Friday, July 1, 2016

Re: AUTH_PASSWORD_VALIDATORS not used when creating new users?

Password validation doesn't run as part of Model.clean(), but Model.save() doesn't run validation (Model.clean()) anyway.

If you're interested, here's the password validation design decisions thread on django-developers: https://groups.google.com/d/topic/django-developers/9GBhgGXmEKs/discussion

On Tuesday, June 28, 2016 at 10:33:13 PM UTC-4, Farhan Khan wrote:
Even when I use User.objects.create_user() I am still not required to use a strong password. Considering that createsuperuser and changepassword are management commands, it seems odd that they require a password that conforms with AUTH_PASSWORD_VALIDATORS there, but not with a function I would use in production code.

On Tuesday, June 28, 2016 at 10:00:06 PM UTC-4, Tim Graham wrote:
Validation happens in the management commands (createsuperuser, changepassword) as well as the user creation forms. We assume that if you're creating a user using the command line, you know what you're doing. If you want to open a documentation ticket, we could add a note about this.

On Monday, June 27, 2016 at 9:29:56 PM UTC-4, Farhan Khan wrote:
Hi all,

I set the AUTH_PASSWORD_VALIDATORS variable to the standard set here: https://docs.djangoproject.com/en/1.9/topics/auth/passwords/#enabling-password-validation. When I use the `createsuperuser` function in manage.py, my password must conform to the validators. But when I use User.objects.create_user() or the user.set_password() methods, the AUTH_PASSWORD_VALIDATORS is not used. I can literally set my password to 'a' and it's accepted.

Is this a bug? It seems like the validators should be used when creating a new user or setting the password.
Is there an alternative method to validate the password prior to creation?

I am using Django 1.9.7

Thanks!
---
Farhan Khan
PGP Fingerprint: 4A78 F071 5CB6 E771 B8D6 3910 F371 FE22 3B20 B21B

