feat: Update the minimum password length. #33373
Make them resilient to the default changing where it makes sense.
Thanks, @feanil!
@@ -121,6 +121,9 @@ | |||
# Methods to derive settings | |||
_make_mako_template_dirs, | |||
_make_locale_paths, | |||
|
|||
# Password Validator Settings | |||
AUTH_PASSWORD_VALIDATORS |
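Review bot: The `AUTH_PASSWORD_VALIDATORS` name added at the end of this hunk is a behaviour change rather than a cleanup: the CMS stops carrying its own validator list and inherits whatever the LMS settings define, so an operator who had tuned a separate CMS password policy now gets the LMS one without any signal. A comment above the name stating that the sharing is intentional, alongside the existing `# Password Validator Settings` header, would make that explicit to the next person reading the settings, and the same sentence belongs in the PR description.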
Just curious about leaving this setting in if it has no assigned value - should we just remove it?
This pulls this setting from the LMS so the LMS and CMS have the same setting instead of having a copy over here.
@@ -121,6 +121,9 @@ | |||
# Methods to derive settings | |||
_make_mako_template_dirs, | |||
_make_locale_paths, | |||
|
|||
# Password Validator Settings | |||
AUTH_PASSWORD_VALIDATORS |
This is a critical functional change. This will cause the CMS and LMS to have the same password policies by default.
Thanks @feanil! Should we include this in the PR description? It seems like a key piece of information that could be helpful to have at a glance.
Updated the description.
@@ -50,7 +50,7 @@ def setUp(self): | |||
certificate_available_date=datetime.datetime.now(pytz.UTC) | |||
) | |||
self.user = UserFactory.create() | |||
self.password = 'test' | |||
self.password = 'Password1234' |
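Review bot: On the last line of this hunk `self.password` is set to the literal 'Password1234', but the user one line above comes from `UserFactory.create()` with no password argument, so the login in this test only works because the factory's default happens to be the same string. Pointing both at one definition (the `TEST_PASSWORD` attribute the thread suggests, or the factory's own default) would turn a future mismatch into an obvious error instead of a failing login with no hint of the cause.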
Since this class inherits from ModuleStoreTestCase, could we use TEST_PASSWORD?
@@ -81,7 +81,7 @@ class Meta: | |||
model = User | |||
django_get_or_create = ('email', 'username') | |||
|
|||
_DEFAULT_PASSWORD = 'test' | |||
_DEFAULT_PASSWORD = 'Password1234' |
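Review bot: This `_DEFAULT_PASSWORD` is the value every `UserFactory` user receives, so it is the one definition that all the other hunks' 'Password1234' literals must stay equal to. Deriving it from the shared `TEST_PASSWORD` constant, or importing this value where the literals live, leaves a single place to edit the next time the minimum length changes; as written, editing only one side makes the tests that assign the literal themselves fail with an authentication error that says nothing about the real cause.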
Is it possible to reuse the TEST_PASSWORD constant here? It might help in maintaining consistency.
There are a few places where I think making new accesses to the TEST_PASSWORD variable would result in weird coupling, so I left them as is. I agree that we could make further improvements here, but I think that what I have done so far is an improvement and good enough for now.
@@ -28,7 +28,7 @@ def setUp(self): | |||
self.client = Client() | |||
|
|||
# Create two accounts | |||
self.password = 'abc' | |||
self.password = 'Password1234' |
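Review bot: The `# Create two accounts` comment above the changed line shows this one password is shared by two test users, which makes it a natural candidate for the `TEST_PASSWORD` attribute rather than a per-file literal. Replacing 'abc' is needed for the test to log in under the new policy, but the literal is one more copy that has to be kept in step with the factory default and the validator settings.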
I think we can use the TEST_PASSWORD attribute here.
@@ -29,7 +29,7 @@ def setUp(self): | |||
self.client = Client() | |||
|
|||
# Create two accounts | |||
self.password = 'abc' | |||
self.password = 'Password1234' |
Since this class inherits from ModuleStoreTestCase, can we use the TEST_PASSWORD attribute?
@@ -21,8 +21,8 @@ class TestCrowdsourceHinter(SharedModuleStoreTestCase, LoginEnrollmentTestCase): | |||
Create the test environment with the crowdsourcehinter xblock. | |||
""" | |||
STUDENTS = [ | |||
{'email': 'view@test.com', 'password': 'foo'}, | |||
{'email': 'view2@test.com', 'password': 'foo'} | |||
{'email': 'view@test.com', 'password': 'Password1234'}, |
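Review bot: The hunk header declares eight lines on each side but only the `view@test.com` replacement is visible here, so confirm that the `view2@test.com` entry received the same update. Both dicts in `STUDENTS` embed the password literal; a single module-level constant, or the `TEST_PASSWORD` attribute suggested in the thread, would keep the two entries from drifting apart.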
Maybe we could reuse the TEST_PASSWORD attribute here for consistency?
@@ -253,7 +253,7 @@ def setUp(self): | |||
parent_block.children.append(self.xblock_keys[i]) | |||
update_block(parent_block) | |||
|
|||
self.password = 'test' | |||
self.password = 'Password1234' |
Same here, I believe we can use TEST_PASSWORD.
@@ -24,7 +24,7 @@ def setUp(self): | |||
# Create two accounts | |||
self.student = 'view@test.com' | |||
self.instructor = 'view2@test.com' | |||
self.password = 'foo' | |||
self.password = 'Password1234' |
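Review bot: `self.student`, `self.instructor` and `self.password` are set as three bare literals in this hunk, but only the password depends on the validator settings. Taking that one value from `TEST_PASSWORD`, as suggested in the thread, isolates the policy-dependent string while the two e-mail addresses can stay as plain literals.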
Since this class inherits from ModuleStoreTestCase, could we use the TEST_PASSWORD attribute?
@@ -154,7 +154,7 @@ def setUp(self): | |||
# create a test student | |||
self.course = CourseFactory.create(display_name=self.COURSE_NAME, number=self.COURSE_SLUG) | |||
self.student = 'view@test.com' | |||
self.password = 'foo' | |||
self.password = 'Password1234' |
Since this class inherits from ModuleStoreTestCase, can we use TEST_PASSWORD?
@@ -548,7 +548,7 @@ class CourseSubmissionHistoryWithDataTest(TestSubmittingProblems): | |||
def setUp(self): | |||
super().setUp() | |||
self.namespaced_url = 'grades_api:v1:submission_history' | |||
self.password = 'test' | |||
self.password = 'Password1234' |
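Review bot: `CourseSubmissionHistoryWithDataTest` calls `super().setUp()` immediately before overriding `self.password`, so if `TestSubmittingProblems` already sets a password in its own `setUp`, this line is redundant as well as a duplicate literal. Check whether the base class value is sufficient and drop the override if it is; otherwise reference `TEST_PASSWORD` instead of the literal.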
This test case inherits from TestSubmittingProblems, so I believe we can use the TEST_PASSWORD attribute.
@@ -122,8 +122,8 @@ def test_start_new_verification(self): | |||
Test the case where the user has no pending `PhotoVerificationAttempts`, |
I think it would be better to define 'Password1234' as a single variable and reuse it throughout this file. If not, maybe we can define the attribute in the setup classes for each necessary test case to reduce repetition.
{'email': 'alice@test.edx.org', 'password': 'Password1234'}, | ||
{'email': 'bob@test.edx.org', 'password': 'Password1234'}, | ||
{'email': 'eve@test.edx.org', 'password': 'Password1234'}, |
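Review bot: Three consecutive fixture entries carry the same 'Password1234' literal; a single constant at the top of the file would make the next policy change a one-line edit and keeps the alice, bob and eve accounts from silently diverging if one entry is edited later. Sharing one password across test fixtures is fine, but a short comment saying the value is chosen to satisfy the current minimum length would explain why the old short values were replaced.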
How about introducing a variable here to avoid repetition?
Given how localized all the values are I don't think it's super valuable in this case.
Hey @feanil, should we update the password in this mixins file for tests as well? https://github.com/openedx/edx-platform/blob/master/lms/djangoapps/course_api/tests/mixins.py#L11. Do you think it's necessary, or is it fine to leave it as is? I'm wondering why the tests that are using the mixin aren't affected.
Good catch @magajh, it looks like the reason this doesn't fail is that the API endpoints being tested don't require authentication, so the fact that auth failed doesn't matter. I've updated the password anyway so that it's less confusing.
Some of the places where we had explicit copies of the password were not necessary, so we reference the existing TEST_PASSWORD variable where possible.
LGTM!
2U Release Notice: This PR has been deployed to the edX staging environment in preparation for a release to production.
2U Release Notice: This PR has been deployed to the edX production environment.
This changes:
Operational Impact: None
If you have an existing password, this change alone will not force you to update it. However, if you reset your password or go to change it, you'll have to conform to the new guidelines.
If you would like to force people to update their password, you'll probably want to take a look at the password_policy plugin and its settings.