Hi all,
I've noticed that both set_password and check_password methods accept
values other than str as parameters. For example I'm able to set password
to boolean values:
In [1]: u.set_password(True)
In [2]: u.save()
In [3]: u.refresh_from_db()
In [4]: u.check_password(True)
Out[4]: True
In [5]: u.check_password('True')
Out[5]: True
What is even weirder, I'm able to set password as Exception class:
In [1]: u.set_password(Exception)
In [2]: u.save()
In [3]: u.refresh_from_db()
In [4]: u.check_password(repr(Exception))
Out[4]: True
and the User instance itself:
In [1]: u.set_password(u)
In [2]: u.save()
In [3]: u.refresh_from_db()
In [4]: u.check_password(u)
Out[4]: True
In [5]: u.check_password(str(u))
Out[5]: True
IMHO this is not correct behaviour especially because Django documentation
implies that these methods accept strings.
set_password(raw_password)
> Sets the user’s password to the given *raw string*, taking care of the
> password hashing. Doesn’t save the User object.
>
> check_password(raw_password)
> Returns True if the given *raw string* is the correct password for the
> user. (This takes care of the password hashing in making the comparison.)
Please let me know if this is reproducible on your side.
Dawid
--
You received this message because you are subscribed to the Google Groups
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/0429a2cd-a16c-429f-98b5-938629073ca5%40googlegroups.com.
