1
0
mirror of https://github.com/django/django.git synced 2024-12-23 01:25:58 +00:00
Commit Graph

428 Commits

Author SHA1 Message Date
Mariusz Felisiak
12ac4916af Refs #28622 -- Removed settings.PASSWORD_RESET_TIMEOUT_DAYS per deprecation timeline. 2021-01-14 17:50:04 +01:00
Jon Moroney
76ae6ccf85 Fixed #31358 -- Increased salt entropy of password hashers.
Co-authored-by: Florian Apolloner <florian@apolloner.eu>
2021-01-14 11:20:28 +01:00
Jon Moroney
6bd206e1ff Refs #31358 -- Added bcrypt password hashers tests for must_update() with salt(). 2021-01-14 11:20:28 +01:00
Florian Apolloner
c76d51b3ad Refs #31358 -- Fixed decoding salt in Argon2PasswordHasher.
Argon2 encodes the salt as base64 for representation in the final hash
output. To be able to accurately return the used salt from decode(),
add padding, b64decode, and decode from latin1 (for the remote
possibility that someone supplied a custom hash consisting solely of
bytes -- this would require a manual construction of the hash though,
Django's interface does not allow for that).
2020-12-28 11:02:08 +01:00
Timo Ludwig
d8dfff2ab0 Fixed #32235 -- Made ReadOnlyPasswordHashField disabled by default. 2020-12-03 09:32:08 +01:00
Mariusz Felisiak
3828427f63 Refs #31978 -- Fixed hint in admin's password reset confirmation form for custom username fields.
Thanks Jaap Roes for the report.
2020-11-30 06:34:22 +01:00
Mariusz Felisiak
58740c0d7f Refs #22909 -- Removed camelCasing in auth_tests.test_templates tests. 2020-11-30 06:34:22 +01:00
Claude Paroz
187482d743
Avoided direct styles in admin templates.
Direct styles might be forbidden by Content Security Policies.
2020-11-10 21:32:15 +01:00
Hasan Ramezani
4eb756793b
Refs #28215 -- Marked auth credentials as sensitive variables.
Co-authored-by: Collin Anderson <collin@onetencommunications.com>
2020-10-28 14:21:53 +01:00
Mariusz Felisiak
3418092238
Fixed #32130 -- Fixed pre-Django 3.1 password reset tokens validation.
Thanks Gordon Wrigley for the report and implementation idea.

Regression in 226ebb1729.
2020-10-22 13:21:14 +02:00
Jacob Walls
0362b0e986 Fixed #26615 -- Made password reset token invalidate when changing email.
Co-Authored-By: Silas Barta <sbarta@gmail.com>
2020-10-21 09:29:53 +02:00
Hannes Ljungberg
f7963615eb Fixed #32121 -- Fixed detecting uniqueness of USERNAME_FIELD when using Meta.constraints.
Co-authored-by: Simon Charette <charettes@users.noreply.github.com>
2020-10-20 07:23:51 +02:00
Alexander Todorov
5fab16392f
Fixed #32003 -- Added obj argument to has_perm() methods in tests. 2020-09-14 12:28:17 +02:00
Tom Carrick
bcc2befd0e Fixed #31789 -- Added a new headers interface to HttpResponse. 2020-09-14 08:41:59 +02:00
Jon Dufresne
53c0d16ac1
Fixed #31992 -- Made admin password reset templates use title/content_title blocks from the base template. 2020-09-10 11:53:09 +02:00
Collin Anderson
daa26acc4e Fixed #31978 -- Added username hint to admin's password reset confirmation form. 2020-09-03 09:25:21 +02:00
Yan Mitrofanov
b88f98738f Fixed #31878 -- Made createsuperuser respect --database option in default usernames. 2020-08-14 11:08:20 +02:00
Yan Mitrofanov
552bb82928 Fixed typo in tests/auth_tests/test_management.py docstring. 2020-08-14 11:08:12 +02:00
Jacob Walls
c7e7f176c1 Fixed #26977 -- Made abstract models raise TypeError when instantiating. 2020-08-05 06:37:04 +02:00
Mariusz Felisiak
d907371ef9 Fixed #31842 -- Added DEFAULT_HASHING_ALGORITHM transitional setting.
It's a transitional setting helpful in migrating multiple instance of
the same project to Django 3.1+.

