Loading django/contrib/auth/password_validation.py +23 −7 Original line number Diff line number Diff line Loading @@ -8,6 +8,7 @@ from difflib import SequenceMatcher from django.conf import settings from django.core.exceptions import ImproperlyConfigured, ValidationError from django.utils import lru_cache from django.utils._os import upath from django.utils.encoding import force_text from django.utils.html import format_html from django.utils.module_loading import import_string Loading Loading @@ -47,7 +48,7 @@ def validate_password(password, user=None, password_validators=None): try: validator.validate(password, user) except ValidationError as error: errors += error.messages errors.append(error) if errors: raise ValidationError(errors) Loading Loading @@ -95,8 +96,11 @@ class MinimumLengthValidator(object): def validate(self, password, user=None): if len(password) < self.min_length: msg = _("This password is too short. It must contain at least %(min_length)d characters.") raise ValidationError(msg % {'min_length': self.min_length}) raise ValidationError( _("This password is too short. It must contain at least %(min_length)d characters."), code='password_too_short', params={'min_length': self.min_length}, ) def get_help_text(self): return _("Your password must contain at least %(min_length)d characters.") % {'min_length': self.min_length} Loading Loading @@ -131,7 +135,11 @@ class UserAttributeSimilarityValidator(object): for value_part in value_parts: if SequenceMatcher(a=password.lower(), b=value_part.lower()).quick_ratio() > self.max_similarity: verbose_name = force_text(user._meta.get_field(attribute_name).verbose_name) raise ValidationError(_("The password is too similar to the %s." % verbose_name)) raise ValidationError( _("The password is too similar to the %(verbose_name)s."), code='password_too_similar', params={'verbose_name': verbose_name}, ) def get_help_text(self): return _("Your password can't be too similar to your other personal information.") Loading @@ -145,7 +153,9 @@ class CommonPasswordValidator(object): The list Django ships with contains 1000 common passwords, created by Mark Burnett: https://xato.net/passwords/more-top-worst-passwords/ """ DEFAULT_PASSWORD_LIST_PATH = os.path.dirname(os.path.realpath(__file__)) + '/common-passwords.txt.gz' DEFAULT_PASSWORD_LIST_PATH = os.path.join( os.path.dirname(os.path.realpath(upath(__file__))), 'common-passwords.txt.gz' ) def __init__(self, password_list_path=DEFAULT_PASSWORD_LIST_PATH): try: Loading @@ -156,7 +166,10 @@ class CommonPasswordValidator(object): def validate(self, password, user=None): if password.lower().strip() in self.passwords: raise ValidationError(_("This password is too common.")) raise ValidationError( _("This password is too common."), code='password_too_common', ) def get_help_text(self): return _("Your password can't be a commonly used password.") Loading @@ -168,7 +181,10 @@ class NumericPasswordValidator(object): """ def validate(self, password, user=None): if password.isdigit(): raise ValidationError(_("This password is entirely numeric.")) raise ValidationError( _("This password is entirely numeric."), code='password_entirely_numeric', ) def get_help_text(self): return _("Your password can't be entirely numeric.") docs/ref/settings.txt +4 −4 Original line number Diff line number Diff line Loading @@ -2774,11 +2774,11 @@ AUTH_PASSWORD_VALIDATORS .. versionadded:: 1.9 Default: ``[]`` Default: ``[]`` (Empty list) Sets the validators that are used to check the strength of user's passwords. See :ref:`password-validation` for more details. By default, no validation is performed and all passwords are accepted. The list of validators that are used to check the strength of user's passwords. See :ref:`password-validation` for more details. By default, no validation is performed and all passwords are accepted. .. _settings-messages: Loading docs/releases/1.9.txt +3 −3 Original line number Diff line number Diff line Loading @@ -28,7 +28,7 @@ What's new in Django 1.9 Password validation ~~~~~~~~~~~~~~~~~~~ Django now offers password validation, to help prevent the usage of weak Django now offers password validation to help prevent the usage of weak passwords by users. The validation is integrated in the included password change and reset forms and is simple to integrate in any other code. Validation is performed by one or more validators, configured in the new