Remove resurrected User.__init__ that mutated Field.validators

JSv4 · JSv4 · commit 6b56ee373a3e · 2026-04-26T09:39:23.000-05:00
PR #1374 (50ed674) fixed #1358 by deleting the User.__init__ override that re-bound `username_field.validators[0] = UserUnicodeUsernameValidator()` on every instantiation. The merge commit b68c1cb (resolving issue #1333, the auth/users typing pass) carried the mypy-typed version of that same __init__ forward and the merge-in-main resurrected it on origin/main at 6d2cddb. The class-body declaration `validators=[UserUnicodeUsernameValidator()]` from PR #1374 is the canonical and only validator binding — the __init__ override was a shared-state mutation that clobbered anything third-party prepended to the field's validators list (and changed validator identity on each instantiation). The two regression tests that exposed this on main are already in the repo and pass with this change: - test_validators_list_stable_across_instantiations - test_third_party_prepend_does_not_corrupt_username_validator Also drop the now-unused `Field` import.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
+- **`User.__init__` shared-state mutation re-introduced by branch merge** (`opencontractserver/users/models.py:172-180` removed): PR #1374 (commit `50ed6740`) deleted the `User.__init__` override that mutated `Field.validators[0]` on every instantiation, but a subsequent merge (`b68c1cb4 → 6d2cddbf`) resurrected the override along with its mypy-narrowing changes. The current main on commit `6d2cddbf` therefore reproduced the original `#1358` bug: `User(...)` rebound `username_field.validators[0]` and clobbered any third-party validator prepended to the list. Removed the `__init__` override entirely; the class-body declaration `validators=[UserUnicodeUsernameValidator()]` on the `username` field (still present from PR #1374) is the canonical and only declaration. Also dropped the now-unused `Field` import. Regression coverage from PR #1374 (`opencontractserver/tests/test_user_username_validator.py`) was already on main and is what surfaced the regression in CI.
+
 ### Security
 
 - **Cross-corpus structural-annotation leak in `CoreAnnotationVectorStore`** (`opencontractserver/llms/vector_stores/core_vector_stores.py:296-326,371-413`): The corpus-wide retrieval path (`corpus_id` set, `document_id=None`) returned every structural annotation in the database regardless of corpus. Two collaborating defects caused the leak:
diff --git a/opencontractserver/users/models.py b/opencontractserver/users/models.py
@@ -12,7 +12,7 @@
     Group,
 )
 from django.contrib.auth.models import UserManager as DjangoUserManager
-from django.db.models import Field, Q, QuerySet
+from django.db.models import Q, QuerySet
 from django.urls import reverse
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
@@ -169,16 +169,6 @@ class User(AbstractUser):
     def __str__(self) -> str:
         return f"{self.username}: {self.email}"
 
-    def __init__(self, *args: Any, **kwargs: Any) -> None:
-        username_field = self._meta.get_field("username")
-        # ``get_field`` is typed as ``Field | ForeignObjectRel``; the
-        # username field is always a plain ``Field``, but narrow here so
-        # mypy can see ``.validators`` without a cast.
-        if isinstance(username_field, Field):
-            username_field.validators[0] = UserUnicodeUsernameValidator()
-
-        super().__init__(*args, **kwargs)
-
     def get_absolute_url(self) -> str:
         """Get url for user's detail view.
 
