Opened 3 days ago
Last modified 2 days ago
#36711 assigned Bug
createsuperuser in non-interactive mode bypasses AUTH_PASSWORD_VALIDATORS
| Reported by: | stan shaw | Owned by: | stan shaw |
|---|---|---|---|
| Component: | contrib.auth | Version: | 5.2 |
| Severity: | Normal | Keywords: | |
| Cc: | stan shaw, Markus Holtermann, Hasan Ramezani | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Component: django.contrib.auth
Description
The createsuperuser management command behaves inconsistently when running in interactive mode versus non-interactive mode (--noinput).
Interactive Mode: When run interactively, the command correctly prompts for a password and validates it against the AUTH_PASSWORD_VALIDATORS defined in settings.py.
Non-Interactive Mode: When run with --noinput, the command pulls the password from the DJANGO_SUPERUSER_PASSWORD environment variable. However, it fails to run this password through the validators. It passes the password directly to the create_superuser method.
This allows a weak, non-compliant password to be set in automated environments (like CI/CD pipelines, Dockerfiles, or deployment scripts), completely bypassing the project's configured password security policy.
How to Reproduce
Configure Validators: In your project's settings.py, add a strict password validator:
```python
AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
        'OPTIONS': {
            'min_length': 20,  # Set a long minimum length
        },
    },
]
```
Apply Migrations: Ensure the database is set up.
```shell
python manage.py migrate
```
Test Interactive Mode (Works Correctly):
Run the command interactively and try to enter a short password.
```
$ python manage.py createsuperuser
Username: testuser
Email address: test@example.com
Password: 123
Password (again): 123
This password is too short. It must contain at least 20 characters.
Bypass password validation and create user anyway? [y/N]: ...
```
This fails as expected.
Test Non-Interactive Mode (The Bug):
Set the environment variable to the same short, invalid password and run with --noinput.
```shell
export DJANGO_SUPERUSER_PASSWORD="123"
python manage.py createsuperuser --noinput --username admin --email admin@example.com
```
Expected Result
The command should fail with a CommandError stating, "This password is too short."
Actual Result
The command succeeds, and the superuser is created with the non-compliant password "123".
```
Superuser created successfully.
```
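The asymmetry the ticket describes, as an added example that is not part of the ticket, the linked pull request, or Django's own code: a pre-flight check that applies an `AUTH_PASSWORD_VALIDATORS`-shaped policy to the password a `--noinput` run would take from `DJANGO_SUPERUSER_PASSWORD`, so a CI job can refuse to provision a non-compliant superuser before `createsuperuser` ever runs. The two validator classes are constructed stand-ins that mirror the messages of Django's `MinimumLengthValidator` and `NumericPasswordValidator`, and the `VALIDATOR_CLASSES` registry stands in for Django's dotted-path `import_string()` resolution; a real project should call `validate_password()` from `django.contrib.auth.password_validation` instead, so the check uses exactly the validators the interactive prompt uses.

```python
import os
import sys


# Stand-ins for two of Django's built-in validators (constructed for this example;
# messages match the ones the interactive prompt prints for the same failures).
class MinimumLengthValidator:
    def __init__(self, min_length=8):
        self.min_length = min_length

    def validate(self, password):
        if len(password) < self.min_length:
            raise ValueError(
                f"This password is too short. It must contain at least "
                f"{self.min_length} characters."
            )


class NumericPasswordValidator:
    def validate(self, password):
        if password.isdigit():
            raise ValueError("This password is entirely numeric.")


# Django resolves NAME as a dotted import path; this registry keyed on the bare
# class name replaces that resolution so the example runs without Django installed.
VALIDATOR_CLASSES = {
    "MinimumLengthValidator": MinimumLengthValidator,
    "NumericPasswordValidator": NumericPasswordValidator,
}

# Same shape and names as the AUTH_PASSWORD_VALIDATORS setting from the ticket.
EXAMPLE_VALIDATORS = [
    {
        "NAME": "django.contrib.auth.password_validation.MinimumLengthValidator",
        "OPTIONS": {"min_length": 20},
    },
    {"NAME": "django.contrib.auth.password_validation.NumericPasswordValidator"},
]


def load_validators(config):
    """Instantiate each configured validator, passing its OPTIONS as keyword args."""
    validators = []
    for entry in config:
        cls = VALIDATOR_CLASSES[entry["NAME"].rsplit(".", 1)[-1]]
        validators.append(cls(**entry.get("OPTIONS", {})))
    return validators


def password_errors(password, config):
    """Run every validator and collect all messages rather than stopping at the first."""
    errors = []
    for validator in load_validators(config):
        try:
            validator.validate(password)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def check_env_password(env, config, var="DJANGO_SUPERUSER_PASSWORD"):
    """Apply the policy to the environment-supplied password, the way the
    interactive prompt applies it. Returns a list of problems; empty means OK."""
    password = env.get(var)
    if not password:
        return [f"{var} is not set."]
    return password_errors(password, config)


if __name__ == "__main__":
    # Run this before `manage.py createsuperuser --noinput` in a pipeline; a
    # non-zero exit stops the job instead of silently creating a weak account.
    problems = check_env_password(os.environ, EXAMPLE_VALIDATORS)
    for problem in problems:
        print(f"refusing to create superuser: {problem}", file=sys.stderr)
    sys.exit(1 if problems else 0)
```

With the ticket's `DJANGO_SUPERUSER_PASSWORD="123"`, the check reports both the too-short and the entirely-numeric failures and exits non-zero, which is the behaviour the reporter expected from `--noinput` itself.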
Change History (3)
comment:2 by , 3 days ago
I've opened a Pull Request for this ticket on GitHub here: https://github.com/django/django/pull/20062/commits/
This PR includes the necessary fix and corresponding tests, and is now ready for review.
comment:3 by , 2 days ago
| Has patch: | set |
|---|
cc'ing folks from #27801