diff --git a/djangosaml2/backends.py b/djangosaml2/backends.py
index 5678991e..d1c01407 100644
--- a/djangosaml2/backends.py
+++ b/djangosaml2/backends.py
@@ -290,6 +290,7 @@ def get_or_create_user(
 # Create new one if desired by settings
 if create_unknown_user:
 user = UserModel(**{user_lookup_key: user_lookup_value})
+ user.set_unusable_password()
 created = True
 logger.debug(f"New user created: {user}", exc_info=True)
 else:
diff --git a/djangosaml2/tests/__init__.py b/djangosaml2/tests/__init__.py
index 59223410..8b8602cc 100644
--- a/djangosaml2/tests/__init__.py
+++ b/djangosaml2/tests/__init__.py
@@ -462,6 +462,9 @@ def test_assertion_consumer_service(self):
 user_id = self.client.session[SESSION_KEY]
 user = User.objects.get(id=user_id)
 self.assertEqual(user.username, "student")
+ # Since a new user object is created, the password
+ # field is set to have an unusable password.
+ self.assertEqual(user.has_usable_password(), False)
 # let's create another user and log in with that one
 new_user = User.objects.create(username="teacher", password="not-used")
@@ -486,6 +489,10 @@ def test_assertion_consumer_service(self):
 # as the RelayState is empty we have redirect to ACS_DEFAULT_REDIRECT_URL
 self.assertRedirects(response, "/dashboard/")
 self.assertEqual(str(new_user.id), client.session[SESSION_KEY])
+ new_user.refresh_from_db()
+ # Since "new_user" already had a password,
+ # the password field will remain unchanged.
+ self.assertEqual(new_user.has_usable_password(), True)
 @override_settings(ACS_DEFAULT_REDIRECT_URL="testprofiles:dashboard")
 def test_assertion_consumer_service_default_relay_state(self):
diff --git a/setup.py b/setup.py
index 98d606f0..7713acd1 100644
--- a/setup.py
+++ b/setup.py
@@ -27,7 +27,7 @@ def read(*rnames):
 setup(
 name="djangosaml2",
- version="1.9.1",
+ version="1.9.2",
 description="pysaml2 integration for Django",
 long_description=read("README.md"),
 long_description_content_type="text/markdown",
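Review bot: The added `user.set_unusable_password()` only covers accounts created from now on; an account provisioned by an earlier release through the same `UserModel(**{user_lookup_key: user_lookup_value})` path was saved with the password field's default empty string, which, as far as I recall, Django's `has_usable_password()` still reports as usable, so those accounts presumably remain eligible for password-reset flows and any local-password login the project exposes — worth confirming and, if so, backfilling them (a data migration, or an `if not user.password: user.set_unusable_password()` step in the existing-user branch). The intent deserves a one-line comment on the added line, e.g. `# SSO-provisioned accounts must not be usable with a local password.`. `get_or_create_user` starts and ends outside this hunk, so I cannot see the save; the call is correctly placed only if the instance is persisted later in the function, which the `created = True` flow suggests but does not show.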
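Review bot: `self.assertEqual(user.has_usable_password(), False)` here, and the matching `self.assertEqual(new_user.has_usable_password(), True)` in the next hunk of this file, read more naturally as `self.assertFalse(user.has_usable_password())` and `self.assertTrue(new_user.has_usable_password())`, which also yield a clearer failure message. The second assertion is a weak regression guard: `new_user` is created with the raw string `"not-used"` in its password field, and `has_usable_password()` is true for any value not explicitly marked unusable, so the check would still pass if the backend replaced the password with some other usable value; asserting the stored value directly, `self.assertEqual(new_user.password, "not-used")`, pins that the field was really left untouched. `test_assertion_consumer_service` starts before this hunk and continues past it.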