feat: Update the minimum password length. #33373
Conversation
feanil
force-pushed
the
feanil/update_password_length_default
branch
7 times, most recently
from
8d02bfe
to
6ccca3e
Compare
Make them resilient to the default changing where it makes sense.
feanil
force-pushed
the
feanil/update_password_length_default
branch
21 times, most recently
from
35318f1
to
6d851c4
Compare
feanil
force-pushed
the
feanil/update_password_length_default
branch
3 times, most recently
from
ba66223
to
3b5c32b
Compare
feanil
force-pushed
the
feanil/update_password_length_default
branch
from
3b5c32b
to
1e2ea85
Compare
feanil
force-pushed
the
feanil/update_password_length_default
branch
from
65263d4
to
64e91d4
Compare
| @@ -121,6 +121,9 @@ | |||
| # Methods to derive settings | |||
| _make_mako_template_dirs, | |||
| _make_locale_paths, | |||
|
|
|||
| # Password Validator Settings | |||
| AUTH_PASSWORD_VALIDATORS | |||
There was a problem hiding this comment.
Just curious about leaving this setting in if it has no assigned value - should we just remove it?
There was a problem hiding this comment.
This pulls this setting from the LMS so the LMS and CMS have the same setting instead of having a copy over here.
| @@ -121,6 +121,9 @@ | |||
| # Methods to derive settings | |||
| _make_mako_template_dirs, | |||
| _make_locale_paths, | |||
|
|
|||
| # Password Validator Settings | |||
| AUTH_PASSWORD_VALIDATORS | |||
There was a problem hiding this comment.
This is a critical functional change. This will cause the CMS and LMS to have the same password policies by default.
There was a problem hiding this comment.
Thanks @feanil! Should we include this in the PR description? It seems like a key piece of information that could be helpful to have at a glance.
There was a problem hiding this comment.
Updated the description.
| @@ -121,6 +121,9 @@ | |||
| # Methods to derive settings | |||
| _make_mako_template_dirs, | |||
| _make_locale_paths, | |||
|
|
|||
| # Password Validator Settings | |||
| AUTH_PASSWORD_VALIDATORS | |||
There was a problem hiding this comment.
This pulls this setting from the LMS so the LMS and CMS have the same setting instead of having a copy over here.
| @@ -50,7 +50,7 @@ def setUp(self): | |||
| certificate_available_date=datetime.datetime.now(pytz.UTC) | |||
| ) | |||
| self.user = UserFactory.create() | |||
| self.password = 'test' | |||
| self.password = 'Password1234' | |||
There was a problem hiding this comment.
Since this class inherits from ModuleStoreTestCase, could we use TEST_PASSWORD?
| @@ -81,7 +81,7 @@ class Meta: | |||
| model = User | |||
| django_get_or_create = ('email', 'username') | |||
|
|
|||
| _DEFAULT_PASSWORD = 'test' | |||
| _DEFAULT_PASSWORD = 'Password1234' | |||
There was a problem hiding this comment.
Is it possible to reuse the TEST_PASSWORD constant here? It might help in maintaining consistency
There was a problem hiding this comment.
There are a few places, where I think making new accesses to the TEST_PASSWORD variable would result in weird coupling so I left them as is. I agree that we could make further improvements here but I think that what I have done so far is an improvement and good enough for now.
| @@ -28,7 +28,7 @@ def setUp(self): | |||
| self.client = Client() | |||
|
|
|||
| # Create two accounts | |||
| self.password = 'abc' | |||
| self.password = 'Password1234' | |||
There was a problem hiding this comment.
I think we can use the TEST_PASSWORD attribute here
| @@ -29,7 +29,7 @@ def setUp(self): | |||
| self.client = Client() | |||
|
|
|||
| # Create two accounts | |||
| self.password = 'abc' | |||
| self.password = 'Password1234' | |||
There was a problem hiding this comment.
