#14354: Check password is not None in User.check_password
----------------------------+-----------------------------------------------
Reporter: berryp | Owner: nobody
Status: new | Milestone:
Component: Authentication | Version: 1.2
Keywords: | Stage: Unreviewed
Has_patch: 0 |
----------------------------+-----------------------------------------------
I recently had an unexpected situation where users with no passwords would
receive an error when trying to login. This is due to the fact that the
User.check_password method does not check for missing passwords before
calling get_hexdigest.
It could be argued that all users should either have a password or an
unusable password "!". However, as I am authenticating against a database
that belongs to another system it is not an option to go and change all
empty passwords to unusable ones. I would not expect authentication to
raise an exception in this occasion.
To get around this problem I simply inserted the following two lines at
the top of the check_password function:
{{{
if self.password is None:
return False
}}}
Additionally, would it not be a good idea to check that the password is
not UNUSABLE_PASSWORD before trying to execute the code that checks the
password? This would be a lot more elegant than executing code that is
ultimately going to fail.
--
Ticket URL: <http://code.djangoproject.com/ticket/14354>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/django-updates?hl=en.
