#35678 closed Bug (fixed)
BaseUserCreationForm should not have the admin-specific usable_password field
| Reported by: | Simon Willison | Owned by: | Natalia Bidart |
|---|---|---|---|
| Component: | contrib.auth | Version: | 5.1 |
| Severity: | Release blocker | Keywords: | |
| Cc: | Fabian Braun | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
A bug came up today in django-registration where a new form field for the registration flow suddenly appeared called "Password-based authentication" - it turns out that's because a usable_password field was added to the Django UserCreationForm class in the latest release.
Bug report here: https://github.com/ubernostrum/django-registration/issues/245
It appears that the django.contrib.auth.forms.UserCreationForm class isn't actually intended for use outside the admin; it would be great if the documentation reflected that.
Attachments (1)
Change History (13)
by , 15 months ago
| Attachment: | password-based-authentication.png added |
|---|
comment:1 by , 15 months ago
| Component: | Documentation → contrib.auth |
|---|---|
| Severity: | Normal → Release blocker |
| Summary: | Documentation should clarify that UserCreationForm is intended just for the Admin → BaseUserCreationForm should not have the admin-specific usable_password field |
| Triage Stage: | Unreviewed → Accepted |
| Type: | Uncategorized → Bug |
comment:2 by , 15 months ago
Forum discussion: https://forum.djangoproject.com/t/the-purpose-of-usercreationform/33836
comment:3 by , 15 months ago
| Owner: | set to |
|---|---|
| Status: | new → assigned |
comment:4 by , 15 months ago
| Cc: | added |
|---|---|
| Has patch: | set |
| Owner: | changed from to |
comment:5 by , 15 months ago
| Needs documentation: | set |
|---|
Fabian has started a draft PR and so did I when I assigned the ticket to myself this morning. I think we want to keep the unusable password functionality from the AdminPasswordChangeForm, so I believe we should follow the approach from PR 18484.
Both PRs need docs updates.
comment:6 by , 15 months ago
| Needs documentation: | unset |
|---|---|
| Owner: | changed from to |
PR is ready for review, Fabian and I agreed on closing the other one.
comment:7 by , 15 months ago
Just worth copying here from the Forum thread, a workaround for the very short term:
I ran into this and quickly added the following to my subclass.

```python
# Remove the option to create an account with an unusable password.
usable_password = None
```
Hopefully that saves someone a cycle.
comment:8 by , 15 months ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
Based on past efforts (e.g. #34438), it's inaccurate to say that UserCreationForm is intended only for the admin. The addition of the usable_password field to UserCreationForm in #34429 should likely be reverted. This field could be added to a new UserCreationForm subclass in contrib/admin/forms.py.