User manager methods create() and create_user()

sunprophit picture sunprophit · Jul 18, 2012 · Viewed 8.2k times · Source

I have encountered with some suspicious behavior of create() method of User object manager. Looks like password field isn't required for creating User object if you use this method. In result you get User with blank password. In case when you use create_user method and don't specify password it creates User with unusable password (through to set_unusable_password()).

I am not sure why create() method doesn't raise exception when you try to create user without password - in documentation it's specified that this field is required. Is something wrong in create() method/documentation?

Answer

Filip Dupanović picture Filip Dupanović · Jul 18, 2012

That's exactly why the user model has a custom manager with a UserManager.create_user() method for creating users. There are two problems with using the QuerySet.create() method on User instances:

  1. If you run the management command python manage.py sql, pay attention to the auth_user schema:

    CREATE TABLE "auth_user" (
        ...
        "password" varchar(128) NOT NULL,
        ...
    )
    

    In SQL, an empty string, '', does not equate to NULL, i.e. ISNULL('') != TRUE.

  2. QuerySet.create() and QuerySet.update() do not trigger model validation. Model validation only happens when ModelForm instances call the Model.full_clean() instance method.

    Raising a validation error in the context of working with the QuerySet API directly simply makes no sense in Django. That's why you can do something like User.objects.create(username='foo', password='') even though CharField().validate(value='', None) would raise a ValidationError for a blank string.

For the reasons above, you should defer from using User.objects.create() and rely on the supplied User.objects.create_user() method from the model's custom manager.