Fixed #34429 -- Allowed setting unusable passwords for users in the auth forms.

[fsbraun]

ticket-34429

Feature added

This PR introduces a new functionality to the admin change password form: the checkbox (on by default) "Allow login"

If unchecked, the password field disappears and the form sets an unusable password upon submission. The user is warned before.

Tests

Existing tests have been changed to contain the new form field.

A new test was added to test the functionality.

Other effects

This PR adds three new strings which will have to be translated.

[github-actions]

Hello! Thank you for your contribution 💪

As it's your first contribution be sure to check out the patch review checklist.

If you're fixing a ticket from Trac make sure to set the "Has patch" flag and include a link to this PR in the ticket!

If you have any design or process questions then you can ask in the Django forum.

Welcome aboard ⛵️!

[ngnpope]

Thanks for this, I've made some comments.

Please can you update the PR title to match the format in the contributing guidelines:

Fixed #34429 -- Allowed setting unusable password via admin UI.

This will also need documentation changes and release notes adding.

When you've done this you can uncheck Needs documentation and Patch needs improvement on ticket-34429.

[fsbraun]

@ngnpope Thank you for the suggestions! Let me briefly comment and ask one more question:

• Probably we do not need to wait for DOMContentLoaded since the script is loaded as async. It would probably miss the event (which might be fired before it is loaded). I'll remove the event in total.
• Using the hidden property might clash with custom css which might set something like .form-row { display: block } effectively disabling the hidden property. OK, if I stay with style.display? I believe it is more robust.

Will, of course, also make the other changes.

[fsbraun]

One more thing to add: I did use function () { ... } instead of () => { ... } since otherwise this is not defined properly.

[shangxiao]

I have a remark about the wording

Allow login?
If unchecked, the user will not be able to log in.

I think people are going to be confused about what the difference is between this and the active flag on the edit screen:

Active.
Designates whether this user should be treated as active. Unselect this instead of deleting accounts.

Nick I know you requested the addition of ? and I'm not saying it's good or bad but it is now inconsistent with other checkboxes (I'd just leave it off personally) 😛

[shangxiao]

Can anything be done to stop the jumping checkbox? 🤔

moving-checkbox.mov

[shangxiao]

Anyhoo nice work so far fsbraun! 🏆

[fsbraun]

@shangxiao Thanks very much for the comments:

• The jumping can be stopped by putting the warning below the checkbox and above the submit button
• Thanks for pointing out the "active" alternative. Really, an unusable password only prevents login using username and password (as @xi probably also pointed out). I tried to better name those.

[knyghty]

I didn't check locally, but:

I have a feeling that we should add aria-describedby="id_unusable_warning" when the warning is shown. However I'm not sure how that would interact with #16920 - there is still some ongoing discussion here around what to do when aria-describedby has multiple IDs set.

Just from a usability point of view as well, I am concerned that it's not clear to the user that this isn't reversible - that they cannot simply recheck the box after submission to revert to the user's old password.

[xi]

should be gender neutral "their" instead of "his" like in other places

[fsbraun]

Right! I try to pay attention to those things but they still slip through 🤦‍♂️

[fsbraun]

Thanks, everybody, for the constructive feedback. I have updated the PR:

• @knyghty The help text now reads

  Upon submission an unusable password will be set which prevents the user from logging in
  using their username and password. The user's current password will be lost. Potential other
  means of authentication remain unaffected.

• @xi This is gender-neural and clarifies that the current password will be lost

• @knyghty I have moved the warning into the help_text div. This implies that once the form field sets the aria-describedby property, it will include the help text and the warning. No need for two id to be provided to aria-describedby (which would be possible as far as I understand the docs).

[fsbraun]

Is there anything I can do to move this forward?

[felixxm]

@fsbraun Thanks 👍 I left initial comments.

According to the ticket description we should have the same feature when adding a new user:

[felixxm]

Please correct indentation.

[felixxm]

Shouldn't this be initialized with the has_usable_password()?

[felixxm]

Is this needed? Looks unrelated.

[fsbraun]

Yes, it's both needed and related. The password validation can only happen in the form's clean method, since a password is only required or needs to be validated if has_usable_password is True.

[felixxm]

To add more explanation, docstrings should state the expected behavior and omit prefixes like "Tests if" since all tests test things. This guideline is from Python coding style.