Loading @@ -36,10 +36,10 @@ Validation is performed by one or more validators, configured in the new Four validators are included in Django, which can enforce a minimum length, compare the password to the user's attributes like their name, ensure passwords aren't entirely numeric or check against an included list of common passwords aren't entirely numeric, or check against an included list of common passwords. You can combine multiple validators, and some validators have custom configuration options. For example, you can choose to provide a custom list of common passwords. Each validator provides a help text to explain their list of common passwords. Each validator provides a help text to explain its requirements to the user. By default, no validation is performed and all passwords are accepted, so if Loading docs/topics/auth/passwords.txt +19 −11 Original line number Diff line number Diff line Loading @@ -242,6 +242,10 @@ from the ``User`` model. Password validation =================== .. module:: django.contrib.auth.password_validation .. versionadded:: 1.9 Users often choose poor passwords. To help mitigate this problem, Django offers pluggable password validation. You can configure multiple password validators at the same time. A few validators are included in Django, but it's Loading @@ -254,14 +258,14 @@ Validators can also have optional settings to fine tune their behavior. Validation is controlled by the :setting:`AUTH_PASSWORD_VALIDATORS` setting. By default, validators are used in the forms to reset or change passwords. The default for setting is an empty list, which means no validators are The default for the setting is an empty list, which means no validators are applied. In new projects created with the default :djadmin:`startproject` template, a simple set of validators is enabled. .. note:: Password validation can prevent the use of many types of weak passwords. However, the fact that a password passes all the validators, doesn't However, the fact that a password passes all the validators doesn't guarantee that it is a strong password. There are many factors that can weaken a password that are not detectable by even the most advanced password validators. Loading Loading @@ -344,7 +348,7 @@ Django includes four validators: `Mark Burnett <https://xato.net/passwords/more-top-worst-passwords/>`_. The ``password_list_path`` can be set to the path of a custom file of common passwords. This file should contain one password per line, and common passwords. This file should contain one password per line and may be plain text or gzipped. .. class:: NumericPasswordValidator() Loading @@ -354,8 +358,6 @@ Django includes four validators: Integrating validation ----------------------- .. module:: django.contrib.auth.password_validation There are a few functions in ``django.contrib.auth.password_validation`` that you can call from your own forms or other code to integrate password validation. This can be useful if you use custom forms for password setting, Loading @@ -368,14 +370,14 @@ or if you have API calls that allow passwords to be set, for example. :exc:`~django.core.exceptions.ValidationError` with all the error messages from the validators. The user object is optional: if it's not provided, some validators may not be able to perform any validation and will accept any password. The ``user`` object is optional: if it's not provided, some validators may not be able to perform any validation and will accept any password. .. function:: password_changed(password, user=None, password_validators=None) Informs all validators that the password has been changed. This can be used by some validators, e.g. a validator that prevents password reuse. This should be called once the password has been successfully changed. by validators such as one that prevents password reuse. This should be called once the password has been successfully changed. .. function:: password_validators_help_texts(password_validators=None) Loading Loading @@ -440,11 +442,17 @@ Here's a basic example of a validator, with one optional setting:: def validate(self, password, user=None): if len(password) < self.min_length: raise ValidationError(_("This password is too short.")) raise ValidationError( _("This password must contain at least %(min_length)d characters."), code='password_too_short', params={'min_length': self.min_length}, ) def get_help_text(self): return _("Your