Added basic Django password validations and updated .gitignore (#136)

src/pretix/base/forms/auth.py

@@ -1,5 +1,8 @@
 from django import forms
 from django.contrib.auth import authenticate
+from django.contrib.auth.password_validation import (
+    password_validators_help_texts, validate_password,
+)
 from django.utils.translation import ugettext_lazy as _
 
 from pretix.base.models import User
@@ -84,7 +87,7 @@ class RegistrationForm(forms.Form):
     )
 
     def clean(self):
-        password1 = self.cleaned_data.get('password')
+        password1 = self.cleaned_data.get('password', '')
         password2 = self.cleaned_data.get('password_repeat')
 
         if password1 and password1 != password2:
@@ -93,6 +96,12 @@ class RegistrationForm(forms.Form):
                 code='pw_mismatch'
             )
 
+        user = User(email=self.cleaned_data.get('email'))
+        if validate_password(password1, user=user) is not None:
+            raise forms.ValidationError(
+                _(password_validators_help_texts()),
+                code='pw_invalid'
+            )
         return self.cleaned_data
 
     def clean_email(self):
@@ -107,7 +116,7 @@ class RegistrationForm(forms.Form):
 
 class PasswordRecoverForm(forms.Form):
     error_messages = {
-        'pw_mismatch': _("Please enter the same password twice")
+        'pw_mismatch': _("Please enter the same password twice"),
     }
     password = forms.CharField(
         label=_('Password'),
@@ -119,11 +128,12 @@ class PasswordRecoverForm(forms.Form):
         widget=forms.PasswordInput
     )
 
-    def __init__(self, *args, **kwargs):
+    def __init__(self, user_id=None, *args, **kwargs):
+        self.user_id = user_id
         super().__init__(*args, **kwargs)
 
     def clean(self):
-        password1 = self.cleaned_data.get('password')
+        password1 = self.cleaned_data.get('password', '')
         password2 = self.cleaned_data.get('password_repeat')
 
         if password1 and password1 != password2:
@@ -132,6 +142,16 @@ class PasswordRecoverForm(forms.Form):
                 code='pw_mismatch'
             )
 
+        try:
+            user = User.objects.get(id=self.user_id)
+        except User.DoesNotExist:
+            user = None
+        if validate_password(password1, user=user) is not None:
+            raise forms.ValidationError(
+                _(password_validators_help_texts()),
+                code='pw_invalid'
+            )
+
         return self.cleaned_data
 
 

src/pretix/base/forms/user.py

@@ -1,5 +1,8 @@
 from django import forms
 from django.contrib.auth.hashers import check_password
+from django.contrib.auth.password_validation import (
+    password_validators_help_texts, validate_password,
+)
 from django.db.models import Q
 from django.utils.translation import ugettext_lazy as _
 
@@ -66,6 +69,15 @@ class UserSettingsForm(forms.ModelForm):
             )
         return email
 
+    def clean_new_pw(self):
+        password1 = self.cleaned_data.get('new_pw', '')
+        if password1 and validate_password(password1, user=self.user) is not None:
+            raise forms.ValidationError(
+                _(password_validators_help_texts()),
+                code='pw_invalid'
+            )
+        return password1
+
     def clean_new_pw_repeat(self):
         password1 = self.cleaned_data.get('new_pw')
         password2 = self.cleaned_data.get('new_pw_repeat')

src/pretix/control/views/auth.py

@@ -161,7 +161,8 @@ class Recover(TemplateView):
 
     @cached_property
     def form(self):
-        return PasswordRecoverForm(data=self.request.POST if self.request.method == 'POST' else None)
+        return PasswordRecoverForm(data=self.request.POST if self.request.method == 'POST' else None,
+                                   user_id=self.request.GET.get('id'))
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)

src/pretix/settings.py

@@ -388,3 +388,18 @@ CELERY_RESULT_SERIALIZER = 'pickle'
 BOOTSTRAP3 = {
     'success_css_class': ''
 }
+
+AUTH_PASSWORD_VALIDATORS = [
+    {
+        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
+    },
+]