tarak / django-password-policies Goto Github PK

In the entropy validator you divide the password entropy by the ideal entropy based on the string length. However in it's method ideal_entropy you take math.log(1/length), which for a length of 1 is equal to zero. This leads to division by zero.

Hi
with django 1.9, an error occured when setting-up the application.

File "XXX/lib/python3.5/site-packages/password_policies/urls.py", line 3, in
from password_policies.views import PasswordChangeFormView
File "XXX/lib/python3.5/site-packages/password_policies/views.py", line 19, in
from password_policies.forms import PasswordPoliciesForm
File "XXX/lib/python3.5/site-packages/password_policies/forms/init.py", line 8, in
from django.contrib.sites.models import get_current_site
ImportError: cannot import name 'get_current_site

In Django Deprecation Timeline
https://docs.djangoproject.com/es/1.9/internals/deprecation/#deprecation-removed-in-1-9
there is the reason
"RequestSite and get_current_site() will no longer be importable from django.contrib.sites.models."

Is it possibile to fix it with

try:
    from django.contrib.sites.models import get_current_site
except ImportError:
    from django.contrib.sites.shortcuts import get_current_site

, correct?

Thank you
Pietro

Hello,

The latest version on PyPi is 0.4.1 [1], however the latest tagged version here is 0.3.2 [2]. This is confusing - can you please add the missing tags?

[1] https://pypi.python.org/pypi/django-password-policies
[2] https://github.com/tarak/django-password-policies/releases

Thanks

#64

Hi,

Is there any plans for Django 1.7 support? I see there is a fork from @hidashun (https://github.com/hidashun/django-password-policies) mentioning Django 1.7 fixes on commits messages but no pull request associated with this.

Thanks.

I propose that the creation of a PasswordHistory record should only occur when the 'commit' parameter is True. This allows a sub-form to make the call object = form.save(commit=False) to get the user object without creating a history record.

File: forms/init.py
class PasswordPoliciesForm
method save()
Code: Indent lines 95 to 99.

After submitting the password change form, I sometimes get this error, and sometimes the password change is successful.

AssertionError at /portal/user/mypass/
PasswordChangeRequired object can't be deleted because its id attribute is set to None.
Request Method: POST
Request URL: https://172.16.22.143/portal/user/mypass/
Django Version: 1.7.7
Exception Type: AssertionError
Exception Value:
PasswordChangeRequired object can't be deleted because its id attribute is set to None.
Exception Location: /usr/local/lib/python2.7/dist-packages/django/db/models/base.py in delete, line 735
Python Executable: /usr/local/bin/uwsgi
Python Version: 2.7.3

/usr/local/lib/python2.7/dist-packages/password_policies/forms/init.py in save
raise forms.ValidationError(self.error_messages['password_similar'])
return cleaned_data
def save(self, commit=True):
user = super(PasswordPoliciesChangeForm, self).save(commit=commit)
try:
if user.password_change_required:
user.password_change_required.delete() ...
except ObjectDoesNotExist:
pass
return user

One solution is to check the user.password_change_required.id is not None before calling .delete().

Environment:

    Request Method: GET
    Request URL: http://127.0.0.1:8000/

    Django Version: 1.5.2
    Python Version: 2.7.5
    Installed Applications:
    ('django.contrib.auth',
     'django.contrib.contenttypes',
     'django.contrib.sessions',
     'django.contrib.sites',
     'django.contrib.messages',
     'django.contrib.staticfiles',
     'django.contrib.admin',
     'django.contrib.markup',
     'settings_context_processor',
     'compressor',
     'south',
     'floppyforms',
     'impersonate',
     'rest_framework',
     'password_policies',
     'luft_utils',
     'core',
     'mezixicht',
     'data_migration',
     'django_extensions',
     'devserver')
    Installed Middleware:
    ('django.middleware.common.CommonMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'core.middleware.CheckPasswordExpiration',
     'impersonate.middleware.ImpersonateMiddleware')


