
I'm deploying Django automatically. I create a superuser at installation with the command :

python manage.py createsuperuser --username me --email me@example.org --noinput

When I do this, no password is set for the account and I'm not able to change the password with the "Forgot password" functionality.

If I do :

python manage.py changepassword me

Then I can reset the password. This behavior comes from this code :

return (u for u in active_users if u.has_usable_password())

What would be the way to "activate" the reset function for all users without hacking the core?

Plup
  • The proper solution is not to weaken your site's security by allowing the superuser's password to be reset TTW if the superuser has no password (which would allow anyone to reset the superuser's password...), but to create the superuser with a password right from the start. The question I linked to has many suggestions on how to do this, the best one IMHO being the custom management command. – bruno desthuilliers Oct 20 '17 at 10:16
  • Thanks for pointing me to this. In my opinion, setting a password or not doesn't change anything about the security level because in both cases I will be able to reset it via email. If I have to set a password in order to reset it, why shouldn't I be able to reset it directly? – Plup Oct 20 '17 at 10:24
  • Do you think I should make my comments on the question you linked? As it already has a lot of opinions on this. – Plup Oct 20 '17 at 10:27
  • You're indeed right that not knowing the password wouldn't change anything here (my bad, it's Friday obviously...) - but it still weakens the security by allowing a user whose password has been rendered unusable by an admin to still reset their own password. But anyway: the right solution to your problem is _still_ (IMHO) to set the password on superuser creation. – bruno desthuilliers Oct 20 '17 at 10:45
  • `it still weakens the security by allowing a user whose password has been rendered unusable by an admin to still reset their own password.` True! I didn't think of this use case. Thanks. – Plup Oct 20 '17 at 11:33
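The following is an added example, not code from the question or from Django itself. It models the behaviour discussed above: Django marks an *unusable* password by storing a value that starts with `!` (what `set_unusable_password()` writes and what `createsuperuser --noinput` leaves behind), and the password-reset form only e-mails active users whose password is usable, which is why the reset never reached the superuser here and why an account an admin deliberately disabled stays disabled. The `User` class, the PBKDF2 stand-in for Django's hasher and `create_superuser()` (which implements the comments' recommendation of setting a password at creation time) are simplified assumptions for the demo, not Django's API.

```python
"""Model of the reset-eligibility rule behind has_usable_password() (added example)."""
import hashlib
import secrets
from dataclasses import dataclass

# Same marker Django uses for unusable passwords; hypothetical minimal model otherwise.
UNUSABLE_PASSWORD_PREFIX = "!"


@dataclass
class User:
    username: str
    email: str
    is_active: bool = True
    password: str = ""  # stored hash, or "!<random>" when unusable

    def set_unusable_password(self) -> None:
        # Like Django: "!" plus a random suffix, so it can never match any real hash.
        self.password = UNUSABLE_PASSWORD_PREFIX + secrets.token_urlsafe(30)

    def set_password(self, raw: str) -> None:
        # Stand-in for Django's hasher: salted PBKDF2-SHA256 (constructed, not Django's code).
        salt = secrets.token_hex(8)
        digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), 100_000).hex()
        self.password = f"pbkdf2_sha256$100000${salt}${digest}"

    def check_password(self, raw: str) -> bool:
        if not self.has_usable_password():
            return False
        _, iterations, salt, digest = self.password.split("$")
        candidate = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), int(iterations)).hex()
        return secrets.compare_digest(candidate, digest)

    def has_usable_password(self) -> bool:
        # Mirrors Django's rule: anything that starts with "!" is unusable.
        return not self.password.startswith(UNUSABLE_PASSWORD_PREFIX)


def get_reset_users(users, email: str):
    """Mirror of PasswordResetForm.get_users(): active, matching e-mail, usable password.

    The last filter is the line quoted in the question; dropping it would let an
    admin-disabled account (unusable password) reset its way back in.
    """
    active_users = [u for u in users if u.is_active and u.email.lower() == email.lower()]
    return [u for u in active_users if u.has_usable_password()]


def create_superuser(username: str, email: str, raw_password: str) -> User:
    """Create the account with a real password from the start (the comments' recommendation).

    A deployment script would pass the password in from a secret store or an
    environment variable rather than hard-coding it.
    """
    if not raw_password:
        raise ValueError("refusing to create a superuser without a password")
    user = User(username=username, email=email)
    user.set_password(raw_password)
    return user


if __name__ == "__main__":
    # Constructed scenario: the --noinput superuser from the question vs. one with a password.
    noinput = User("me", "me@example.org")
    noinput.set_unusable_password()
    proper = create_superuser("me2", "me@example.org", "correct horse battery staple")
    print("eligible for reset:", [u.username for u in get_reset_users([noinput, proper], "me@example.org")])
```

Run with `python` on its own; the script prints which of the two constructed accounts the reset form would e-mail. Only the account created with a password qualifies, which is the outcome the accepted advice in the comments aims for.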
