Do I need to use set_unusable_password() when creating new users in my Django application?
Question
I have an application where users are authenticated using active directory. This means that there is no need to store passwords in our application database. We store each users details such as username etc in a users table in our application database.
I am working on implementing functionality to allow users to be added to the application. I am using a ModelForm to generate the form.
The model form looks like this:
class GeminiUserAccessForm(ModelForm):
class Meta:
model = GeminiUser
fields = ['email', 'is_authorised']
labels = {
'is_authorised': 'Is authorised?'
}
The method in the view to handle requests from the form page:
def manage_user_access_view(request):
template_name = 'gemini_users/manage_access.html'
if request.method == 'POST':
form = GeminiUserAccessForm(request.POST)
if form.is_valid():
new_user = form.save()
pass
else:
form = GeminiUserAccessForm()
return render(request, template_name, {'form': form})
Everything works as expected, a user with the given email and is authorised value is saved to the database. The password is left blank.
Do I also need to use set_unusable_password() before saving the user?
1 answers
solution1
0 ACCPTED 2019-04-30 11:18:46
It'd be good form and security-in-depth, just in case someone enables authentication that looks at the password field for one reason or another.
set_unusable_password() calls make_password(None) , which returns
UNUSABLE_PASSWORD_PREFIX + get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH)
when password is None , ie a password hash that is never considered valid by any of the out-of-the-box hash algorithms.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.