Thanks Markus Holtermann for the report and review, Florian
Apolloner for the implementation idea and review, and Carlton Gibson
for the review.
2020-08-04 09:35:24 +02:00
Jon Dufresne
5a3d7cf462
Used urllib.parse.urljoin() in auth_tests to join URLs.
As the strings represent URLs and not paths, should use urllib to
manipulate them.
2020-07-09 12:03:03 +02:00
Hasan Ramezani
7af8f41273 Refs #26445 -- Allowed using UserManager.create_user()/create_superuser() in migrations.
Used app config to lookup user model in _create_user().

Thanks Markus Holtermann for the review and initial patch.
Thanks Simon Charette for the implementation idea.
2020-07-06 11:47:22 +02:00
Frantisek Holop
cc7c16af98 Fixed #31443 -- Fixed login redirection in auth mixins when LOGIN_URL is off-site URL. 2020-06-23 10:38:35 +02:00
Jon Moroney
136ec9b62b Refs #31358 -- Added decode() to password hashers.
By convention a hasher which does not use a salt should populate the
decode dict with `None` rather than omit the dict key.

Co-Authored-By: Florian Apolloner <apollo13@users.noreply.github.com>
2020-06-23 08:36:59 +02:00
Florian Apolloner
1621f06051 Fixed #30472 -- Made Argon2PasswordHasher use Argon2id. 2020-06-17 08:10:41 +02:00
Florian Apolloner
ee49cf4f35 Added test for old Argon2i hashes with version attribute. 2020-06-17 08:10:41 +02:00
Simon Charette
94f63b926f Refs #31395 -- Relied on setUpTestData() test data isolation in various tests. 2020-05-15 20:22:56 +02:00
Jon Dufresne
d522b51c40 Fixed #31575 -- Added system check for admin sidebar request context processor dependency.
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
2020-05-14 11:00:51 +02:00
François Freitag
c8bebbd541
Disabled management commands output with verbosity 0 in various tests. 2020-05-13 09:12:43 +02:00
Mariusz Felisiak
f2187a227f Increased the default PBKDF2 iterations for Django 3.2. 2020-05-13 09:07:51 +02:00
Jon Dufresne
d6aff369ad Refs #30116 -- Simplified regex match group access with Match.__getitem__().
The method has been available since Python 3.6. The shorter syntax is
also marginally faster.
2020-05-11 12:01:28 +02:00
François Freitag
a0df5dea33
Removed unnecessary inner methods in CreatesuperuserManagementCommandTestCase. 2020-05-01 20:51:44 +02:00
Mariusz Felisiak
54646a423b
Refs #27468 -- Made user sessions use SHA-256 algorithm. 2020-04-29 16:45:00 +02:00
François Freitag
9ef4a18dbe Changed django.forms.ValidationError imports to django.core.exceptions.ValidationError.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-04-28 10:49:00 +02:00
Jon Dufresne
505fec6bad Capitalized Unicode in docs, strings, and comments. 2020-04-20 12:10:33 +02:00
François Freitag
c86201b6ed Disabled management commands output with verbosity 0 in various tests.
Instead of capturing the command output and discard it immediately,
tell the command not to log.
2020-04-20 09:09:26 +02:00
François Freitag
45e96b4d9d
Removed unnecessary capturing of stdout/stderr in auth_tests.test_management. 2020-04-20 09:08:43 +02:00
Hasan Ramezani
8aa71f4e87 Fixed #31375 -- Made contrib.auth.hashers.make_password() accept only bytes or strings. 2020-03-31 10:52:56 +02:00
Hasan Ramezani
b3ab92cc5a Refs #31375 -- Added test for contrib.auth.hashers.make_password() bytes support. 2020-03-31 10:49:39 +02:00
Jon Dufresne
3857a08bdb Fixed #31361 -- Fixed invalid action="" in admin forms.
The attribute action="" (empty string) on the <form> element is invalid
HTML5. The spec (https://html.spec.whatwg.org/#attr-fs-action) says:

> The action and formaction content attributes, if specified, must have
> a value that is a valid non-empty URL potentially surrounded by
> spaces.