password must contain at least %(min_length)d characters.") return _( "Your password must contain at least %(min_length)d characters." % {'min_length': self.min_length} ) You can also implement ``password_changed(password, user=None``), which will be called after a successful password change. That can be used to prevent Loading tests/auth_tests/test_forms.py +5 −2 Original line number Diff line number Diff line Loading @@ -278,8 +278,11 @@ class SetPasswordFormTest(TestDataMixin, TestCase): form = SetPasswordForm(user, data) self.assertFalse(form.is_valid()) self.assertEqual(len(form["new_password2"].errors), 2) self.assertTrue('The password is too similar to the username.' in form["new_password2"].errors) self.assertTrue('This password is too short. It must contain at least 12 characters.' in form["new_password2"].errors) self.assertIn('The password is too similar to the username.', form["new_password2"].errors) self.assertIn( 'This password is too short. It must contain at least 12 characters.', form["new_password2"].errors ) @override_settings(USE_TZ=False, PASSWORD_HASHERS=['django.contrib.auth.hashers.SHA1PasswordHasher']) Loading Loading
django/contrib/auth/password_validation.py +23 −7 Original line number Diff line number Diff line Loading @@ -8,6 +8,7 @@ from difflib import SequenceMatcher from django.conf import settings from django.core.exceptions import ImproperlyConfigured, ValidationError from django.utils import lru_cache from django.utils._os import upath from django.utils.encoding import force_text from django.utils.html import format_html from django.utils.module_loading import import_string Loading Loading @@ -47,7 +48,7 @@ def validate_password(password, user=None, password_validators=None): try: validator.validate(password, user) except ValidationError as error: errors += error.messages errors.append(error) if errors: raise ValidationError(errors) Loading Loading @@ -95,8 +96,11 @@ class MinimumLengthValidator(object): def validate(self, password, user=None): if len(password) < self.min_length: msg = _("This password is too short. It must contain at least %(min_length)d characters.") raise ValidationError(msg % {'min_length': self.min_length}) raise ValidationError( _("This password is too short. It must contain at least %(min_length)d characters."), code='password_too_short', params={'min_length': self.min_length}, ) def get_help_text(self): return _("Your password must contain at least %(min_length)d characters.") % {'min_length': self.min_length} Loading Loading @@ -131,7 +135,11 @@ class UserAttributeSimilarityValidator(object): for value_part in value_parts: if SequenceMatcher(a=password.lower(), b=value_part.lower()).quick_ratio() > self.max_similarity: verbose_name = force_text(user._meta.get_field(attribute_name).verbose_name) raise ValidationError(_("The password is too similar to the %s." % verbose_name)) raise ValidationError( _("The password is too similar to the %(verbose_name)s."), code='password_too_similar', params={'verbose_name': verbose_name}, ) def get_help_text(self): return _("Your password can't be too similar to your other personal information.") Loading @@ -145,7 +153,9 @@ class CommonPasswordValidator(object): The list Django ships with contains 1000 common passwords, created by Mark Burnett: https://xato.net/passwords/more-top-worst-passwords/ """ DEFAULT_PASSWORD_LIST_PATH = os.path.dirname(os.path.realpath(__file__)) + '/common-passwords.txt.gz' DEFAULT_PASSWORD_LIST_PATH = os.path.join( os.path.dirname(os.path.realpath(upath(__file__))), 'common-passwords.txt.gz' ) def __init__(self, password_list_path=DEFAULT_PASSWORD_LIST_PATH): try: Loading @@ -156,7 +166,10 @@ class CommonPasswordValidator(object): def validate(self, password, user=None): if password.lower().strip() in self.passwords: raise ValidationError(_("This password is too common.")) raise ValidationError( _("This password is too common."), code='password_too_common', ) def get_help_text(self): return _("Your password can't be a commonly used password.") Loading @@ -168,7 +181,10 @@ class NumericPasswordValidator(object): """ def validate(self, password, user=None): if password.isdigit(): raise ValidationError(_("This password is entirely numeric.")) raise ValidationError( _("This password is entirely numeric."), code='password_entirely_numeric', ) def get_help_text(self): return _("Your password can't be entirely numeric.")
