[1.6.x] Fixed #20675 -- `check_password` should work when no password…

… is specified.

The regression was introduced by 2c4fe76. refs #20593.

Backport of 8759778 from master.
commit 2de0d4c4523ca3d1d6744ba0f22b8ef33bedfa03 1 parent 75041d5
@charettes charettes authored
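--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@@ -22,6 +22,7 @@
 HASHERS = None # lazily loaded from PASSWORD_HASHERS
 PREFERRED_HASHER = None # defaults to first item in PASSWORD_HASHERS
+
 @receiver(setting_changed)
 def reset_hashers(**kwargs):
 if kwargs['setting'] == 'PASSWORD_HASHERS':
@@ -34,7 +35,7 @@ def is_password_usable(encoded):
 if encoded is None or encoded.startswith(UNUSABLE_PASSWORD_PREFIX):
 return False
 try:
- hasher = identify_hasher(encoded)
+ identify_hasher(encoded)
 except ValueError:
 return False
 return True
@@ -48,7 +49,7 @@ def check_password(password, encoded, setter=None, preferred='default'):
 If setter is specified, it'll be called when you need to
 regenerate the password.
 """
- if not is_password_usable(encoded):
+ if password is None or not is_password_usable(encoded):
 return False
 preferred = get_hasher(preferred)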
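Review bot: The new `password is None` guard in check_password changes the function's contract, but the docstring lines visible just above it still describe only `setter`, so a caller cannot tell that a missing password is rejected before any hasher is selected. I would add a docstring sentence such as `Returns False when password is None, without consulting a hasher.` The guard is an identity test, so an empty string still goes on to normal verification; that looks intentional given the reference to #20593, but it is worth stating next to the check, e.g. `# None means no password was supplied; '' is a real password and is verified normally.` The function body continues past the end of this hunk, so the note about what runs after the guard should be confirmed against the full file.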
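--- a/django/contrib/auth/tests/test_hashers.py
+++ b/django/contrib/auth/tests/test_hashers.py
@@ -186,6 +186,13 @@ def test_unusable(self):
 # This might fail one day due to a hash collision.
 self.assertNotEqual(encoded, make_password(None), "Random password collision?")
+ def test_unspecified_password(self):
+ """
+ Makes sure specifying no plain password with a valid encoded password
+ returns `False`.
+ """
+ self.assertFalse(check_password(None, make_password('lètmein')))
+
 def test_bad_algorithm(self):
 with self.assertRaises(ValueError):
 make_password('lètmein', hasher='lolcat')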