Emphasis on non-empty. The action attribute is allowed to be omitted, in
which case the current URL is used which is the same behavior as now.
2020-03-16 07:31:19 +01:00
Mariusz Felisiak
8725d04764
Fixed random auth_tests.test_tokens.TokenGeneratorTest.test_timeout failures.
Random failures depended on the current timestamp.

Thanks Matthijs Kooijman for the review.
2020-03-12 10:56:38 +01:00
Colton Hicks
f283ffaa84 Fixed #28699 -- Fixed CSRF validation with remote user middleware.
Ensured process_view() always accesses the CSRF token from the session
or cookie, rather than the request, as rotate_token() may have been called
by an authentication middleware during the process_request() phase.
2020-02-26 17:25:20 +01:00
aryan
fba5d3b6e6 Fixed #31289 -- Added hint for USERNAME_FIELD/REQUIRED_FIELDS system check. 2020-02-26 08:40:36 +01:00
Claude Paroz
4d973f5939 Refs #26601 -- Deprecated passing None as get_response arg to middleware classes.
This is the new contract since middleware refactoring in Django 1.10.

Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-02-18 20:03:44 +01:00
Claude Paroz
da4923ea87 Refs #27468 -- Made PasswordResetTokenGenerator use SHA-256 algorithm. 2020-02-12 21:46:56 +01:00
Claude Paroz
27f67317da Removed unnecessary token regex in auth_tests URLs.
All URLs in django.contrib.auth use a "<uidb64>/<token>" pattern.
2020-02-12 10:45:53 +01:00
Hasan Ramezani
fc4f45ebdc Used assertRaisesMessage() in various tests. 2020-02-07 12:46:23 +01:00
Hasan Ramezani
579f33eb79 Replaced assertWarns() with SimpleTestCase.assertWarnsMessage() in tests. 2020-01-30 11:19:50 +01:00
Jon Dufresne
f791673537
Made token tests in auth_tests use assertIs() rather than assertTrue/False(). 2020-01-29 09:01:18 +01:00
Michael Mulholland
5a68a223c7 Fixed #31200 -- Added system checks for permissions codenames max length. 2020-01-23 12:22:59 +01:00
Matthijs Kooijman
2a2ea4ee18 Refs #31117 -- Made various tests properly handle unexpected databases aliases.
- Used selected "databases" instead of django.db.connections.
- Made routers in tests.migrations skip migrations on unexpected
  databases.
- Added DiscoverRunnerGetDatabasesTests.assertSkippedDatabases() hook
  which properly asserts messages about skipped databases.
2020-01-20 14:39:02 +01:00
Mariusz Felisiak
1960d55f8b
Refs #31040 -- Fixed crypt.crypt() call in test_hashers.py.
An empty string is invalid salt in Python 3 and raises exception since
Python 3.9, see https://bugs.python.org/issue38402.
2020-01-03 07:47:04 +01:00
Simon Charette
5b1fbcef7a Fixed CVE-2019-19844 -- Used verified user email for password reset requests.
Co-Authored-By: Florian Apolloner <florian@apolloner.eu>
2019-12-18 09:11:39 +01:00
Baptiste Mispelon
3df3c5e670 Fixed #26480 -- Fixed crash of contrib.auth.authenticate() on decorated authenticate() methods of authentication backends.
The Signature API (PEP 362) has better support for decorated functions
(by default, it follows the __wrapped__ attribute set by
functools.wraps for example).
2019-12-10 09:36:30 +01:00
Carlton Gibson
11c5e0609b Fixed CVE-2019-19118 -- Required edit permissions on parent model for editable inlines in admin.
Thank you to Shen Ying for reporting this issue.
2019-12-02 08:56:08 +01:00
Mariusz Felisiak
e8fcdaad5c Fixed #31021 -- Fixed proxy model permissions data migration crash with a multiple databases setup.
Regression in 98296f86b3.
2019-11-29 08:23:01 +01:00
Jon Dufresne
7f0946298e Replaced encode() usage with bytes literals. 2019-11-18 15:31:42 +01:00
Mariusz Felisiak
ca0d50f34a Fixed random auth_tests.test_tokens.TokenGeneratorTest.test_10265 failures.
Random failures depended on the current timestamp.
2019-11-13 14:22:23 +01:00
Mariusz Felisiak
3b4b36fb1d Moved MockedPasswordResetTokenGenerator outside of TokenGeneratorTest.test_timeout(). 2019-11-13 14:22:23 +01:00
Sergey Fedoseev
d4e767911f Added tests for middlewares' checks. 2019-10-23 08:18:02 +02:00
Hasan Ramezani
226ebb1729 Fixed #28622 -- Allowed specifying password reset link expiration in seconds and deprecated PASSWORD_RESET_TIMEOUT_DAYS. 2019-09-20 13:52:04 +02:00
Sam Reynolds
6c9778a58e Fixed #30776 -- Restored max length validation on AuthenticationForm.UsernameField.
Regression in 5ceaf14686.

