From e036217ec5ec9af6e5cd518f6624b0e029af81a1 Mon Sep 17 00:00:00 2001
From: Gagan Deep
Date: Thu, 15 Feb 2024 14:35:27 +0530
Subject: [PATCH 1/2] Fix: New created users will have unusable password
Closes #398
---
 djangosaml2/backends.py | 1 +
 djangosaml2/tests/__init__.py | 7 +++++++
 2 files changed, 8 insertions(+)
diff --git a/djangosaml2/backends.py b/djangosaml2/backends.py
index 5678991e..d1c01407 100644
--- a/djangosaml2/backends.py
+++ b/djangosaml2/backends.py
@@ -290,6 +290,7 @@ def get_or_create_user(
 # Create new one if desired by settings
 if create_unknown_user:
 user = UserModel(**{user_lookup_key: user_lookup_value})
+ user.set_unusable_password()
 created = True
 logger.debug(f"New user created: {user}", exc_info=True)
 else:
diff --git a/djangosaml2/tests/__init__.py b/djangosaml2/tests/__init__.py
index 59223410..8b8602cc 100644
--- a/djangosaml2/tests/__init__.py
+++ b/djangosaml2/tests/__init__.py
@@ -462,6 +462,9 @@ def test_assertion_consumer_service(self):
 user_id = self.client.session[SESSION_KEY]
 user = User.objects.get(id=user_id)
 self.assertEqual(user.username, "student")
+ # Since a new user object is created, the password
+ # field is set to have an unusable password.
+ self.assertEqual(user.has_usable_password(), False)
 # let's create another user and log in with that one
 new_user = User.objects.create(username="teacher", password="not-used")
@@ -486,6 +489,10 @@ def test_assertion_consumer_service(self):
 # as the RelayState is empty we have redirect to ACS_DEFAULT_REDIRECT_URL
 self.assertRedirects(response, "/dashboard/")
 self.assertEqual(str(new_user.id), client.session[SESSION_KEY])
+ new_user.refresh_from_db()
+ # Since "new_user" already had a password,
+ # the password field will remain unchanged.
+ self.assertEqual(new_user.has_usable_password(), True)
 @override_settings(ACS_DEFAULT_REDIRECT_URL="testprofiles:dashboard")
 def test_assertion_consumer_service_default_relay_state(self):
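Review bot: In djangosaml2/backends.py the added `user.set_unusable_password()` only runs on the `create_unknown_user` branch, so accounts this backend provisioned before the change keep the password value they were saved with; for a model built as `UserModel(**{...})` that is presumably an empty string, which Django's `has_usable_password()` reports as usable, leaving those accounts eligible for local password reset. The release notes should tell operators to run `set_unusable_password()` plus `save()` over previously SAML-created users. A why-comment above the new line would keep the intent visible, e.g. `# IdP-provisioned account: mark the local password unusable so password login/reset cannot bypass SAML`. get_or_create_user starts and ends outside this hunk, so the point where the user is saved is not visible here.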
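Review bot: In the @@ -462 hunk of djangosaml2/tests/__init__.py, `self.assertEqual(user.has_usable_password(), False)` compares a boolean against a literal; `self.assertIs(user.has_usable_password(), False)` states the intent directly and also fails on a falsy non-bool return. The same applies to the `True` comparison added in the @@ -486 hunk, which would read `self.assertIs(new_user.has_usable_password(), True)`. test_assertion_consumer_service begins before both hunks.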
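Review bot: The assertion added in the @@ -486 hunk does not pin what its comment claims: `has_usable_password()` stays true for any stored value that is not marked unusable, so the test would still pass if the login path replaced the existing password with a different usable one. Comparing the field itself covers "remain unchanged", e.g. `self.assertEqual(new_user.password, "not-used")` right after `new_user.refresh_from_db()`, given that the preceding hunk's context creates the user with `password="not-used"`. The enclosing test method starts outside the hunk.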
From 769947502a828b1ac8aa03bafc5939c7a0c6f9b5 Mon Sep 17 00:00:00 2001
From: Gagan Deep
Date: Thu, 15 Feb 2024 16:00:15 +0530
Subject: [PATCH 2/2] Bump version to 1.9.2
---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup.py b/setup.py
index 98d606f0..7713acd1 100644
--- a/setup.py
+++ b/setup.py
@@ -27,7 +27,7 @@ def read(*rnames):
 setup(
 name="djangosaml2",
- version="1.9.1",
+ version="1.9.2",
 description="pysaml2 integration for Django",
 long_description=read("README.md"),
 long_description_content_type="text/markdown",