Should it be useful to have ThumbnailNamedField to generate images with both query parameters and arguments?

This would make it line up with @perry's angular-registration (soon to be angular-user-management).

We currently support:

• python
  • 2.7
  • 3.3
  • 3.4
• django
  • 1.6
  • 1.7
  • 1.8
• DRF
  • 3.1
  • 3.2

I think we should consider dropping support for the bold versions.

Security requirements of a number of projects require the site to enforce a set of complexity for passwords. Usually this is some of the following:

• mixture of upper and lowercase letters
• at least one number
• at least one "special character"

• password reset successful
• password changed

Having a library migration for AuthToken would avoid to create the migration with MIGRATION_MODULES in the project.

This would need to be addressed when we drop support for Django v1.6

If you request a password reset with an email address for a user that does not exist or is not active then no email is sent.

Can we send a "You do not have a an account email" in this case.

(cc @meshy @jturnbull )

Just encountered an odd thing where I could create a user with no parameters, and there was no error. It doesn't feel right that a blank email isn't validated as false.

@incuna/backend @meshy What do you think?

from django.contrib.auth.models import AbstractBaseUser, PermissionsMixin
from user_management.models.mixins import VerifyEmailMixin


class User(VerifyEmailMixin, PermissionsMixin, AbstractBaseUser):
    pass

I think that DELETE to the Auth endpoint should require a token in order to invalidate it, otherwise we may be deleting tokens too casually.

The email templates have a #/ in the /register/verify URL, which is a bit awkward. We could use having alternate templates in the ui folder that don't have the #/ in.

I'm trying to e2e test user registration and login.

When I try to log in with bad credentials I get back a 400 error with a text in non_field_errors Unable to log in with provided credentials.

When I try to log in with an unverified account I also get back a 400 error with a different non_field_errors User account is disabled.

The only way to distinguish between them is by the error text, which will break when the text changes or we change to a different language.

A possible solution would be to use a different error status or maybe add a field which describes error type in machine readable form.

We have tests, we should have Travis on this.

_{A changelog would be nice ;)}

In user_management/utils/validators.py, the validate_password_strength function does two different validation checks, and can throw two errors. It should be two validators.

Returning a 404 response doesn't interrupt the workflow but instead is dispatched and a AssertionError: .accepted_renderer not set on Response is raised. A workaround is to raise a 404.

The password_reset_email_handler and validation_email_handler each define a subject that is formatted with the site.domain. This is difficult to override when the domain is unwanted.

We could instead use a django template, to which we pass the site.domain in a context. This would allow a project to replace the subject completely, ignoring the context.

Avatar support requires the fix in encode/django-rest-framework#1377. We are including this in test_requirements.txt, but not in setup.py. We should not release a new version (> v0.0.7) until a new version of django-rest-framework is released.

If you post two matching passwords that do not fulfil the password strength validation rules then the endpoint responds that new_password2 does not match

{
  "new_password": ["Password must have at least one upper case letter, one lower case letter, and one number."], 
  "new_password2": ["Your new passwords do not match."]
}

Currently the (other) users list detail serialiser (UserSerializer) extend HyperlinkedModelSerializer however the (my) profile serializer (ProfileSerializer) does not. It is not therefore possible to identify (my) profile in the users list detail list.

Should the ProfileSerializer include a way to identify the user in the users list? Such as a public_url link?

A non-API view that verifies a user's email address on a GET request (accessed via a link in an email) would be a very useful thing to keep around in a library.

An error message is displayed in model.py.
"unresolve import 'user_management.models.mixins'"

`from django.db import models
from django.db.models import Sum

from django.contrib.auth.models import AbstractBaseUser, PermissionsMixin
from user_management.models.mixins import ActiveUserMixin`

Am I missing something?

I know it's abstract, but it still seems presumptuous to me. A custom user model will always be custom. This seems to be duplicating incuna/custom-user-model.