    Traceback:
    File "/data/.envs/scorp/local/lib/python2.7/site-packages/django/core/handlers/base.py" in get_response
      115.                         response = callback(request, *callback_args, **callback_kwargs)
    File "/data/.envs/scorp/local/lib/python2.7/site-packages/django/contrib/auth/decorators.py" in _wrapped_view
      25.                 return view_func(request, *args, **kwargs)
    File "/data/www/outcomm/scorp/core/views.py" in homepage
      7.     return render(request, 'dashboard.html', {})
    File "/data/.envs/scorp/local/lib/python2.7/site-packages/django/shortcuts/__init__.py" in render
      49.         context_instance = RequestContext(request, current_app=current_app)
    File "/data/.envs/scorp/local/lib/python2.7/site-packages/django/template/context.py" in __init__
      179.             self.update(processor(request))
    File "/data/.envs/scorp/local/lib/python2.7/site-packages/password_policies/context_processors.py" in password_status
      29.             r = PasswordHistory.objects.change_required(request.user)
    File "/data/.envs/scorp/local/lib/python2.7/site-packages/password_policies/managers.py" in change_required
      46.         if last_change_date < expired_date:

    Exception Type: TypeError at /
    Exception Value: can't compare offset-naive and offset-aware datetimes

Instead of using
django>=1.5,<=1.6
It maybe better to use
django>=1.5,<1.7

As it is now the requirements will uninstall Django 1.6.1 or 1.6.2 etc. The other option is to keep this up to date. I doubt that future minor point releases, i.e 1.6.3 etc, will break the app.

could you tag a new release with italian translations?

Hi,

I have forked the project and I continue the work in my fork: https://github.com/iplweb/django-password-policies-iplweb

Feel free to report any issues, patches, docs improvements also badly needed.

I'm using this in a commercial project so I guess I'll maintain my fork for a few years at least.

If I set PASSWORD_USE_HISTORY to False I always get this exception

From what I can see, the pytz package is no longer used. Rather, django.utils.timezone appears to be used instead. Is pytz still required?

Tarak, when do you plan on releasing this version on pypi? I want to get these changes into my application. Thanks. Bob

Hi there. It looks like some recent changes (the UNUSABLE_PASSWORD fix for Django 1.6.3+ specifically) are in master, but not in the latest version of PyPI. Could you roll a new version out to PyPI? Thanks!

When using password policies, I get the following error when trying changing the password:

Traceback (most recent call last):
  File "/Users/eduardo.carvalho/workspace/kolab-dashboard/env/lib/python2.7/site-packages/django/core/handlers/base.py", line 201, in get_response
    response = middleware_method(request, response)
  File "/Users/eduardo.carvalho/workspace/kolab-dashboard/env/lib/python2.7/site-packages/django/contrib/sessions/middleware.py", line 38, in process_response
    request.session.save()
  File "/Users/eduardo.carvalho/workspace/kolab-dashboard/env/lib/python2.7/site-packages/django/contrib/sessions/backends/db.py", line 57, in save
    session_data=self.encode(self._get_session(no_load=must_create)),
  File "/Users/eduardo.carvalho/workspace/kolab-dashboard/env/lib/python2.7/site-packages/django/contrib/sessions/backends/base.py", line 87, in encode
    serialized = self.serializer().dumps(session_dict)
  File "/Users/eduardo.carvalho/workspace/kolab-dashboard/env/lib/python2.7/site-packages/django/core/signing.py", line 88, in dumps
    return json.dumps(obj, separators=(',', ':')).encode('latin-1')
  File "/usr/local/Cellar/python/2.7.6_1/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/__init__.py", line 250, in dumps
    sort_keys=sort_keys, **kw).encode(obj)
  File "/usr/local/Cellar/python/2.7.6_1/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/encoder.py", line 207, in encode
    chunks = self.iterencode(o, _one_shot=True)
  File "/usr/local/Cellar/python/2.7.6_1/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/encoder.py", line 270, in iterencode
    return _iterencode(o, 0)
  File "/usr/local/Cellar/python/2.7.6_1/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/encoder.py", line 184, in default
    raise TypeError(repr(o) + " is not JSON serializable")
TypeError: datetime.datetime(2014, 8, 14, 17, 57, 53, 151293, tzinfo=<UTC>) is not JSON serializable

The password changes, but I get the error because of the json session serializer.
When I change the following setting on settings.py:

SESSION_SERIALIZER='django.contrib.sessions.serializers.PickleSerializer'

I gess it should be in the docs.

