Open jochenklar opened 2 years ago
Hi @jochenklar, we have the same issue and wanted to post it here!
In our case it is because the Identity Providers are using the now recommended pairwise-id attribute.
https://doku.tid.dfn.de/de:common_attributes#a17
It is a scoped attribute (see eduPersonPrincipalName), in which the left part (uniqueID) consists of a unique string of at most 127 characters: (ALPHA / DIGIT) 0*126(ALPHA / DIGIT / "=" / "-"), while the right part (scope), separated by '@', represents the domain name of the institution concerned. Important: the left part (uniqueId) must be treated case-insensitively, i.e. values that differ only in upper/lower case must refer to the same identity or the same 'subject'.
A custom validator would fix it I guess!
Hi @MyPyDavid, I created the issue because I got a mail from your colleague :slightly_smiling_face:
You can create a custom validator like the one linked above in your rdmo app and it should work.
ok thanks, I will try it with that in the app!
Hi @jochenklar,
I could use a Custom Validator to allow these characters in the ACCOUNT_SIGNUP form.
In the case of Shibboleth, these users were already automatically signed up after login without raising a ValidationError.
Our issue lies mainly in the admin/auth/user/ pages. When we want to save changes to the permissions, then the username ValidationError is raised.
This setting ACCOUNT_USERNAME_VALIDATORS applies to the /accounts/ and not to the /auth/ pages, right?
How can we apply this Custom Validator also to the admin/auth/user/ page?
For example, add a Custom Form to the UserAdmin or change the validator of the UsernameField or something else?
For now we can give the roles and permissions also via the django shell with a small script to the users.
```python
from django.contrib.auth.models import User, Group
from django.contrib.sites.models import Site

# get current site
site = Site.objects.get_current()

# get user via email
user = User.objects.get(email='user@example.com')

# set staff
user.is_staff = True

# add user permissions to editor group
group = Group.objects.get(name='editor')
user.groups.add(group)

# add member role
user.role.member.add(site)

# add manager role
user.role.manager.add(site)

# save the changes to the user
user.save()
```
I could add something like this in a manage.py command but then extend it with an option to remove the permissions as well.
Hmm, it could be that you need a Custom (Proxy) User Model for this. I don't know if this works on a running system.
https://stackoverflow.com/questions/48030567/how-to-customize-username-validation
Rationale
Sometimes, weird strings with special characters are used as username (e.g. in a Shibboleth setup). A custom validator, which can be specified in the settings via ACCOUNT_USERNAME_VALIDATORS, can be used to allow those for an instance.
Affected
Admins
Minimal functionality
A more liberal validator in RDMO, a bit like here: https://github.com/django-daiquiri/daiquiri/blob/master/daiquiri/auth/validators.py
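Added example, not code from this thread, RDMO or daiquiri: a validator for the pairwise-id format quoted above, plus the lower-casing needed so that values differing only in case resolve to one account. The scope pattern, the function names and the `pairwise_id_validators` list are assumptions of the example; the `ValidationError` fallback only lets it run without Django installed.

```python
import re

try:  # use Django's exception when available so forms can render the error
    from django.core.exceptions import ValidationError
except ImportError:  # fallback so the example also runs without Django
    class ValidationError(ValueError):
        def __init__(self, message, code=None):
            super().__init__(message)
            self.code = code

# Left part, from the ABNF quoted in the thread:
# (ALPHA / DIGIT) 0*126(ALPHA / DIGIT / "=" / "-"), i.e. 1 to 127 characters.
UNIQUE_ID = r"[A-Za-z0-9][A-Za-z0-9=-]{0,126}"
# Right part: the thread only says "domain name"; this dot-separated
# letter/digit/hyphen label pattern is an assumption of the example.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
PAIRWISE_ID = re.compile(rf"{UNIQUE_ID}@{LABEL}(?:\.{LABEL})*")

USERNAME_MAX_LENGTH = 150  # max_length of username on Django's default User


def validate_pairwise_id(value):
    """Raise ValidationError unless value is a well-formed pairwise-id."""
    if not isinstance(value, str) or len(value) > USERNAME_MAX_LENGTH:
        raise ValidationError("pairwise-id does not fit the username field.",
                              code="max_length")
    # fullmatch, so a trailing newline or any extra text is rejected
    if PAIRWISE_ID.fullmatch(value) is None:
        raise ValidationError("Enter a valid pairwise-id (uniqueID@scope).",
                              code="invalid")


def normalize_pairwise_id(value):
    """Return the canonical form to use for lookups and uniqueness checks."""
    validate_pairwise_id(value)
    unique_id, scope = value.split("@", 1)
    # uniqueID must be treated case-insensitively; DNS names are too
    return f"{unique_id.lower()}@{scope.lower()}"


# A list like this is what ACCOUNT_USERNAME_VALIDATORS points to (by dotted
# path to the list; the module path depends on the app and is not shown here).
pairwise_id_validators = [validate_pairwise_id]
```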