Thanks gopackgo90 for the report and Mariusz Felisiak for tests.
2019-09-18 11:37:38 +02:00
Carlton Gibson
b5db65c4fb Increased the default PBKDF2 iterations for Django 3.1. 2019-09-12 17:24:01 +02:00
Mariusz Felisiak
d17be88afd Refs #30037 -- Required the RemoteUserBackend.configure_user() to have request as the first positional argument.
Per deprecation timeline.
2019-09-10 12:01:00 +02:00
Berker Peksag
400ec5125e Fixed #18763 -- Added ModelBackend/UserManager.with_perm() methods.
Co-authored-by: Nick Pope <nick.pope@flightdataservices.com>
2019-08-29 19:32:12 +02:00
daniel a rios
b5a5c92c72 Fixed #30066 -- Enabled super user creation without email and password 2019-08-29 12:49:16 +02:00
Carlton Gibson
57b9604451 Converted auth test to use subTest(). 2019-08-29 12:49:16 +02:00
Hasan Ramezani
03dbdfd9bb Fixed #29019 -- Added ManyToManyField support to REQUIRED_FIELDS. 2019-08-26 14:48:40 +02:00
Hasan Ramezani
a5308514fb Fixed #27801 -- Made createsuperuser fall back to environment variables for password and required fields. 2019-07-02 12:55:09 +02:00
Jon Dufresne
42b9a23267 Fixed #30400 -- Improved typography of user facing strings.
Thanks Claude Paroz for assistance with translations.
2019-06-28 16:46:18 +02:00
Sanyam Khurana
87f5d07eed Fixed #12952 -- Adjusted admin log change messages to use form labels instead of field names. 2019-06-14 18:20:29 +02:00
Aymeric Augustin
3ee0834a46 Fixed #30556 -- Avoided useless query and hasher call in ModelBackend.authenticate() when credentials aren't provided.
There's no need to fetch a user instance from the database unless
a username and a password are provided as credentials.
2019-06-10 11:12:31 +02:00
Hasan Ramezani
dcb8f00d06 Fixed #29379 -- Added autocomplete attribute to contrib.auth.forms fields.
Thank you to Nick Pope for review.

