Saturday, May 31, 2014

Re: check_password in contrib auth tries to update the database

Hello Suhrid,

On 30 May 2014, at 15:58, suhridsatyal@proteus-tech.com wrote:
> check_password method of AbstractBaseUser in django.contrib.auth.models tries to update the database.
> This causes problems when this code executes on a read-only slave database.
>
> def check_password(self, raw_password):
>     def setter(raw_password):
>         self.set_password(raw_password)
>         self.save(update_fields=["password"])
>     return check_password(raw_password, self.password, setter)

Yes, this is a feature, which enables upgrading of password hashing. When Django encounters a password that is hashed with an older hash, the setter will be called, which will save the password with the current preferred hash. This can only be done when the raw password is known, which can only happen while Django is checking the password.

I can see how this is an issue in your scenario. A solution I can come up with is to extend this user model[1], where you override only the model's check_password method. The setter parameter to check_password is optional, and if absent it will simply not upgrade passwords. However, the downside of this is, of course, that passwords will not be upgraded if we add better hashers in the future.

[1] https://docs.djangoproject.com/en/dev/topics/auth/customizing/#extending-the-existing-user-model

cheers,
Erik

--
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/36C9DAD5-F4EF-4EF1-AA22-95997FE6FA3B%40solidlinks.nl.
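A runnable stand-in for the mechanism Erik describes, added here as an example and not Django's code or part of the thread: constructed toy hashers and an in-memory user imitate the setter contract of check_password, so the upgrade-on-check write (the UPDATE that fails on a read-only replica) and the override that omits the setter can be compared side by side. Hasher names, iteration count and the User classes are assumptions for illustration only.

```python
import base64
import hashlib
import hmac
import os

PREFERRED = "pbkdf2_sha256"  # constructed: stands in for Django's preferred hasher


def encode(raw, algorithm=PREFERRED, salt=None):
    """Hash a raw password with a toy hasher (constructed, not Django's)."""
    if algorithm == "sha1":  # legacy, unsalted: the kind of hash that triggers an upgrade
        return "sha1$" + hashlib.sha1(raw.encode()).hexdigest()
    salt = salt or base64.b64encode(os.urandom(9)).decode()
    dk = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), 100_000)
    return "%s$%s$%s" % (PREFERRED, salt, base64.b64encode(dk).decode())


def verify(raw, encoded):
    """Re-hash raw with the stored hash's algorithm and salt, compare in constant time."""
    parts = encoded.split("$")
    algorithm, salt = parts[0], (parts[1] if parts[0] != "sha1" else None)
    return hmac.compare_digest(encode(raw, algorithm, salt), encoded)


def check_password(raw, encoded, setter=None):
    """Mirror of the hashers.check_password contract: verify, then call
    setter(raw) only when the stored hash is not the preferred algorithm."""
    ok = verify(raw, encoded)
    if ok and setter is not None and not encoded.startswith(PREFERRED + "$"):
        setter(raw)
    return ok


class User:
    """Default behaviour: a successful check of a legacy hash rewrites the row."""
    def __init__(self, password):
        self.password, self.saves = password, 0

    def set_password(self, raw):
        self.password = encode(raw)

    def save(self, update_fields=None):
        self.saves += 1  # stands in for the UPDATE a read-only replica rejects

    def check_password(self, raw):
        def setter(raw_password):
            self.set_password(raw_password)
            self.save(update_fields=["password"])
        return check_password(raw, self.password, setter)


class ReadOnlyUser(User):
    """Erik's suggestion: override check_password and pass no setter."""
    def check_password(self, raw):
        return check_password(raw, self.password)  # never writes, but never upgrades either
```

The trade-off is visible in the counters: the default user upgrades the legacy hash on the first correct login and writes once, while ReadOnlyUser keeps the sha1 hash forever.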
