#35678 closed Bug (fixed)
BaseUserCreationForm should not have the admin-specific usable_password field
Reported by: | Simon Willison | Owned by: | Natalia Bidart |
---|---|---|---|
Component: | contrib.auth | Version: | 5.1 |
Severity: | Release blocker | Keywords: | |
Cc: | Fabian Braun | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
A bug came up today in django-registration where a new form field for the registration flow suddenly appeared called "Password-based authentication" - it turns out that's because of a usable_password field that was added to the Django UserCreationForm class in the latest release.
Bug report here: https://github.com/ubernostrum/django-registration/issues/245
It appears that the django.contrib.auth.forms.UserCreationForm class isn't actually intended for use outside the admin, it would be great if the documentation reflected that.
Attachments (1)
Change History (13)
by , 2 months ago
Attachment: | password-based-authentication.png added |
---|
comment:1 by , 2 months ago
Component: | Documentation → contrib.auth |
---|---|
Severity: | Normal → Release blocker |
Summary: | Documentation should clarify that UserCreationForm is intended just for the Admin → BaseUserCreationForm should not have the admin-specific usable_password field |
Triage Stage: | Unreviewed → Accepted |
Type: | Uncategorized → Bug |
comment:2 by , 2 months ago
Forum discussion: https://forum.djangoproject.com/t/the-purpose-of-usercreationform/33836
comment:3 by , 2 months ago
Owner: | set to |
---|---|
Status: | new → assigned |
comment:4 by , 2 months ago
Cc: | added |
---|---|
Has patch: | set |
Owner: | changed from | to
comment:5 by , 2 months ago
Needs documentation: | set |
---|
Fabian has started a draft PR and so did I when I assigned the ticket to myself this morning. I think we want to keep the unusable password functionality from the AdminPasswordChangeForm, so I believe we should follow the approach from PR 18484.
Both PRs need docs updates.
comment:6 by , 2 months ago
Needs documentation: | unset |
---|---|
Owner: | changed from | to
PR is ready for review, Fabian and I agreed on closing the other one.
comment:7 by , 2 months ago
Just worth copying here from the Forum thread, a workaround for the very short term:
I ran into this and quickly added the following to my subclass.

    # Remove the option to create an account with an unusable password.
    usable_password = None

Hopefully that saves someone a cycle.
comment:8 by , 8 weeks ago
Triage Stage: | Accepted → Ready for checkin |
---|
Based on past efforts (e.g. #34438), it's inaccurate to say that UserCreationForm is intended only for the admin. The addition of the usable_password field to UserCreationForm in #34429 should likely be reverted. This field could be added to a new UserCreationForm subclass in contrib/admin/forms.py.