Fixed #28718 -- Allowed user to request a password reset if their password doesn't use an enabled hasher.

Regression in aeb1389442. Reverted changes to is_password_usable() from 703c266682 and documentation changes from 92f48680db.
2025-08-04 10:59:45 +00:00 · 2018-03-20 17:19:27 -04:00 · 2018-03-20 17:19:27 -04:00 · a4f0e9aec7
commit a4f0e9aec7
parent d97cce3409
7 changed files with 50 additions and 19 deletions
--- a/docs/topics/auth/passwords.txt
+++ b/docs/topics/auth/passwords.txt
@ -409,8 +409,16 @@ from the ``User`` model.

 .. function:: is_password_usable(encoded_password)

-   Checks if the given string is a hashed password that has a chance
-   of being verified against :func:`check_password`.
+    Returns ``False`` if the password is a result of
+    :meth:`.User.set_unusable_password`.
+
+    .. versionchanged:: 2.1
+
+        In older versions, this also returns ``False`` if the password is
+        ``None`` or an empty string, or if the password uses a hasher that's
+        not in the :setting:`PASSWORD_HASHERS` setting. That behavior is
+        considered a bug as it prevents users with such passwords from
+        requesting a password reset.

 .. _password-validation: