Hi Claude, > Le 23 avr. 2016 à 00:04, Claude Paroz <[email protected]> a écrit : > > Le vendredi 22 avril 2016 14:25:59 UTC+2, Here's some code, unpolished, but a > base for discussion. > https://github.com/django/django/pull/6494
This patch looks pretty good. I have a few questions, not necessarily because I disagree with your proposal, but to make sure we have considered alternatives. Actually I don't think there's exactly one correct solution here; it's more a matter of tradeoffs. You added a username_validator attribute instead of documenting how to override the whole username field. Can you elaborate on this decision? I simplifies the use case targeted by the patch by introducing a one-off API. As a matter of principle I'm a bit skeptical of such special cases. But I understand the convenience. Normalization happens at the form layer. I'm wondering whether it would be safer to do it at the model layer. That would extend the security hardening to cases where users aren't created with a form — for example if they're created through an API or programmatically. I would keep ASCII usernames as the default because: - this has always been the intent; - allowing non ASCII usernames may result in interoperability problems with other software e.g. if a Django project is used as SSO server; - these interoperability issues might escalate into security vulnerabilities — there isn't a straightforward connection but (1) non ASCII data can be used for breaking out of parsing routines (2) I'm paranoid with anything that manipulates authentication credentials; - I'm afraid this change may result in boilerplate as most custom user models will revert to Django's historical (and in my opinion sensible) username validation rules. Finally, I would add a test to check that a username containing a zero-width space is rejected, just to make sure we never accidentally make it trivial to create usernames that render identically, which this PR aims at preventing. It will be rejected because it won't match \w. Best regards, -- Aymeric. -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/DCD0DA6C-B366-4602-8823-9E51CB054458%40polytechnique.org. For more options, visit https://groups.google.com/d/optout.
