Fixed #20593 -- Allow blank passwords in check_password() and set_password()

2025-08-04 19:08:28 +00:00 · 2013-06-17 18:06:26 +02:00 · 2013-06-17 18:06:26 +02:00 · 2c4fe761a0
commit 2c4fe761a0
parent 3128f3d38d
6 changed files with 106 additions and 6 deletions
--- a/docs/ref/contrib/auth.txt
+++ b/docs/ref/contrib/auth.txt
@ -132,12 +132,28 @@ Methods
        password hashing. Doesn't save the
        :class:`~django.contrib.auth.models.User` object.

+        When the ``raw_password`` is ``None``, the password will be set to an
+        unusable password, as if
+        :meth:`~django.contrib.auth.models.User.set_unusable_password()`
+        were used.
+
+        .. versionchanged:: 1.6
+
+            In Django 1.4 and 1.5, a blank string was unintentionally stored
+            as an unsable password.
+
    .. method:: check_password(raw_password)

        Returns ``True`` if the given raw string is the correct password for
        the user. (This takes care of the password hashing in making the
        comparison.)

+        .. versionchanged:: 1.6
+
+            In Django 1.4 and 1.5, a blank string was unintentionally
+            considered to be an unusable password, resulting in this method
+            returning ``False`` for such a password.
+
    .. method:: set_unusable_password()

        Marks the user as having no password set.  This isn't the same as