Co-authored-by: CHI Cheng <cloudream@gmail.com>
2019-06-07 12:44:39 +02:00
Tobias Bengfort
581a0f4545 Refs #30226 -- Added User.get_user_permissions() method.
Added to mirror the existing User.get_group_permissions().
2019-06-05 13:56:37 +02:00
Tobias Bengfort
75337a6050 Fixed #30226 -- Added BaseBackend for authentication. 2019-06-05 13:39:46 +02:00
Mattia Procopio
aff61790a3 Refs #24944 -- Added test for overriding domain in email context in PasswordResetView. 2019-05-27 11:50:30 +02:00
Rob
58df8aa40f Fixed #28780 -- Allowed specyfing a token parameter displayed in password reset URLs.
Co-authored-by: Tim Givois <tim.givois.mendez@gmail.com>
2019-05-24 08:40:25 +02:00
Ally Weir
bd228cb599 Fixed mis-capitalisation in comment. 2019-05-15 12:14:59 +02:00
Carlton Gibson
98296f86b3
Fixed #30351 -- Handled pre-existing permissions in proxy model permissions data migration.
Regression in 181fb60159.
2019-04-27 20:18:22 +02:00
Jon Dufresne
8d76443aba Fixed #30399 -- Changed django.utils.html.escape()/urlize() to use html.escape()/unescape(). 2019-04-25 15:09:07 +02:00
Markus Holtermann
da0b2554ec Renamed camelCaseTestMethods to snake_case_test_methods 2019-04-14 16:14:14 +02:00
pmisteli
9410db9683 Fixed #30236 -- Made UsernameField render with autocapitalize="none" HTML attribute.
This prevents automatic capitalization, which is the default behavior in
some browsers.
2019-03-29 15:24:44 +01:00
Ryan J Schave
cbf7e71558 Fixed #30257 -- Made UsernameValidators prohibit trailing newlines. 2019-03-22 13:16:25 -04:00
Jon Dufresne
95b7699ffc Cleaned up exception message checking in some tests. 2019-03-15 19:27:57 -04:00
Claude Paroz
a8e2a9bac6 Refs #15902 -- Deprecated storing user's language in the session. 2019-02-14 10:23:02 -05:00
Tim Graham
06670015f7 Increased the default PBKDF2 iterations for Django 3.0. 2019-01-17 11:15:27 -05:00
Arthur Rio
181fb60159 Fixed #11154, #22270 -- Made proxy model permissions use correct content type.
Co-Authored-By: Simon Charette <charette.s@gmail.com>
Co-Authored-By: Antoine Catton <acatton@fusionbox.com>
2019-01-16 10:07:28 -05:00
Simon Charette
8c775391b7 Refs #28478 -- Deprecated TestCase's allow_database_queries and multi_db in favor of databases. 2019-01-10 19:11:21 -05:00
Joshua Cannon
db1b10ef0d Fixed #30037 -- Added request arg to RemoteUserBackend.configure_user(). 2019-01-09 20:01:04 -05:00
Tim Graham
043bd70942 Updated test URL patterns to use path() and re_path(). 2018-12-31 10:47:32 -05:00
Tim Graham
194a4b526c Added tests for ContentType/Group/Permission.__str__(). 2018-12-21 12:45:02 -05:00
Simon Charette
0f212db29d Made reused RequestFactory instances class attributes. 2018-11-27 09:49:02 -05:00
Simon Charette
84e7a9f4a7 Switched setUp() to setUpTestData() where possible in Django's tests. 2018-11-27 09:35:17 -05:00
Tim Graham
193c109327 Switched TestCase to SimpleTestCase where possible in Django's tests. 2018-11-27 08:58:44 -05:00
Mathew Payne
26bb2611a5 Fixed #29952 -- Lowercased all passwords in contrib.auth's auth/common-passwords.txt.gz. 2018-11-15 14:11:03 -05:00
Jon Dufresne
c82893cb8c Refs #27795 -- Removed force_bytes() usage from django/utils/http.py.
django.utils.http.urlsafe_base64_encode() now returns a string, not a
bytestring. Since URLs are represented as strings,
urlsafe_base64_encode() should return a string. All uses immediately
decoded the bytestring to a string anyway.

