Fix: New created users will have unusable password

djangosaml2/backends.py

@@ -290,6 +290,7 @@ def get_or_create_user(
             # Create new one if desired by settings
             if create_unknown_user:
                 user = UserModel(**{user_lookup_key: user_lookup_value})
+                user.set_unusable_password()
                 created = True
                 logger.debug(f"New user created: {user}", exc_info=True)
             else:

djangosaml2/tests/__init__.py

@@ -462,6 +462,9 @@ def test_assertion_consumer_service(self):
         user_id = self.client.session[SESSION_KEY]
         user = User.objects.get(id=user_id)
         self.assertEqual(user.username, "student")
+        # Since a new user object is created, the password
+        # field is set to have an unusable password.
+        self.assertEqual(user.has_usable_password(), False)
 
         # let's create another user and log in with that one
         new_user = User.objects.create(username="teacher", password="not-used")
@@ -486,6 +489,10 @@ def test_assertion_consumer_service(self):
         # as the RelayState is empty we have redirect to ACS_DEFAULT_REDIRECT_URL
         self.assertRedirects(response, "/dashboard/")
         self.assertEqual(str(new_user.id), client.session[SESSION_KEY])
+        new_user.refresh_from_db()
+        # Since "new_user" already had a password,
+        # the password field will remain unchanged.
+        self.assertEqual(new_user.has_usable_password(), True)
 
     @override_settings(ACS_DEFAULT_REDIRECT_URL="testprofiles:dashboard")
     def test_assertion_consumer_service_default_relay_state(self):

setup.py

@@ -27,7 +27,7 @@ def read(*rnames):
 
 setup(
     name="djangosaml2",
-    version="1.9.1",
+    version="1.9.2",
     description="pysaml2 integration for Django",
     long_description=read("README.md"),
     long_description_content_type="text/markdown",