Django users being created with cleartext passwords

问题

I hav ean issue in my django app where newly created users are being set up with cleartext passwords.

This is the failing test.

def test_create_valid_user_success(self):
    """Test creating user with valid user is successful"""
    payload = {
        'email': 'test@email.com',
        'password': 'testpass',
        'name': 'Test Name'
    }
    res = self.client.post(CREATE_USER_URL, payload)

    self.assertEqual(res.status_code, status.HTTP_201_CREATED)
    user = get_user_model().objects.get(**res.data)
    print(user.password) # Comes out as clear text == 'testpass'
    self.assertTrue(user.check_password(payload['password']))
    self.assertNotIn('password', res.data)

Test Error:

======================================================================
FAIL: test_create_valid_user_success (user.tests.test_user_api.PublicUserApiTests)
Test creating user with valid user is successful
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/app/user/tests/test_user_api.py", line 33, in test_create_valid_user_success
    self.assertTrue(user.check_password(payload['password']))
AssertionError: False is not true

Serializer:

from django.contrib.auth import get_user_model

from rest_framework import serializers


class UserSerializer(serializers.ModelSerializer):
    """Serializer for users object"""

    class Meta:
        model = get_user_model()
        fields = ('email', 'password', 'name')
        extra_kwargs = {
            'password': {
                'write_only': True,
                'min_length': 8
            }
        }

        def create(self, validated_data):
            """Create a new user with encrypted password and return it"""
            return get_user_model().objects.create_user(**validated_data)

Model:

class UserManager(BaseUserManager):
    def create_user(self, email, password=None, **extra_fields):
        """Creates and saves a new user"""
        if not email:
            raise ValueError('Users must have an email address')
        user = self.model(email=self.normalize_email(email), **extra_fields)
        user.set_password(password)
        user.save(using=self._db)

What am I missing here to properly hash users passwords on creation?

回答1:

Well don't I feel stupid.

When I created the create method under Meta in my serializer I forgot about the indentation so my create was part of Meta not UserSerializer

Correct indentation:

class UserSerializer(serializers.ModelSerializer):
    """Serializer for users object"""

    class Meta:
        model = get_user_model()
        fields = ('email', 'password', 'name')
        extra_kwargs = {
            'password': {
                'write_only': True,
                'min_length': 8
            }
        }

    def create(self, validated_data):
        """Create a new user with encrypted password and return it"""
        return get_user_model().objects.create_user(**validated_data)

来源：https://stackoverflow.com/questions/61857290/django-users-being-created-with-cleartext-passwords