

Description (last modified by Fabian Braun)

Django allows to have user accounts with unusable passwords, either because authentication uses a different mechanism (e.g. LDAP) or because the User object is still needed (e.g. because it is referenced by a ForeignKey) but the user should no longer be allowed to log in.

However, this functionality is not available from the admin UI. When creating a user or changing the password I am forced to enter a password.

I propose to make the password fields optional in the Admin UI and set an unusable password if they are blank.

I am sorry if this has been discussed before. I looked before posting this but could not find anything.

Change History (17)

comment:1 by Mariusz Felisiak, 14 months ago

Triage Stage:	Unreviewed → Accepted
Version:	4.1 → dev

Thanks for the ticket. I agree that it would nice to add an option to create users with an unusable password in the admin, however, any implicit logic can be confusing here (see comment). Therefore, I'm not in favor of your proposal to:

... make the password fields optional in the Admin UI and set an unusable password if they are blank.

Maybe a checkbox in the "Add user" form e.g. "Usable password" (checked by default) that would hide password fields when unchecked 🤔, or sth similar.

Tentatively accepted.

comment:2 by Mariusz Felisiak, 14 months ago

Cc:	Carlton Gibson Sarah Boyce added

comment:3 by SAHIL SANJAY CHALKE, 13 months ago

Owner:	changed from nobody to SAHIL SANJAY CHALKE
Status:	new → assigned

comment:4 by SAHIL SANJAY CHALKE, 13 months ago

i am starting to work on the project

comment:5 by Fabian Braun, 11 months ago

Owner:	changed from SAHIL SANJAY CHALKE to Fabian Braun

comment:6 by Fabian Braun, 11 months ago

Have a working solution. Will add tests and create a PR.

The checkbox field is called "Allow login" to clearly indicate that users w/o password will not be able to log in. Please let me know if "Usable password" is deemed a better label.

The password fields are only visible and validated if the checkbox is set.

comment:7 by Fabian Braun, 11 months ago

Description:	modified (diff)
Has patch:	set

Patch here: https://github.com/django/django/pull/16942

comment:8 by Nick Pope, 11 months ago

Needs documentation:	set
Patch needs improvement:	set

comment:9 by Fabian Braun, 11 months ago

Needs documentation:	unset
Patch needs improvement:	unset

comment:10 by Fabian Braun, 11 months ago

UI/UX:	set

comment:11 by Mariusz Felisiak, 10 months ago

Needs tests:	set
Patch needs improvement:	set

comment:12 by Sarah Boyce, 9 months ago

Needs tests:	unset
Patch needs improvement:	unset

comment:13 by Natalia Bidart, 6 months ago

Patch needs improvement:	set

Made many rounds of reviews, including a great conversation about UX of this feature (see Discord chat).

comment:14 by Natalia Bidart, 3 months ago

Triage Stage:	Accepted → Ready for checkin

Multiple round of reviews later, and some further UI/UX, tests and docs tweaks, this is ready for checkin! \o/

comment:15 by Natalia <124304+nessita@…>, 3 months ago

In f64c528:

Refs #34429 -- Created SetPasswordMixin to reuse password validation logic in auth forms.

Co-authored-by: Natalia <124304+nessita@…>

comment:16 by Natalia <124304+nessita@…>, 3 months ago

In 8a75724:

Refs #34429 -- Defined test user with unusable password for auth forms tests.

comment:17 by Natalia <124304+nessita@…>, 3 months ago

Resolution:	→ fixed
Status:	assigned → closed

In e626716c:

Fixed #34429 -- Allowed setting unusable passwords for users in the auth forms.