I have an application where users are authenticated using active directory. This means that there is no need to store passwords in our application database. We store each users details such as username etc in a users table in our application database.

I am working on implementing functionality to allow users to be added to the application. I am using a ModelForm to generate the form.

The model form looks like this:

class GeminiUserAccessForm(ModelForm):
    class Meta:
        model = GeminiUser
        fields = ['email', 'is_authorised']
        labels = {
            'is_authorised': 'Is authorised?'
        }

The method in the view to handle requests from the form page:

def manage_user_access_view(request):
    template_name = 'gemini_users/manage_access.html'
    if request.method == 'POST':
        form = GeminiUserAccessForm(request.POST)
        if form.is_valid():
            new_user = form.save()
            pass
    else:
        form = GeminiUserAccessForm()

    return render(request, template_name, {'form': form})

Everything works as expected, a user with the given email and is authorised value is saved to the database. The password is left blank.

Do I also need to use set_unusable_password() before saving the user?

1 Answers

0
AKX On Best Solutions

It'd be good form and security-in-depth, just in case someone enables authentication that looks at the password field for one reason or another.

set_unusable_password() calls make_password(None), which returns

UNUSABLE_PASSWORD_PREFIX + get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH)

when password is None, i.e. a password hash that is never considered valid by any of the out-of-the-box hash algorithms.