id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36711	Make createsuperuser in non-interactive mode observe AUTH_PASSWORD_VALIDATORS	stan shaw	stan shaw	"'''Component:''' django.contrib.auth

== Description ==
The createsuperuser management command behaves inconsistently when running in interactive mode versus non-interactive mode (--noinput).

'''Interactive Mode:''' When run interactively, the command correctly prompts for a password and validates it against the AUTH_PASSWORD_VALIDATORS defined in settings.py.

'''Non-Interactive Mode:''' When run with --noinput, the command pulls the password from the DJANGO_SUPERUSER_PASSWORD environment variable. However, it '''fails to run this password through the validators'''. It passes the password directly to the create_superuser method.

This allows a weak, non-compliant password to be set in automated environments (like CI/CD pipelines, Dockerfiles, or deployment scripts), completely bypassing the project's configured password security policy.

== How to Reproduce ==

'''Configure Validators:''' In your project's settings.py, add a strict password validator:
{{{#!python
AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
        'OPTIONS': {
            'min_length': 20,  # Set a long minimum length
        }
    },
]
}}}

'''Apply Migrations:''' Ensure the database is set up.
{{{#!bash
python manage.py migrate
}}}

'''Test Interactive Mode (Works Correctly):'''
Run the command interactively and try to enter a short password.
{{{#!bash
$ python manage.py createsuperuser
Username: testuser
Email address: test@example.com
Password: 123
Password (again): 123
This password is too short. It must contain at least 20 characters.
Bypass password validation and create user anyway? [y/N]:
...
}}}
This fails as expected.

'''Test Non-Interactive Mode (The Bug):'''
Set the environment variable to the same short, invalid password and run with --noinput.
{{{#!bash
export DJANGO_SUPERUSER_PASSWORD=""123""
python manage.py createsuperuser --noinput --username admin --email admin@example.com
}}}

== Expected Result ==
The command should fail with a CommandError stating, ""This password is too short.""

== Actual Result ==
The command succeeds, and the superuser is created with the non-compliant password ""123"".
{{{
Superuser created successfully.
}}}"	New feature	closed	contrib.auth	5.2	Normal	wontfix		stan shaw Markus Holtermann Hasan Ramezani	Unreviewed	1	0	0	0	0	0