Since this class inherits from ModuleStoreTestCase, can we use the TEST_PASSWORD attribute?
| @@ -21,8 +21,8 @@ class TestCrowdsourceHinter(SharedModuleStoreTestCase, LoginEnrollmentTestCase): | |||
| Create the test environment with the crowdsourcehinter xblock. | |||
| """ | |||
| STUDENTS = [ | |||
| {'email': 'view@test.com', 'password': 'foo'}, | |||
| {'email': 'view2@test.com', 'password': 'foo'} | |||
| {'email': 'view@test.com', 'password': 'Password1234'}, | |||
There was a problem hiding this comment.
Maybe we could reuse the TEST_PASSWORD attribute here for consistency?
| @@ -253,7 +253,7 @@ def setUp(self): | |||
| parent_block.children.append(self.xblock_keys[i]) | |||
| update_block(parent_block) | |||
|
|
|||
| self.password = 'test' | |||
| self.password = 'Password1234' | |||
There was a problem hiding this comment.
same here, I believe we can use TEST_PASSWORD
| @@ -24,7 +24,7 @@ def setUp(self): | |||
| # Create two accounts | |||
| self.student = 'view@test.com' | |||
| self.instructor = 'view2@test.com' | |||
| self.password = 'foo' | |||
| self.password = 'Password1234' | |||
There was a problem hiding this comment.
Since this class inherits from ModuleStoreTestCase, could we use the TEST_PASSWORD attribute?
| @@ -154,7 +154,7 @@ def setUp(self): | |||
| # create a test student | |||
| self.course = CourseFactory.create(display_name=self.COURSE_NAME, number=self.COURSE_SLUG) | |||
| self.student = 'view@test.com' | |||
| self.password = 'foo' | |||
| self.password = 'Password1234' | |||
There was a problem hiding this comment.
Since this class inherits from ModuleStoreTestCase, can we use TEST_PASSWORD?
| @@ -548,7 +548,7 @@ class CourseSubmissionHistoryWithDataTest(TestSubmittingProblems): | |||
| def setUp(self): | |||
| super().setUp() | |||
| self.namespaced_url = 'grades_api:v1:submission_history' | |||
| self.password = 'test' | |||
| self.password = 'Password1234' | |||
There was a problem hiding this comment.
This test case inherits from TestSubmittingProblems, so I believe we can use the TEST_PASSWORDattribute
| @@ -122,8 +122,8 @@ def test_start_new_verification(self): | |||
| Test the case where the user has no pending `PhotoVerificationAttempts`, | |||
There was a problem hiding this comment.
I think it would be better to define 'Password1234' as a single variable and reuse it throughout this file. If not, maybe we can define the attribute in the setup classes for each necessary test case to reduce repetition.
| {'email': 'alice@test.edx.org', 'password': 'Password1234'}, | ||
| {'email': 'bob@test.edx.org', 'password': 'Password1234'}, | ||
| {'email': 'eve@test.edx.org', 'password': 'Password1234'}, |
There was a problem hiding this comment.
How about introducing a variable here to avoid repetition?
There was a problem hiding this comment.
Given how localized all the values are I don't think it's super valuable in this case.
|
Hey @feanil, should we update the password in this mixins file for tests as well? https://github.com/openedx/edx-platform/blob/master/lms/djangoapps/course_api/tests/mixins.py#L11. Do you think it's necessary, or is it fine to leave it as is? I'm wondering why the tests that are using the mixin aren't affected. |
Good catch @magajh it looks like the reason this doesn't fail is because the API endpoints that are being tested don't require authentication so the fact that auth failed doesn't matter. I've updated the password anyway so that it's less confusing. |
Some of the places where we had explicit copies of the password were not necessary so we referece the exsting TEST_PASSWORD variable where possible.
feanil
force-pushed
the
feanil/update_password_length_default
branch
from
9dba83b
to
e3851ab
Compare
|
2U Release Notice: This PR has been deployed to the edX staging environment in preparation for a release to production. |
|
2U Release Notice: This PR has been deployed to the edX production environment. |
1 similar comment
|
2U Release Notice: This PR has been deployed to the edX production environment. |
This changes:
Operational Impact: None
If you have an existing password, this change along will not force you to update it. However if you reset your password or go to change it, you'll have to conform to the new guidelines.
If you would like to force people to update their password, you'll probably want to take a look at the password_policy plugin and its settings.