From ec3075426748eb66097952635d8f8323fb553c04 Mon Sep 17 00:00:00 2001
From: Art Lukyanchyk <artiom.lukyanchyk@hs-hannover.de>
Date: Thu, 9 Aug 2018 12:45:20 +0200
Subject: [PATCH] Ensure that user passwords are unusable and friendly to
 django.contrib.auth

---
 ssoauth/auth_utils.py |  2 ++
 ssoauth/checks.py     | 12 ++++--------
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/ssoauth/auth_utils.py b/ssoauth/auth_utils.py
index cd86bf6..cf5b0ae 100644
--- a/ssoauth/auth_utils.py
+++ b/ssoauth/auth_utils.py
@@ -64,6 +64,8 @@ def get_or_create_user(uuid, username):
     def create_user(uuid, username):
         _validate_username(username)
         user = get_user_model().objects.create(username=username, is_staff=False)
+        user.set_unusable_password()
+        user.save()
         models.UserMapping.objects.create(user=user, uuid=uuid)
         logger.info("Created user: {username} {uuid}".format(**locals()))
         return user
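Review bot: The two added lines perform a second write after `objects.create(...)` has already inserted the row, so the user briefly exists with the model's default password value before `set_unusable_password()` lands; building the instance first and saving once removes that transient state and halves the writes: `user = get_user_model()(username=username, is_staff=False)`, `user.set_unusable_password()`, `user.save()`. If the surrounding code is not wrapped in `transaction.atomic()`, a failure in the `UserMapping` create on the following line would still leave a user without its mapping, but that is outside this hunk. `create_user` is nested inside `get_or_create_user`, which starts before the hunk.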
diff --git a/ssoauth/checks.py b/ssoauth/checks.py
index d68d800..93c054f 100644
--- a/ssoauth/checks.py
+++ b/ssoauth/checks.py
@@ -27,15 +27,11 @@ def _ignore_db_errors(function):
 def no_passwords_stored(app_configs, **kwargs):
     errors = list()
     user_model = get_user_model()
-    users_with_password = user_model.objects.exclude(password__isnull=True).exclude(password="")
-    if users_with_password:
-        errors.append(Error(
-            "Some users have their password stored in the database: {}".format(", ".join(u.username for u in users_with_password)),
-            obj=user_model
-        ))
-        for user in users_with_password:
-            user.password = str()
+    for user in user_model.objects.all():
+        if user.has_usable_password():
+            user.set_unusable_password()
             user.save()
+            errors.append(Warning("User \"{0}\" had usable password. Automatically fixed.".format(user), obj=user_model))
     return errors
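Review bot: The `user.save()` kept inside the new loop writes every column of the user row, so a system check that runs implicitly on `runserver`, `migrate` and similar commands can clobber fields changed elsewhere and fires `post_save` handlers for unrelated consumers; limit it to the field being corrected, `user.save(update_fields=["password"])`. `user_model.objects.all()` also materialises the whole user table before the loop starts; `.iterator()` keeps the scan streaming. On Django 2.1 and later `has_usable_password()` returns True for an empty password string, so every user the previous version of this check blanked will be rewritten and reported on the next run — probably intended, but worth stating in a comment such as `# empty passwords count as usable on Django >= 2.1; they are migrated to the unusable marker here`. The `_ignore_db_errors` decorator named in the hunk header is defined before the hunk.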
 
 
-- 
GitLab