Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

User manager methods create() and create_user()

I have encountered with some suspicious behavior of create() method of User object manager. Looks like password field isn't required for creating User object if you use this method. In result you get User with blank password. In case when you use create_user method and don't specify password it creates User with unusable password (through to set_unusable_password()).

I am not sure why create() method doesn't raise exception when you try to create user without password - in documentation it's specified that this field is required. Is something wrong in create() method/documentation?

like image 220
sunprophit Avatar asked Jul 18 '12 15:07

sunprophit


1 Answers

That's exactly why the user model has a custom manager with a UserManager.create_user() method for creating users. There are two problems with using the QuerySet.create() method on User instances:

  1. If you run the management command python manage.py sql, pay attention to the auth_user schema:

    CREATE TABLE "auth_user" (
        ...
        "password" varchar(128) NOT NULL,
        ...
    )
    

    In SQL, an empty string, '', does not equate to NULL, i.e. ISNULL('') != TRUE.

  2. QuerySet.create() and QuerySet.update() do not trigger model validation. Model validation only happens when ModelForm instances call the Model.full_clean() instance method.

    Raising a validation error in the context of working with the QuerySet API directly simply makes no sense in Django. That's why you can do something like User.objects.create(username='foo', password='') even though CharField().validate(value='', None) would raise a ValidationError for a blank string.

For the reasons above, you should defer from using User.objects.create() and rely on the supplied User.objects.create_user() method from the model's custom manager.

like image 80
Filip Dupanović Avatar answered Oct 09 '22 12:10

Filip Dupanović