
Allow user to dismiss password validation

rafalp 6 years ago
parent
commit
ea93911fb0

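--- a/misago/users/management/commands/createsuperuser.py
+++ b/misago/users/management/commands/createsuperuser.py
@@ -6,6 +6,7 @@ import sys
 from getpass import getpass
 
 from django.contrib.auth import get_user_model
+from django.contrib.auth.password_validation import validate_password
 from django.core.exceptions import ValidationError
 from django.core.management.base import BaseCommand
 from django.db import DEFAULT_DB_ALIAS, IntegrityError
@@ -36,13 +37,13 @@ class Command(BaseCommand):
             '--email',
             dest='email',
             default=None,
-            help="Specifies the username for the superuser.",
+            help="Specifies the e-mail for the superuser.",
         )
         parser.add_argument(
             '--password',
             dest='password',
             default=None,
-            help="Specifies the username for the superuser.",
+            help="Specifies the password for the superuser.",
         )
         parser.add_argument(
             '--noinput',
@@ -130,12 +131,26 @@ class Command(BaseCommand):
                         self.stderr.write(u'\n'.join(e.messages))
 
                 while not password:
-                    password = getpass("Enter password: ")
-                    password2 = getpass("Repeat password")
-                    if password != password2:
+                    raw_value = getpass("Enter password: ")
+                    password_repeat = getpass("Repeat password:")
+                    if raw_value != password_repeat:
                         self.stderr.write("Error: Your passwords didn't match.")
-                    if password.strip() == '':
+                        # Don't validate passwords that don't match.
+                        continue
+                    if raw_value.strip() == '':
                         self.stderr.write("Error: Blank passwords aren't allowed.")
+                        # Don't validate blank passwords.
+                        continue
+                    try:
+                        validate_password(
+                            raw_value, user=UserModel(username=username, email=email)
+                        )
+                    except ValidationError as e:
+                        self.stderr.write(u'\n'.join(e.messages))
+                        response = input('Bypass password validation and create user anyway? [y/N]: ')
+                        if response.lower() != 'y':
+                            continue
+                    password = raw_value
 
                 # Call User manager's create_superuser using our wrapper
                 self.create_superuser(username, email, password, verbosity)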
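Review bot: `validate_password` is only reached inside the `while not password:` loop, so a password that is already set when the loop is reached (the `--password` option, and presumably the `--noinput` path, both handled outside this hunk) skips it; since this commit also deletes the check from `UserManager` in `misago/users/models/user.py`, that path appears to be left with no password-policy check at all. I would validate an option-supplied password before the loop and abort on `ValidationError` rather than create the superuser. In the interactive branch the override is accepted without any record; writing `self.stderr.write("Warning: password validation was bypassed.")` after the `y` answer would leave a trace in the command output. The enclosing method starts and ends outside the hunk.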

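--- a/misago/users/models/user.py
+++ b/misago/users/models/user.py
@@ -67,10 +67,6 @@ class UserManager(BaseUserManager):
 
         validate_username(username)
         validate_email(email)
-        
-        if password:
-            # password is conditional: users created with social-auth don't have one
-            validate_password(password, user=user)
 
         if not 'rank' in extra_fields:
             user.rank = Rank.objects.get_default()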

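--- a/misago/users/tests/test_createsuperuser.py
+++ b/misago/users/tests/test_createsuperuser.py
@@ -8,7 +8,7 @@ UserModel = get_user_model()
 
 
 class CreateSuperuserTests(TestCase):
-    def test_create_superuser(self):
+    def test_valid_input_creates_superuser(self):
         """command creates superuser"""
         out = StringIO()
 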

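--- a/misago/users/tests/test_user_create_api.py
+++ b/misago/users/tests/test_user_create_api.py
@@ -224,6 +224,19 @@ class UserCreateTests(UserTestCase):
             'email': ["You can't register account like this."],
         })
 
+    def test_registration_requires_password(self):
+        """api uses django's validate_password to validate registrations"""
+        response = self.client.post(
+            self.api_link,
+            data={
+                'username': 'Bob',
+                'email': 'loremipsum@dolor.met',
+                'password': '',
+            },
+        )
+        
+        self.assertContains(response, "This field is required", status_code=400)
+
     def test_registration_validates_password(self):
         """api uses django's validate_password to validate registrations"""
         response = self.client.post(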
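Review bot: The docstring on `test_registration_requires_password` is copied from `test_registration_validates_password` below it, but the assertion checks for "This field is required", which reads as a required-field error rather than a `validate_password` failure. I would change it to `"""api rejects registration with empty password"""` so the test states what it covers. Since the same commit removes password validation from the user manager, a one-line comment here noting that the registration API now has to enforce this itself would help the next reader. `UserCreateTests` continues outside the hunk.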