I suggest a Setting that forces password changes on first login, as this is required by many safety standards.

issues with redirecting to login page after password change

Django 1.6 changed validation of email addresses. Regex disappeared, see django/django/core/validators.py

Traceback (most recent call last):
  File "setup.py", line 26, in <module>
    test_suite='tests.main',
  File "/usr/lib/python2.7/distutils/core.py", line 152, in setup
    dist.run_commands()
  File "/usr/lib/python2.7/distutils/dist.py", line 953, in run_commands
    self.run_command(cmd)
  File "/usr/lib/python2.7/distutils/dist.py", line 972, in run_command
    cmd_obj.run()
  File "/usr/lib/python2.7/dist-packages/setuptools/command/test.py", line 138, in run
    self.with_project_on_sys_path(self.run_tests)
  File "/usr/lib/python2.7/dist-packages/setuptools/command/test.py", line 118, in with_project_on_sys_path
    func()
  File "/usr/lib/python2.7/dist-packages/setuptools/command/test.py", line 164, in run_tests
    testLoader = cks
  File "/usr/lib/python2.7/unittest/main.py", line 94, in __init__
    self.parseArgs(argv)
  File "/usr/lib/python2.7/unittest/main.py", line 149, in parseArgs
    self.createTests()
  File "/usr/lib/python2.7/unittest/main.py", line 158, in createTests
    self.module)
  File "/usr/lib/python2.7/unittest/loader.py", line 128, in loadTestsFromNames
    suites = [self.loadTestsFromName(name, module) for name in names]
  File "/usr/lib/python2.7/unittest/loader.py", line 91, in loadTestsFromName
    module = __import__('.'.join(parts_copy))
  File "/home/dev/django-password-policies/tests.py", line 13, in <module>
    from password_policies.tests import settings
  File "/home/dev/django-password-policies/password_policies/tests/__init__.py", line 1, in <module>
    from password_policies.tests.forms import *
  File "/home/dev/django-password-policies/password_policies/tests/forms.py", line 5, in <module>
    from password_policies.forms import PasswordPoliciesForm, PasswordPoliciesChangeForm
  File "/home/dev/django-password-policies/password_policies/forms/__init__.py", line 16, in <module>
    from password_policies.forms.fields import PasswordPoliciesField
  File "/home/dev/django-password-policies/password_policies/forms/fields.py", line 3, in <module>
    from password_policies.forms.validators import validate_common_sequences
  File "/home/dev/django-password-policies/password_policies/forms/validators.py", line 9, in <module>
    from django.core.validators import email_re
ImportError: cannot import name email_re

Does this app require users to change the Django setting SESSION_SERIALIZER to 'django.contrib.sessions.serializers.PickleSerializer'? Based on the Django documentation, this seems like a fairly steep price to pay: https://docs.djangoproject.com/en/1.7/topics/http/sessions/#session-serialization.

Is there anything we can do to help add support for JSONSerializer?

Hello,

I am using django-password-policies v0.3.2 with django 1.8.3.

When I deploy my Django site with a uwsgi prefix, the middleware that should enforce a password change fails. It is letting the user through.

I could fix the issue by changing resolve(request.path) into resolve(request.path_info) on line 143 in middleware.py.

Request.path_info does not contain the site prefix and will resolve. Request.path contains the prefix and will not resolve letting the user pass...

Am I doing something wrong or is this a bug?

kind regards,
Lode

Changes in Django 1.10 means MIDDLEWARE_CLASSES now becomes MIDDLEWARE.

password_policies.middleware.PasswordChangeMiddleware now broken:

in load_middleware
    mw_instance = middleware(handler)
TypeError: object() takes no parameters

https://docs.djangoproject.com/en/1.10/topics/http/middleware/#upgrading-pre-django-1-10-style-middleware

All it seems to need is:

from django.utils.deprecation import MiddlewareMixin

class PasswordChangeMiddleware(MiddlewareMixin):

Tested, and seems fine.

Merged #26. Needs to be uploaded to PyPI. Will be done after visiting grandma...

How do you build the password reset confirm url in the email template? I can't figure out how to do it.