Validation utilities¶
To ease the process of validating user registration data, django-registration includes some validation-related data and utilities.
Error messages¶
Several error messages are available as constants. All of them are marked for translation; most have translations already provided in django-registration.
- django_registration.validators.DUPLICATE_EMAIL¶
Error message raised by
RegistrationFormUniqueEmail
when the supplied email address is not unique.
- django_registration.validators.DUPLICATE_USERNAME¶
Error message raised by
CaseInsensitiveValidator
when the supplied username is not unique. This is the same string raised by Django’s defaultUser
model for a non-unique username.
- django_registration.validators.RESERVED_NAME¶
Error message raised by
ReservedNameValidator
when it is given a value that is a reserved name.
- django_registration.validators.TOS_REQUIRED¶
Error message raised by
RegistrationFormTermsOfService
when the terms-of-service field is not checked.
Rejecting “reserved” usernames¶
By default, django-registration treats some usernames as reserved.
Note
Why reserved names are reserved
Many Web applications enable per-user URLs (to display account information), and some may also create email addresses or even subdomains, based on a user’s username. While this is often useful, it also represents a risk: a user might register a name which conflicts with an important URL, email address or subdomain, and this might give that user control over it.
django-registration includes a list of reserved names, and rejects them as usernames by default, in order to avoid this issue.
- class django_registration.validators.ReservedNameValidator(reserved_names)¶
A callable validator class (see Django’s validators documentation) which prohibits the use of a reserved name as the value.
By default, this validator is applied to the username field of
django_registration.forms.RegistrationForm
and all of its subclasses. This validator is attached to the list of validators for the username field, so to remove it (not recommended), subclassRegistrationForm
and override __init__() to change the set of validators on the username field.If you want to supply your own custom list of reserved names, you can subclass
RegistrationForm
and set the attribute reserved_names to the list of values you want to disallow.The default list of reserved names, if you don’t specify one, is
DEFAULT_RESERVED_NAMES
. The validator will also reject any value beginning with the string “.well-known” (see RFC 5785).- Parameters
reserved_names (list) – A list of reserved names to forbid.
- Raises
django.core.exceptions.ValidationError – if the provided value is reserved.
Several constants are provided which are used by this validator:
- django_registration.validators.CA_ADDRESSES¶
A list of email usernames commonly used by certificate authorities when verifying identity.
- django_registration.validators.NOREPLY_ADDRESSES¶
A list of common email usernames used for automated messages from a Web site (such as “noreply” and “mailer-daemon”).
- django_registration.validators.PROTOCOL_HOSTNAMES¶
A list of protocol-specific hostnames sites commonly want to reserve, such as “www” and “mail”.
- django_registration.validators.OTHER_SENSITIVE_NAMES¶
Other names, not covered by any of the other lists, which have the potential to conflict with common URLs or subdomains, such as “blog” and “docs”.
- django_registration.validators.SENSITIVE_FILENAMES¶
A list of common filenames with important meanings, such that usernames should not be allowed to conflict with them (such as “favicon.ico” and “robots.txt”).
- django_registration.validators.SPECIAL_HOSTNAMES¶
A list of hostnames with reserved or special meaning (such as “autoconfig”, used by some email clients to automatically discover configuration data for a domain).
- django_registration.validators.DEFAULT_RESERVED_NAMES¶
A list made of the concatenation of all of the above lists, used as the default set of reserved names for
ReservedNameValidator
.
Protecting against homograph attacks¶
By default, Django permits a broad range of Unicode to be used in usernames; while this is useful for serving a worldwide audience, it also creates the possibility of homograph attacks through the use of characters which are easily visually confused for each other (for example: “pаypаl” containing a Cyrillic “а”, visually indistinguishable in many fonts from a Latin “а”).
To protect against this, django-registration applies some validation rules to usernames and email addresses.
- django_registration.validators.validate_confusables(value)¶
A custom validator which prohibits the use of dangerously-confusable usernames.
This validator will reject any mixed-script value (as defined by Unicode ‘Script’ property) which also contains one or more characters that appear in the Unicode Visually Confusable Characters file.
This validator is enabled by default on the username field of registration forms.
- Parameters
value (str) – The username value to validate (non-string usernames will not be checked)
- Raises
django.core.exceptions.ValidationError – if the value is mixed-script confusable
- django_registration.validators.validate_confusables_email(value)¶
A custom validator which prohibits the use of dangerously-confusable email address.
This validator will reject any email address where either the local-part of the domain is – when considered in isolation – dangerously confusable. A string is dangerously confusable if it is a mixed-script value (as defined by Unicode ‘Script’ property) which also contains one or more characters that appear in the Unicode Visually Confusable Characters file.
This validator is enabled by default on the email field of registration forms.
- Parameters
value (str) – The email address to validate
- Raises
django.core.exceptions.ValidationError – if the value is mixed-script confusable
Other validators¶
- class django_registration.validators.CaseInsensitiveUnique(model, field_name)¶
A callable validator class (see Django’s validators documentation) which enforces case-insensitive uniqueness on a given field of a particular model. Used by
RegistrationFormCaseInsensitive
for case-insensitive username uniqueness, andRegistrationFormUniqueEmail
for unique email addresses.- Parameters
model (django.db.models.Model) – The model class to query against for uniqueness checks.
field_name (str) – The field name to perform the uniqueness check against.
- Raises
django.core.exceptions.ValidationError – if the value is not unique.
- class django_registration.validators.HTML5EmailValidator¶
A callable validator class (see Django’s validators documentation) which enforces the HTML5 email address format. The format used by HTML5’s input type=”email” is deliberately more restrictive than what is permitted by the latest email RFCs; specifically, HTML5’s validation rule disallows a number of rare and problematic features – such as embedded comments and quoted-string inclusion of otherwise-illegal characters – which are technically legal to have in an email address but which now mostly serve to confuse or complicate parsers, rather than to provide actual utility.