As the inverse operation, urlsafe_base64_decode() accepts a string.
2018-10-10 14:38:22 -04:00
Tim Graham
a7284cc0c3 Fixed #29809 -- Fixed a crash when a "view only" user POSTs to the admin user change form. 2018-10-01 10:09:50 +02:00
Carlton Gibson
bf39978a53 Fixed CVE-2018-16984 -- Fixed password hash disclosure to admin "view only" users.
Thanks Claude Paroz & Tim Graham for collaborating on the patch.
2018-10-01 10:05:01 +02:00
Ramon Saraiva
2349cbd909 Fixed #29782 -- Added better error message when filtering queryset with AnonymousUser. 2018-09-26 15:36:19 -04:00
Jon Dufresne
82f286cf6f Refs #29784 -- Switched to https:// links where available. 2018-09-26 08:48:47 +02:00
Alexey
8624459586 Added a test for password_changed() with a custom validator. 2018-09-25 11:58:05 -04:00
Josh Schneier
3daac76cfb Simplified how createsuperuser tests generate passwords. 2018-08-18 16:26:13 -04:00
Alexander Todorov
53ebd4cb13 Fixed #29686 -- Made UserAdmin.user_change_password() pass user to has_change_permission(). 2018-08-17 17:43:00 -04:00
Josh Schneier
8b43e9b1af Fixed #29616 -- Fixed createsuperuser for user models that don't have a password field. 2018-08-05 14:26:03 -04:00
Josh Schneier
793e9bb35a Fixed #29628 -- Made createsuperuser validate password against username and required fields. 2018-08-04 08:44:25 -04:00
Tim Graham
f3fa86a89b Fixed #29449 -- Reverted "Fixed #28757 -- Allowed using contrib.auth forms without installing contrib.auth."
This reverts commit 3333d935d2 due to
a crash if USERNAME_FIELD isn't a CharField.
2018-07-02 18:39:26 -04:00
Tim Graham
5d98d53fab Refs #27398 -- Simplified some tests with assertRedirects(). 2018-06-20 14:08:56 -04:00
Jan Pieter Waagmeester
24959e48d9 Fixed #27398 -- Added an assertion to compare URLs, ignoring the order of their query strings. 2018-06-20 13:26:12 -04:00
Hasan Ramezani
6df3d36801 Added a missing test for createsuperuser management command. 2018-06-07 19:49:25 -04:00
Claude Paroz
bec651a427 Fixed #10827 -- Ensured ContentTypes are created before permission creation. 2018-06-03 22:19:04 -04:00
Dohyeon Kim
f1f4aeb22e Fixed #28044 -- Unified the logic for createsuperuser's interactive and --noinput modes. 2018-05-29 08:41:32 -04:00
Hasan Ramezani
e0ff88be4f Added test for createsuperuser's handling of KeyboardInterrupt. 2018-05-27 19:24:07 -04:00
Tim Graham
9792af3648 Increased the default PBKDF2 iterations for Django 2.2. 2018-05-17 11:05:45 -04:00
olivierdalang
825f0beda8 Fixed #8936 -- Added a view permission and a read-only admin.
Co-authored-by: Petr Dlouhy <petr.dlouhy@email.cz>
Co-authored-by: Olivier Dalang <olivier.dalang@gmail.com>
2018-05-16 06:44:55 -04:00
Tim Graham
cae0107287 Increased the default PBKDF2 iterations for Django 2.1. 2018-05-13 20:06:20 -04:00
Claude Paroz
607970f31c Replaced django.test.utils.patch_logger() with assertLogs().
Thanks Tim Graham for the review.
2018-05-07 09:34:00 -04:00
Nick Pope
df90e462d9 Fixed #29212 -- Doc'd redirect loop if @permission_required used with redirect_authenticated_user. 2018-04-19 10:21:24 -04:00
Mads Jensen
9c651641f1 Added additional AdminPasswordChangeForm tests. 2018-04-04 11:25:28 -04:00
Malte Gerth
874977d388 Fixed #29270 -- Fixed UserChangeForm crash if password field is excluded. 2018-03-29 15:25:54 -04:00
Abeer Upadhyay
1bf4646f91 Fixed #29258 -- Added type checking for login()'s backend argument. 2018-03-28 10:10:18 -04:00
Tim Graham
a4f0e9aec7 Fixed #28718 -- Allowed user to request a password reset if their password doesn't use an enabled hasher.
Regression in aeb1389442.
Reverted changes to is_password_usable() from
703c266682 and documentation changes from
92f48680db.
2018-03-22 10:03:43 -04:00
Mariusz Felisiak
362813d628
Fixed hanging indentation in various code. 2018-03-16 10:54:34 +01:00
Mattia Procopio
aeb8c38178 Fixed #29206 -- Fixed PasswordResetConfirmView crash when the URL contains a non-UUID where one is expected. 2018-03-15 21:33:15 -04:00
Christophe Mehay
40bac28faa Fixed #29176 -- Fixed AbstractBaseUser.normalize_username() crash if username isn't a string. 2018-03-02 11:32:53 -05:00
Tim Graham
5b589a47b9
Fixed #29161 -- Removed BCryptPasswordHasher from PASSWORD_HASHERS. 2018-02-26 09:05:18 -05:00
Mikhail Porokhovnichenko
14e34dcf8c Fixed #29132 -- Avoided connecting update_last_login() handler if User.last_login isn't a field. 2018-02-21 10:36:31 -05:00
Dylan Verheul
9b1125bfc7 Fixed #28379 -- Made AccessMixin raise Permissiondenied for authenticated users. 2018-02-16 13:58:55 -05:00
Tim Graham
fa75b2cb51
Refs #27795 -- Removed force_bytes/text() usage in tests. 2018-02-07 14:20:04 -05:00
Tim Graham
af33fb250e Fixed CVE-2018-6188 -- Fixed information leakage in AuthenticationForm.
Reverted 359370a8b8 (refs #28645).

