Hi Claude,

> Le 23 avr. 2016 à 00:04, Claude Paroz <[email protected]> a écrit :
> 
> Le vendredi 22 avril 2016 14:25:59 UTC+2, Here's some code, unpolished, but a 
> base for discussion.
> https://github.com/django/django/pull/6494

This patch looks pretty good. I have a few questions, not necessarily because I 
disagree with your proposal, but to make sure we have considered alternatives. 
Actually I don't think there's exactly one correct solution here; it's more a 
matter of tradeoffs.

You added a username_validator attribute instead of documenting how to override 
the whole username field. Can you elaborate on this decision? I simplifies the 
use case targeted by the patch by introducing a one-off API. As a matter of 
principle I'm a bit skeptical of such special cases. But I understand the 
convenience.

Normalization happens at the form layer. I'm wondering whether it would be 
safer to do it at the model layer. That would extend the security hardening to 
cases where users aren't created with a form — for example if they're created 
through an API or programmatically.

I would keep ASCII usernames as the default because:

- this has always been the intent;
- allowing non ASCII usernames may result in interoperability problems with 
other software e.g. if a Django project is used as SSO server;
- these interoperability issues might escalate into security vulnerabilities — 
there isn't a straightforward connection but (1) non ASCII data can be used for 
breaking out of parsing routines (2) I'm paranoid with anything that 
manipulates authentication credentials;
- I'm afraid this change may result in boilerplate as most custom user models 
will revert to Django's historical (and in my opinion sensible) username 
validation rules.

Finally, I would add a test to check that a username containing a zero-width 
space is rejected, just to make sure we never accidentally make it trivial to 
create usernames that render identically, which this PR aims at preventing. It 
will be rejected because it won't match \w.

Best regards,

-- 
Aymeric.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/DCD0DA6C-B366-4602-8823-9E51CB054458%40polytechnique.org.
For more options, visit https://groups.google.com/d/optout.

Reply via email to