docs/ref/settings.txt +4 −4 Original line number Diff line number Diff line Loading @@ -2774,11 +2774,11 @@ AUTH_PASSWORD_VALIDATORS .. versionadded:: 1.9 Default: ``[]`` Default: ``[]`` (Empty list) Sets the validators that are used to check the strength of user's passwords. See :ref:`password-validation` for more details. By default, no validation is performed and all passwords are accepted. The list of validators that are used to check the strength of user's passwords. See :ref:`password-validation` for more details. By default, no validation is performed and all passwords are accepted. .. _settings-messages: Loading
docs/releases/1.9.txt +3 −3 Original line number Diff line number Diff line Loading @@ -28,7 +28,7 @@ What's new in Django 1.9 Password validation ~~~~~~~~~~~~~~~~~~~ Django now offers password validation, to help prevent the usage of weak Django now offers password validation to help prevent the usage of weak passwords by users. The validation is integrated in the included password change and reset forms and is simple to integrate in any other code. Validation is performed by one or more validators, configured in the new Loading @@ -36,10 +36,10 @@ Validation is performed by one or more validators, configured in the new Four validators are included in Django, which can enforce a minimum length, compare the password to the user's attributes like their name, ensure passwords aren't entirely numeric or check against an included list of common passwords aren't entirely numeric, or check against an included list of common passwords. You can combine multiple validators, and some validators have custom configuration options. For example, you can choose to provide a custom list of common passwords. Each validator provides a help text to explain their list of common passwords. Each validator provides a help text to explain its requirements to the user. By default, no validation is performed and all passwords are accepted, so if Loading
docs/topics/auth/passwords.txt +19 −11 Original line number Diff line number Diff line Loading @@ -242,6 +242,10 @@ from the ``User`` model. Password validation =================== .. module:: django.contrib.auth.password_validation .. versionadded:: 1.9 Users often choose poor passwords. To help mitigate this problem, Django offers pluggable password validation. You can configure multiple password validators at the same time. A few validators are included in Django, but it's Loading @@ -254,14 +258,14 @@ Validators can also have optional settings to fine tune their behavior. Validation is controlled by the :setting:`AUTH_PASSWORD_VALIDATORS` setting. By default, validators are used in the forms to reset or change passwords. The default for setting is an empty list, which means no validators are The default for the setting is an empty list, which means no validators are applied. In new projects created with the default :djadmin:`startproject` template, a simple set of validators is enabled. .. note:: Password validation can prevent the use of many types of weak passwords. However, the fact that a password passes all the validators, doesn't However, the fact that a password passes all the validators doesn't guarantee that it is a strong password. There are many factors that can weaken a password that are not detectable by even the most advanced password validators. Loading Loading @@ -344,7 +348,7 @@ Django includes four validators: `Mark Burnett <https://xato.net/passwords/more-top-worst-passwords/>`_. The ``password_list_path`` can be set to the path of a custom file of common passwords. This file should contain one password per line, and common passwords. This file should contain one password per line and may be plain text or gzipped. .. class:: NumericPasswordValidator() Loading @@ -354,8 +358,6 @@ Django includes four validators: Integrating validation ----------------------- .. module:: django.contrib.auth.password_validation There are a few functions in ``django.contrib.auth.password_validation`` that you can call from your own forms or other code to integrate password validation. This can be useful if you use custom forms for password setting, Loading @@ -368,14 +370,14 @@ or if you have API calls that allow passwords to be set, for example. :exc:`~django.core.exceptions.ValidationError` with all the error messages from the validators. The user object is optional: if it's not provided, some validators may not be able to perform any validation and will accept any password. The ``user`` object is optional: if it's not provided, some validators may not be able to perform any validation and will accept any password. .. function:: password_changed(password, user=None, password_validators=None) Informs all validators that the password has been changed. This can be used by some validators, e.g. a validator that prevents password reuse. This should be called once the password has been successfully changed. by validators such as one that prevents password reuse. This should be called once the password has been successfully changed. .. function:: password_validators_help_texts(password_validators=None) Loading Loading @@ -440,11 +442,17 @@ Here's a basic example of a validator, with one optional setting:: def validate(self, password, user=None): if len(password) < self.min_length: raise ValidationError(_("This password is too short.")) raise ValidationError( _("This password must contain at least %(min_length)d characters."), code='password_too_short', params={'min_length': self.min_length}, ) def get_help_text(self): return _("Your password must contain at least %(min_length)d characters.") return _( "Your password must contain at least %(min_length)d characters." % {'min_length': self.min_length} ) You can also implement ``password_changed(password, user=None``), which will be called after a successful password change. That can be used to prevent Loading
tests/auth_tests/test_forms.py +5 −2 Original line number Diff line number Diff line Loading @@ -278,8 +278,11 @@ class SetPasswordFormTest(TestDataMixin, TestCase): form = SetPasswordForm(user, data) self.assertFalse(form.is_valid()) self.assertEqual(len(form["new_password2"].errors), 2) self.assertTrue('The password is too similar to the username.' in form["new_password2"].errors) self.assertTrue('This password is too short. It must contain at least 12 characters.' in form["new_password2"].errors) self.assertIn('The password is too similar to the username.', form["new_password2"].errors) self.assertIn( 'This password is too short. It must contain at least 12 characters.', form["new_password2"].errors ) @override_settings(USE_TZ=False, PASSWORD_HASHERS=['django.contrib.auth.hashers.SHA1PasswordHasher']) Loading
