> For testing, Django provides force_login(). This method skips password hashing > and logs a user in for a test. For tests that want a logged in user and do not > care about how the password was verified, this seems like a good choice. > Assuming this was used throughout, would this be sufficient for handling this > performance concern?
I didn't know about that force_login() method. I see that a lot of admin tests have been converted to use it so far which is great but there's still a couple of occurence of login() that looks like they could be converted. > Tests that verify the password hasher will need to run the hash algorithm > regardless. I'm aware of that but this only represents a small fraction of the tests. Le mardi 2 février 2016 13:49:31 UTC-5, Jon Dufresne a écrit : > > On Tue, Feb 2, 2016 at 10:35 AM, charettes <chare...@gmail.com > <javascript:>> wrote: > >> That hasher, being the fastest non-plaintext hasher around, is quite > >> useful > >> when running tests: it allows login checks to be performed much faster. > > > > This argument came up a couple of time in the past and from what I > remember > > the Django test suite itself spends a significant amount of time hashing > > passwords. > > > > I understand that we want to avoid shipping a plaintext password hasher > in > > `django.contrib.auth.hashers` for the sake of not exposing a footgun-API > but > > what if we shipped one in the `django.contrib.auth.test` package > instead? > > > > We could document its use for testing purposes only and would make the > > complete deprecation of unsafe hashers easier. > > For testing, Django provides force_login(). This method skips password > hashing and logs a user in for a test. For tests that want a logged in > user and do not care about how the password was verified, this seems > like a good choice. Assuming this was used throughout, would this be > sufficient for handling this performance concern? > > Tests that verify the password hasher will need to run the hash > algorithm regardless. > > > https://docs.djangoproject.com/en/1.9/topics/testing/tools/#django.test.Client.force_login > > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/38defa26-4380-4890-ba48-bbc822856a72%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