This is a security fix.
2018-02-01 09:05:14 -05:00
shanghui
3333d935d2 Fixed #28757 -- Allowed using contrib.auth forms without installing contrib.auth.
Also fixed #28608 -- Allowed UserCreationForm and UserChangeForm to
work with custom user models.

Thanks Sagar Chalise and Rômulo Collopy for reports, and Tim Graham
and Tim Martin for reviews.
2018-01-05 14:47:37 -05:00
Дилян Палаузов
d7b2aa24f7 Fixed #28982 -- Simplified code with and/or. 2018-01-03 20:12:23 -05:00
Tim Graham
acc8dd4142
Fixed #28984 -- Made assorted code simplifications. 2018-01-03 13:24:02 -05:00
Alvin Lindstam
2cb6b7732d Fixed #28902 -- Fixed password_validators_help_text_html() double escaping. 2018-01-02 19:51:06 -05:00
shanghui
359370a8b8 Fixed #28645 -- Reallowed AuthenticationForm to raise the inactive user error when using ModelBackend.
Regression in e0a3d93730.

Thanks Guilherme Junqueira for the report and Tim Graham for the review.
2017-11-08 09:39:12 -05:00
Дилян Палаузов
6c0042430e Fixed #28776 -- Fixed a/an/and typos in docs and comments. 2017-11-06 22:41:03 -05:00
Tom
b81905bfd4 Fixed #28571 -- Added a prompt to bypass password validation in createsuperuser. 2017-11-03 20:00:08 -04:00
Tim Graham
872be5976d Improved technique for matching input prompts in contrib.auth management tests. 2017-11-03 20:00:08 -04:00
Jon Dufresne
6ed347d851 Fixed #28706 -- Moved AuthenticationFormn invalid login ValidationError to a method for reuse. 2017-10-23 09:10:45 -04:00
Lucas Connors
5ceaf14686 Fixed #27515 -- Made AuthenticationForm's username field use the max_length from the model field.
Thanks Ramin Farajpour Cami for the report.
2017-10-20 11:13:26 -04:00
Lucas Connors
d233391208 Refs #19130 -- Added a test for AuthenticationForm.username max_length.
This will be a more useful regression test after refs #27515.
2017-10-20 11:10:32 -04:00
Yuri Kaszubowski Lopes
d98210c255 Fixed #28713 -- Prevented ModelBackend.get_all_permissions() from mutating get_user_permissions(). 2017-10-14 20:47:49 -04:00
Hasan Ramezani
6aec130a4c Fixed #28591 -- Added an error message for createsuperuser --username= (blank). 2017-10-09 21:49:35 -04:00
Mads Jensen
3e72f4b7b6 Completed test coverage for BasePasswordHasher. 2017-09-29 09:28:25 -04:00
Mads Jensen
776f6902d9 Moved BasePasswordHasher tests to its own test case. 2017-09-29 09:28:24 -04:00
Mads Jensen
d917c17a3b Completed test coverage for AnonymousUser. 2017-09-28 13:11:23 -04:00
Mads Jensen
7fce4dc5ff Moved AnonymousUser tests to its own test case. 2017-09-28 13:11:07 -04:00
Mads Jensen
4803834aaa Added a test for PermWrapper.__iter__(). 2017-09-26 19:42:50 -04:00
Tim Graham
67a6ba391b Reverted "Fixed #28248 -- Fixed password reset tokens being valid for 1 day longer than PASSWORD_RESET_TIMEOUT_DAYS."
This reverts commit 95993a89ce.
2017-09-25 09:05:00 -04:00
Tim Graham
5e31be1b96 Refs #25187 -- Required the authenticate() method of authentication backends to have request as the first positional argument.
Per deprecation timeline.
2017-09-22 12:51:18 -04:00
Tim Graham
6e40b70bf4 Refs #26929 -- Removed extra_context parameter of contrib.auth.views.logout_then_login().
Per deprecation timeline.
2017-09-22 12:51:17 -04:00