On 09/07/2015 06:31 PM, Tim Graham wrote:
> The extra complexity of varying validation logic based on DEBUG doesn't
> seem quite right to me, but I guess I won't oppose it if that's the
> consensus.

I'm strongly -1 on anything that automatically turns off password validation everywhere based on DEBUG, especially if there's no way to override. Django should always be _very_ cautious about introducing more automatic variance in behavior between development and production modes. (Not to mention that I don't think DEBUG should be used as a proxy for "development vs production" anyway, but that ship sailed a long time ago.) If people want this behavior, they should do it themselves in their settings file.

My favorite option is for the createsuperuser command specifically (and nothing else) to implement password validation as a confirm dialog rather than a hard block. If your password fails validation, it tells you how and asks you to confirm that you really want to use that password. This makes sense to me because the createsuperuser command (unlike any site web UI) can only ever be used by someone who would also have the ability to set their password directly via shell if they want. So it's good to remind them of the validation fail, but there's no reason to make their life difficult.

> Another option could be this in the generated settings file:
>
> AUTH_PASSWORD_VALIDATORS = [
>     {
>         'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
>     },
>     ...
> ] if not DEBUG else []
>
> Of course this depends on whether or not you expect other places like
> the admin's change password form to do validation in debug mode.

I'm -0.5 on this. I don't think varying behavior based on DEBUG is really something we should push that strongly. People can still do it if they want, of course.

Carl
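
The confirm-instead-of-block behaviour proposed in the message above, sketched as an added example (not part of the original message and not Django's code). The validators are simplified stand-ins for those listed in AUTH_PASSWORD_VALIDATORS; `choose_password`, `set_password_from_form` and the sample word list are hypothetical names.

```python
# Added example: stand-in validators, not Django's password_validation API.
COMMON = {"password", "123456", "qwerty"}  # constructed sample list

def min_length(pw, user):
    if len(pw) < 8:
        return "This password is too short (minimum 8 characters)."

def not_common(pw, user):
    if pw.lower() in COMMON:
        return "This password is too common."

def not_similar_to_username(pw, user):
    if user and user.lower() in pw.lower():
        return "This password is too similar to the username."

VALIDATORS = [min_length, not_common, not_similar_to_username]

def validation_errors(pw, user):
    """Return every validator message that applies (empty list = valid)."""
    return [m for m in (v(pw, user) for v in VALIDATORS) if m]

def choose_password(user, read_password, confirm, out=print, max_tries=3):
    """createsuperuser-style prompt: a failed validation is reported and
    the operator must explicitly confirm before the password is accepted.
    Returns (password, overridden), or (None, False) if none is chosen."""
    for _ in range(max_tries):
        pw = read_password()
        errors = validation_errors(pw, user)
        if not errors:
            return pw, False
        for msg in errors:
            out(msg)
        # Default is "no": anything other than an explicit y re-prompts.
        if confirm("Use this password anyway? [y/N] ").strip().lower() == "y":
            return pw, True
    return None, False

def set_password_from_form(pw, user):
    """Web-facing path: validation stays a hard block, no override."""
    errors = validation_errors(pw, user)
    if errors:
        raise ValueError(errors)
    return pw

if __name__ == "__main__":
    import getpass
    print(choose_password("admin", lambda: getpass.getpass("Password: "), input))
```

Returning the `overridden` flag lets the caller log that a validator failure was knowingly bypassed at the command line.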