The extra complexity of varying validation logic based on DEBUG doesn't 
seem quite right to me, but I guess I won't oppose it if that's the 
consensus.

Another option could be this in the generated settings file:

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    ...
] if not DEBUG else []

Of course this depends on whether or not you expect other places like the 
admin's change password form to do validation in debug mode.

On Monday, September 7, 2015 at 8:09:00 PM UTC-4, Aron Podrigal wrote:
>
> I started using django-classy-settings and it works very well for me.
> On Sep 7, 2015 8:04 PM, "Josh Smeaton" <[email protected]> wrote:
>
>> I don't think removing the default list from the template is the right 
>> idea. We'd be sacrificing some production users that don't go through 
>> security options on deployment checklists to better support development 
>> environments where the security issue (probably) isn't present. I do think 
>> we need some kind of solution though, because I don't want these validators 
>> in development either. Personally, I have no issue with adding a SETTING=[] 
>> to my local_settings. It would be nicer to drive a solution based on DEBUG 
>> though.
>>
>> Cheers
>>
>>
>> On Tuesday, 8 September 2015 09:26:36 UTC+10, Tim Graham wrote:
>>>
>>> I think the simplest solution could be to remove the default list of 
>>> AUTH_PASSWORD_VALIDATORS that have been added to the project template 
>>> settings file and let the user add it to their own production settings 
>>> instead. Do you think this reduces the usefulness of the feature? We could 
>>> add a deployment check for an empty AUTH_PASSWORD_VALIDATORS as an 
>>> alternate way of encouraging its use.
>>>
>>> On Monday, September 7, 2015 at 5:40:58 PM UTC-4, Aron Podrigal wrote:
>>>>
>>>> +1
>>>> On Sep 7, 2015 4:56 PM, "Shai Berger" <[email protected]> wrote:
>>>>
>>>>> On Monday 07 September 2015 20:09:06 Marc Tamlyn wrote:
>>>>> > I agree with Aymeric and Markus that createsuperuser should not
>>>>> > validate strength of passwords when DEBUG is on. Having to use a
>>>>> > secure password for development/test accounts is an unnecessary
>>>>> > level of interference for users.
>>>>> >
>>>>> > I agree it's safer to prevent using admin/admin in production and
>>>>> > this is a good thing, but there's no reason to prevent this for
>>>>> > development. In fact, I'd argue enforcing it for development will
>>>>> > encourage teams to have a "standard" secure password for their
>>>>> > sites, which is also used in production. By allowing admin/admin in
>>>>> > development, and enforcing something better in production we are
>>>>> > more helpfully enforcing best practice.
>>>>> >
>>>>> +1.
>>>>>
>>>>> Shai.
>>>>>
>>>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Django developers (Contributions to Django itself)" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/django-developers.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/django-developers/1aba1352-89ba-4cfe-a789-77430c504026%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
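
The deployment check for an empty AUTH_PASSWORD_VALIDATORS suggested in the quoted thread could look like the following. This is an added example, not part of the original thread and not Django's own code; the check id "myproject.W001" and the function names are hypothetical, and the missing-'NAME' test goes beyond the empty-list case discussed.

```python
# Added example, not Django's own code. The id and function names are hypothetical.
CHECK_ID = "myproject.W001"


def find_validator_problems(validators):
    """Return a list of problems found in an AUTH_PASSWORD_VALIDATORS value."""
    if not validators:
        # Covers both a missing setting (None) and the `... if not DEBUG else []`
        # form from the thread when DEBUG is left on.
        return ["AUTH_PASSWORD_VALIDATORS is empty; passwords are not validated."]
    problems = []
    for index, entry in enumerate(validators):
        # Each entry is a dict with a dotted-path 'NAME', as in the settings template.
        if not isinstance(entry, dict) or not entry.get("NAME"):
            problems.append("AUTH_PASSWORD_VALIDATORS[%d] has no 'NAME'." % index)
    return problems


try:
    from django.conf import settings
    from django.core import checks
except ImportError:
    # Lets find_validator_problems() be exercised on a machine without Django.
    checks = None

if checks is not None:
    @checks.register(checks.Tags.security, deploy=True)
    def check_password_validators(app_configs, **kwargs):
        # deploy=True: the check runs only under `manage.py check --deploy`,
        # so a development settings file with an empty list stays quiet.
        value = getattr(settings, "AUTH_PASSWORD_VALIDATORS", None)
        return [
            checks.Warning(
                message,
                hint="Configure password validators in production settings.",
                id=CHECK_ID,
            )
            for message in find_validator_problems(value)
        ]
```

The check reports a warning rather than an error, so a project that deliberately runs without validators can silence it through SILENCED_SYSTEM_CHECKS.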