[felixxm]

This can be single-lined.

[felixxm]

I'd add a Selenium test to check that layout is changing.

[felixxm]

">" should be outside of {% if ... %}...{% endif %}/

[fsbraun]

Indeed! 🤦‍♂️

[fsbraun]

@felixxm Thank you for your detailed feedback. Indeed, I overlooked that this should also apply to the user add form. This is fixed now:

• Since the change password and user add form are quite different (form with template and an admin form) I have refactored the HTML to avoid repetition and make it usable for both forms (using the <template> tag).
• Indentation has been fixed
• The initial value of usable_password now is has_usable_password()
• I annotated the docs with versionchanged
• Updated the docstrings for the tests
• Added a Selenium test
• Fixed the HTML layout issue (wrongly placed >)

Please let me know if there is anything else I can do!

[fsbraun]

@felixxm Is there anything I can do to get this PR over the finish line? Would you like to take a final look?

[nessita]

I think people are going to be confused about what the difference is between this and the active flag on the edit screen:

I started reviewing this PR and the first think I thought was exactly this. Was there a consideration of being more "honest" with the admin user operating the form, something like:

Label: "Unset the password"
Help text: "Unsetting the password will render the login credentials unusable. The User will no longer be able to log in until a new password is set."

[fsbraun]

@nessita Thanks for taking the time to look through this.

Indeed, the wording has been discussed here (and I also tried to get some input here).

I did consider "Set unusable password" but this would require the user to understand the implications, namely, that the user cannot log in using a username and password. That's the root of the wording.

IMHO, "unsetting" a password could be confused with "set no password". Also, even with an unusable password, you can potentially still log in with a different authentication backend.

Current text:
Allow login with username and password

Help text:
If unchecked, the user will have an unusable password and not be able to log in using their username and any password. (I just realized this had a spelling error)

Warning:
Upon submission, an unusable password will be set which prevents the user from logging in
using their username and password. The user's current password will be lost. Potential other
means of authentication remain unaffected.

I am not hung up on this, but also would like it to be as clear as possible. What's your call?

[nessita]

@nessita Thanks for taking the time to look through this.

Indeed, the wording has been discussed here (and I also tried to get some input here).

I did consider "Set unusable password" but this would require the user to understand the implications, namely, that the user cannot log in using a username and password. That's the root of the wording.

IMHO, "unsetting" a password could be confused with "set no password". Also, even with an unusable password, you can potentially still log in with a different authentication backend.

Current text: Allow login with username and password

My main concern with this sentence is that, given that Django allows the User model to be customized so that the USERNAME_FIELD could be something other than username, like email or something system specific, saying username here would not be a accurate for those cases.

Also, considering that this flow occurs within the context of the admin, I would suggest to be more direct with the admin user and explicitly saying that the password will be set and it will be unususable. Otherwise I can see admin user scratching their head wondering what's the difference with marking a user as inactive.

Help text: If unchecked, the user will have an unusable password and not be able to log in using their username and any password. (I just realized this had a spelling error)

Same concern about saying username, we could say "credentials" as I suggested?

Warning: Upon submission, an unusable password will be set which prevents the user from logging in using their username and password. The user's current password will be lost. Potential other means of authentication remain unaffected.

I would omit "upon submission", I think this is implied from every help text. With that in mind, I would suggest:

An unusable password will be set which prevents the user from logging in until a new password is set. The user's current password will be lost, though other means of authentication (if configured) remain unaffected.

I am not hung up on this, but also would like it to be as clear as possible. What's your call?

I proposed a few alternatives above. The summary would be:

• not saying "username and password" explicitly, and
• being clear about how this action is different from making a user inactive

[nessita]

There is also a potentially awkward user flow when:

1. A user tesuser1 has an unusable password
2. Later on, the admin user goes to this user's change form to set a valid password:
   
3. The admin user is presented with a "change password" form where no password fields are available:
   

I wonder if we should enable the password fields when going from "change the password using "?

[fsbraun]

@nessita Indeed, I initially had the password fields enabled by default. @felixxm requested it differently here: #16942 (comment)

I can revert the change. A third option might be to change the help text if the user does not have a usable password to something like: "Currently this user does not have a usable password. Enable this to set a password for this user".

An update for wording is coming up.

