I just want to summarize the password handling changes before and after this patch.
before:
- create_user() with empty password or None -> password set to '!' unusable
- set_password() accepts everything
- has_usable_password() returning False for password equal to '!'

after:
- create_user() with password None -> password set to '!' unusable
- set_password() with None -> password set to '!' unusable
- has_usable_password() returning False for password equal to '!' or None

Laurent

On Oct 8, 4:47 pm, Laurent Luce <[email protected]> wrote:
> Thanks for your feedback. I attached a new patch with the following
> changes:
>
> * allow empty string in set_password()
> * has_usable_password() returns false if password is '!' or None
> * add unit test set_password(None)
> * add verbosity option to createsuperuser command + unit test
> * output msg to stdout in createsuperuser command + update unit tests
>
> Let me know if the patch still needs improvement.
>
> Laurent Luce
>
> On Oct 7, 11:17 pm, Russell Keith-Magee <[email protected]> wrote:
> > On Fri, Oct 8, 2010 at 11:28 AM, Laurent Luce <[email protected]> wrote:
> > > I noticed that create_user() is currently setting password to unusable
> > > if it is None or empty. However, set_password() is accepting an empty
> > > password. I decided to follow the first rule in the patch I submitted
> > > but I am kind of confused now. Can someone indicate what we should
> > > accept as a password?
> >
> > An empty string isn't a *good* password, but then neither is a single
> > character or a dictionary word, and we don't reject those. Policy
> > decisions like this aren't the domain of a web framework.
> >
> > I'm sure there are also people using an empty password as the "I don't
> > actually want security" password. Plus, there's a history in the free
> > software community of using empty passwords as a protest [1] :-)
> >
> > We can use None to mark an unusable password. Absent of a good
> > technical reason, I don't see why we should reject empty string.
> >
> > As for the remainder of the patch on #14354 -- on the whole, it looks
> > good. I've put some review comments on the ticket.
> >
> > [1] http://en.wikipedia.org/wiki/Richard_Stallman#Early_years
> >
> > Yours,
> > Russ Magee %-)
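The after-patch rules summarised at the top of this message (None means unusable, '' is an ordinary usable password, has_usable_password() is False for both '!' and None) can be exercised with a small stand-in model. The code below is an added example, not Django's implementation and not part of the patch on #14354: the User class, create_user() factory and the sha256-with-salt storage format are assumptions made here so the semantics can be run offline; Django's own hashers and storage format differ.

```python
import hashlib
import hmac
import os

# Marker the thread refers to for "no usable password" (the '!' value).
UNUSABLE_PASSWORD = "!"


def _make_hash(raw_password, salt):
    # Illustrative scheme only (assumption for this example); Django's real
    # password hashers are not this.
    return hashlib.sha256((salt + raw_password).encode("utf-8")).hexdigest()


class User:
    """Minimal stand-in for the auth User methods discussed in the thread."""

    def __init__(self, username):
        self.username = username
        self.password = None  # None: nothing set yet, treated as unusable

    def set_password(self, raw_password):
        # After the patch: None means "unusable"; '' is hashed like any
        # other string, so an empty password is deliberately accepted.
        if raw_password is None:
            self.set_unusable_password()
            return
        salt = os.urandom(8).hex()
        self.password = "sha256$%s$%s" % (salt, _make_hash(raw_password, salt))

    def set_unusable_password(self):
        self.password = UNUSABLE_PASSWORD

    def has_usable_password(self):
        # After the patch: both '!' and None count as unusable.
        return self.password not in (UNUSABLE_PASSWORD, None)

    def check_password(self, raw_password):
        # An unusable password never verifies, and None never matches
        # anything, so a user with '!' cannot log in with any input.
        if not self.has_usable_password() or raw_password is None:
            return False
        _algo, salt, stored = self.password.split("$", 2)
        return hmac.compare_digest(_make_hash(raw_password, salt), stored)


def create_user(username, password=None):
    """Mirror of the after-patch create_user() rule: None -> unusable."""
    user = User(username)
    user.set_password(password)
    return user


if __name__ == "__main__":
    u = create_user("alice")            # no password given -> '!'
    print(u.password, u.has_usable_password())
    e = create_user("bob", "")          # empty string is stored and checkable
    print(e.has_usable_password(), e.check_password(""))
```

The point worth keeping in view when reading the before/after lists: the distinction is between "no credential exists" (None or '!', which check_password must always reject) and "a credential exists, however weak" ('' included), which is exactly the policy split Russell describes.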
