#15371: createsuperuser with --noinput creates users with empty password
------------------------------------------+---------------------------------
               Reporter:  yishaibeeri     |         Owner:  nobody
                 Status:  new             |     Milestone:  1.3
              Component:  Authentication  |       Version:  SVN
             Resolution:                  |      Keywords:  createsuperuser blocker
           Triage Stage:  Accepted        |     Has patch:  1
    Needs documentation:  0               |   Needs tests:  0
Patch needs improvement:  0               |
------------------------------------------+---------------------------------

Comment (by anonymous):

 Replying to [comment:1 russellm]:
 > As was discussed at the time, there's no particular reason to reject ""
 > (empty string) as a password -- in fact, that very point is made in the
 > mailing list thread you reference.

 I agree - explicitly setting an empty password should be allowed.
 However, currently in createsuperuser the empty password is created
 implicitly, as there is no way to provide a password in --noinput mode.

 I see three options (maybe more that I'm missing):

  1. Allow empty passwords, but have createsuperuser create users with
     UNUSABLE_PASSWORD when run in --noinput mode - as documented in the usage
     string (this is the current patch).
  2. Add the option to provide a password (including the empty one) to the
     createsuperuser command line. If not provided, fall back to the behavior
     in (1) above. I think this would be a useful addition - but perhaps there
     is good reason this option was not added to createsuperuser?
  3. Keep the current behavior (default to empty password) - in which case
     the patch is simply to fix the usage string. I find this the most
     problematic solution - as it gives no way to automatically create a
     superuser with any kind of secure password. This would force users to
     write their custom script or management command that additionally (re)sets
     the password.

 >
 > Accepting, but with a different patch required.

 I'll be happy to write one - which of the above should it be? Or yet
 something else?

 >
 > It's also a blocker, because this is a recent change that requires
 > tweaking.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/15371#comment:3>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
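
An audit for the failure mode this ticket describes, as an added example that is not part of the original message or of Django's code: it flags stored password values that are a salted hash of the empty string and separates them from unusable-password markers. The `sha1$salt$hash` and `pbkdf2_sha256$iterations$salt$hash` layouts and the `!` marker are assumptions about the storage format, all function names are hypothetical, and the sample rows are constructed.

```python
import base64
import hashlib

UNUSABLE_MARKER = "!"  # assumption: unusable passwords are stored with a leading "!"


def empty_password_hash(algorithm, params):
    """Hash the empty string with one stored value's own parameters, or return None."""
    if algorithm == "sha1" and len(params) == 1:
        return hashlib.sha1(params[0].encode()).hexdigest()  # sha1(salt + "")
    if algorithm == "pbkdf2_sha256" and len(params) == 2:
        raw = hashlib.pbkdf2_hmac("sha256", b"", params[1].encode(), int(params[0]))
        return base64.b64encode(raw).decode()
    return None


def classify(encoded):
    """Return 'unusable', 'empty', 'set' or 'unrecognized' for a stored password value."""
    if encoded.startswith(UNUSABLE_MARKER):
        return "unusable"
    algorithm, *rest = encoded.split("$")
    if not rest:
        return "unrecognized"
    *params, stored = rest
    try:
        expected = empty_password_hash(algorithm, params)
    except (ValueError, OverflowError):
        expected = None  # malformed iteration count
    if expected is None:
        return "unrecognized"
    return "empty" if expected == stored else "set"


def accounts_with_empty_password(rows):
    """rows: iterable of (username, stored password value) pairs."""
    return [name for name, encoded in rows if classify(encoded) == "empty"]


def sha1_encode(password, salt):
    """Build a constructed sample value in the assumed sha1$salt$hash layout."""
    return "sha1$%s$%s" % (salt, hashlib.sha1((salt + password).encode()).hexdigest())


# Constructed sample rows, not taken from any real database.
SAMPLE_ROWS = [
    ("admin", sha1_encode("", "a1b2c")),              # the case the ticket describes
    ("deploy", UNUSABLE_MARKER),                      # what option 1 would store
    ("alice", sha1_encode("correct horse", "9f8e7")),
]
```

Calling `accounts_with_empty_password(SAMPLE_ROWS)` returns only `admin`; the `deploy` row is reported as unusable rather than empty.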
