Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#35678 closed Bug (fixed)

BaseUserCreationForm should not have the admin-specific usable_password field

Reported by: Simon Willison Owned by: Natalia Bidart
Component: contrib.auth Version: 5.1
Severity: Release blocker Keywords:
Cc: Fabian Braun Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

A bug came up today in django-registration where a new form field for the registration flow suddenly appeared called "Password-based authentication" - it turns out that's because a usable_password field that was added to the Django UserCreationForm class in the latest release.

Bug report here: https://github.com/ubernostrum/django-registration/issues/245

It appears that the django.contrib.auth.forms.UserCreationForm class isn't actually intended for use outside the admin, it would be great if the documentation reflected that.

Attachments (1)

password-based-authentication.png (156.1 KB ) - added by Simon Willison 3 months ago.

Download all attachments as: .zip

Change History (13)

by Simon Willison, 3 months ago

comment:1 by Tim Graham, 3 months ago

Component: Documentationcontrib.auth
Severity: NormalRelease blocker
Summary: Documentation should clarify that UserCreationForm is intended just for the AdminBaseUserCreationForm should not have the admin-specific usable_password field
Triage Stage: UnreviewedAccepted
Type: UncategorizedBug

Based on past efforts (e.g. #34438), it's inaccurate to say that UserCreationForm is intended only for the admin. The addition of the usable_password field to UserCreationForm in #34429 should likely be reverted. This field could be added to a new UserCreationForm subclass in contrib/admin/forms.py.

comment:3 by Natalia Bidart, 3 months ago

Owner: set to Natalia Bidart
Status: newassigned

comment:4 by Fabian Braun, 3 months ago

Cc: Fabian Braun added
Has patch: set
Owner: changed from Natalia Bidart to Fabian Braun

comment:5 by Natalia Bidart, 3 months ago

Needs documentation: set

Fabian has started a draft PR and so did I when I assigned the ticket to myself this morning. I think we want to keep the unusable password functionality from the AdminPasswordChangeForm, so I believe we should follow the approach from PR 18484.

Both PRs needs docs updates.

comment:6 by Natalia Bidart, 3 months ago

Needs documentation: unset
Owner: changed from Fabian Braun to Natalia Bidart

PR is ready for review, Fabian and I agreed on closing the other one.

comment:7 by Carlton Gibson, 3 months ago

Just worth copying here from the Forum thread, a workaround for the very short term:

I ran into this and quickly added to following my subclass.

# Remove the option to create an account with an unusable password.
usable_password = None

Hopefully that saves someone a cycle.

comment:8 by Sarah Boyce, 3 months ago

Triage Stage: AcceptedReady for checkin

comment:9 by nessita <124304+nessita@…>, 3 months ago

In b60fd87:

Refs #35678 -- Split tests for BaseUserCreationForm when using a custom User model.

This work also allows to subclass BaseUserCreationFormTest to reuse the
tests and assertions for testing forms that extend BaseUserCreationForm,
which is now used for UserCreationFormTest, increasing its coverage.

comment:10 by nessita <124304+nessita@…>, 3 months ago

Resolution: fixed
Status: assignedclosed

In 0ebed5f:

Fixed #35678 -- Removed "usable_password" field from BaseUserCreationForm.

Refs #34429: Following the implementation allowing the setting of
unusable passwords via the admin site, the BaseUserCreationForm and
UserCreationForm were extended to include a new field for choosing
whether password-based authentication for the new user should be enabled
or disabled at creation time.
Given that these forms are designed to be extended when implementing
custom user models, this branch ensures that this new field is moved to
a new, admin-dedicated, user creation form AdminUserCreationForm.

Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3.

Thanks Simon Willison for the report, Fabian Braun and Sarah Boyce for
the review.

comment:11 by Natalia <124304+nessita@…>, 3 months ago

In cfad0655:

[5.1.x] Refs #35678 -- Split tests for BaseUserCreationForm when using a custom User model.

This work also allows to subclass BaseUserCreationFormTest to reuse the
tests and assertions for testing forms that extend BaseUserCreationForm,
which is now used for UserCreationFormTest, increasing its coverage.

Backport of b60fd8722f305ec29c87f34d3fea262e56394ebd from main.

comment:12 by Natalia <124304+nessita@…>, 3 months ago

In da22e6cb:

[5.1.x] Fixed #35678 -- Removed "usable_password" field from BaseUserCreationForm.

Refs #34429: Following the implementation allowing the setting of
unusable passwords via the admin site, the BaseUserCreationForm and
UserCreationForm were extended to include a new field for choosing
whether password-based authentication for the new user should be enabled
or disabled at creation time.
Given that these forms are designed to be extended when implementing
custom user models, this branch ensures that this new field is moved to
a new, admin-dedicated, user creation form AdminUserCreationForm.

Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3.

Thanks Simon Willison for the report, Fabian Braun and Sarah Boyce for
the review.

Backport of 0ebed5fa95f53b87383901bbd9341ef3c974344f from main.

Note: See TracTickets for help on using tickets.
Back to Top