[nessita]

@nessita Indeed, I initially had the password fields enabled by default. @felixxm requested it differently here: #16942 (comment)

Oh, I see. I can understand the goal of having the form properly initialized, but I guess is weird when coming from "no password set". I guess we can proceed as is and then evaluate potential/future ticket reports.

I can revert the change.

No need for now.

A third option might be to change the help text if the user does not have a usable password to something like: "Currently this user does not have a usable password. Enable this to set a password for this user".

I like this proposal. May I suggest:

The current password is not usable, check this option to set a new password for user authentication.

[nessita]

@nessita OK! I just feel not sure how to do that exactly. It might be my limited mastery of git that scares me. (I just clicked update branch on my fork in GitHub, for example. Next time I will run git rebase main.)

Not being sure is completely fine! Also do note that you need to update your main before doing the rebase.

The big advantage for using rebasing (IMHO) is that your commits always end up at the "top of the stack of commits". For example, git rebase <ref> means (I'll handwave a bit, there are tons of articles out there explaining this with more technically correct terms):

• all your commits since <ref> are put aside
• repo is updated with latest changes for <ref> (this is why you need to update main before rebasing)
• the commits are re-played on top of the latest changes

Doing this consistently and often, ensures that your branch history looks like this:

main-hash-1
main-hash-2
...
main-hash-N
your-branch-hash-1
your-branch-hash-2
...
your-branch-hash-M

When newer revnos are landed in main, say revnos main-hash-N+1 and main-hash-N+2, after a rebase your branch looks like this:

main-hash-1
main-hash-2
...
main-hash-N
main-hash-N+1
main-hash-N+2
your-branch-hash-1
your-branch-hash-2
...
your-branch-hash-M

To the contrary, when doing merges from main into your branch, your history starts looking like this:

main-hash-1
main-hash-2
...
main-hash-N
your-branch-hash-1
your-branch-hash-2
...
your-branch-hash-M
your-branch-hash-M+1

The difference is that your-branch-hash-M+1 is a single merge commit of both revnos from main ( main-hash-N+1 and main-hash-N+2 merged into a single commit). So your branch history incorporates newer changes from main but starts diverging quite considerably.

I can go on and on about this, but I figured you could continue the investigation on your own with these pointers.

Isolating the changes to the tests should be easy. There's probably some thinking involved when separating out the mixin.

I agree. I have separated and simplified the test in PR #17729. I removed the testing on both values of password1 because as far as I understood, the fact that password1 would be empty or not was irrelevant for the call:

password_validation.validate_password(password2, self.user)

If I'm missing something here, please let me know.

Out of curiosity, how do you do this? You would need to "undo" all commits while keeping the changes and then redoing the changes in a new order.

What I did was doing multiple interactive rebases. An interactive rebase is a rebase as described above but before replaying the commits from your branch, you get a screen to "interact" with git and instruct it to do things, perhaps differently, with the commits that is about to replay.

Specifically for this PR, which had 76 commits before my work, the rebasing was very painful and slow. It took me almost 2 hours to resolve all the conflicts that were arising after every commit from the 76 pending ones was applied.

I think I got the squash and rebase correct. Will push the result in a few.

[nessita]

One thing that I noticed while rebasing and fixing conflicts is that the adding in various places (tests) of "usable_password": "true" to form data could be removed, since that's the default and I don't think is necessary to set it explicitly in tests that are not relevant to this feature. Let me know if there is a reason to add it!

[nessita]

If you wanna give it a shot to splitting the Mixin into its own commit, this article may help when it comes to finding the necessary git magic incantations.

[fsbraun]

@nessita Is this what you expected?

[nessita]

@nessita Is this what you expected?

Yes, quite close! Could you please adjust the Mixin docstring to not mention the unusable password bit in the first commit? That piece should only be added in the second commit.

[fsbraun]

@nessita There you go!! 😎😃

Thanks to @thibaudcolas for his patient introduction to interactive rebase.

[nessita]

Hey @fsbraun, thanks for your patience. Last week and today I've been working on final tweaks for this PR. I have reviewed logic and tests in detail, making some adjustments to the UI and UX, and adding more tests to ensure proper coverage of changes.

Tomorrow I'll give the docs another pass and hopefully I will approve and merge. 🤞

[nessita]

I believe this is ready for merge, will do so later today after the CI runs complete.