Ensure that user passwords are unusable and friendly to django.contrib.auth

ssoauth/auth_utils.py

@@ -64,6 +64,8 @@ def get_or_create_user(uuid, username):
     def create_user(uuid, username):
         _validate_username(username)
         user = get_user_model().objects.create(username=username, is_staff=False)
+        user.set_unusable_password()
+        user.save()
         models.UserMapping.objects.create(user=user, uuid=uuid)
         logger.info("Created user: {username} {uuid}".format(**locals()))
         return user

ssoauth/checks.py

@@ -27,15 +27,11 @@ def _ignore_db_errors(function):
 def no_passwords_stored(app_configs, **kwargs):
     errors = list()
     user_model = get_user_model()
-    users_with_password = user_model.objects.exclude(password__isnull=True).exclude(password="")
-    if users_with_password:
-        errors.append(Error(
-            "Some users have their password stored in the database: {}".format(", ".join(u.username for u in users_with_password)),
-            obj=user_model
-        ))
-        for user in users_with_password:
-            user.password = str()
+    for user in user_model.objects.all():
+        if user.has_usable_password():
+            user.set_unusable_password()
             user.save()
+            errors.append(Warning("User \"{0}\" had usable password. Automatically fixed.".format(user), obj=user_model))
     return errors