On 09/07/2015 06:31 PM, Tim Graham wrote:
> The extra complexity of varying validation logic based on DEBUG doesn't
> seem quite right to me, but I guess I won't oppose it if that's the
> consensus.

I'm strongly -1 on anything that automatically turns off password
validation everywhere based on DEBUG, especially if there's no way to
override. Django should always be _very_ cautious about introducing more
automatic variance in behavior between development and production modes.
(Not to mention that I don't think DEBUG should be used as a proxy for
"development vs production" anyway, but that ship sailed a long time
ago.) If people want this behavior, they should do it themselves in
their settings file.

My favorite option is for the createsuperuser command specifically (and
nothing else) to implement password validation as a confirm dialog
rather than a hard block. If your password fails validation, it tells
you how and asks you to confirm that you really want to use that
password. This makes sense to me because the createsuperuser command
(unlike any site web UI) can only ever be used by someone who would also
have the ability to set their password directly via shell if they want.
So it's good to remind them of the validation fail, but there's no
reason to make their life difficult.

> Another option could be this in the generated settings file:
> 
> AUTH_PASSWORD_VALIDATORS = [
>     {
>         'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
>     },
>     ...
> ] if not DEBUG else []
> 
> Of course this depends on whether or not you expect other places like
> the admin's change password form to do validation in debug mode.

I'm -0.5 on this. I don't think varying behavior based on DEBUG is
really something we should push that strongly. People can still do it if
they want, of course.

Carl
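
The confirm-instead-of-block flow proposed above for createsuperuser, as an added sketch that is not part of the original message and not Django's code. The validation rules, prompt text and function names are stand-ins assumed for illustration.

```python
# Added illustration; validators and prompts are stand-ins, not Django's code.
from typing import Callable, List, Optional

MIN_LENGTH = 8  # assumed policy for this sketch
COMMON = {"password", "12345678", "qwertyui"}  # constructed sample list


def validation_errors(password: str, username: str) -> List[str]:
    """Return every reason the password fails the (stand-in) policy."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"This password is too short (minimum {MIN_LENGTH} characters).")
    if password.lower() in COMMON:
        errors.append("This password is too common.")
    if username and username.lower() in password.lower():
        errors.append("The password is too similar to the username.")
    return errors


def choose_password(
    username: str,
    read_password: Callable[[], str],
    read_line: Callable[[str], str],
    write: Callable[[str], None] = print,
    max_attempts: int = 3,
) -> Optional[str]:
    """Prompt until a password passes validation or the operator overrides.

    Validation always runs, independent of any DEBUG-style switch. A failure
    is reported and needs an explicit "y" to proceed; anything else,
    including empty input, re-prompts, so the safe choice is the default.
    """
    for _ in range(max_attempts):
        password = read_password()
        errors = validation_errors(password, username)
        if not errors:
            return password
        for message in errors:
            write(message)
        answer = read_line("Use this password anyway? [y/N]: ")
        if answer.strip().lower() == "y":
            return password
    return None  # caller aborts without setting a password
```

At an interactive terminal this would be called as `choose_password("admin", getpass.getpass, input)`; the injected callables exist so the flow can be tested without a TTY.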
