Lily Foote 
							
						 
					 
					
						
						
							
						
						45078a204b 
					 
					
						
						
							
							Defined PASSWORD_HASHERS for auth_tests.test_views.ChangelistTests.  
						
						
						
						
						auth_tests.test_views.ChangelistTests.test_view_user_password_is_readonly
depends on the password hasher having the three components algorithm,
salt and hash.
The default password hasher (PBKDF2PasswordHasher) has an extra
iterations component, breaking the test. 
						
						
					 
					
						2023-09-20 05:35:49 +02:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
						
						9a01311d20 
					 
					
						
						
							
							Refs #15619 -- Removed support for logging out via GET requests.

						Per deprecation timeline.
						
						
					 
					
						2023-01-17 11:49:15 +01:00 
						 
				 
			
				
					
						
							
							
								David Wobrock 
							
						 
					 
					
						
						
							
						
						99bd5fb4c2 
					 
					
						
						
							
							Refs #34074 -- Used headers argument for RequestFactory and Client in docs and tests.
						
						
						
						
					 
					
						2023-01-04 09:11:36 +01:00 
						 
				 
			
				
					
						
							
							
								Shai Berger 
							
						 
					 
					
						
						
							
						
						fdf0f62521 
					 
					
						
						
							
							Fixed ReadOnlyPasswordHashWidget's template for RTL languages.  
						
						
						
						
					 
					
						2022-09-01 21:20:15 +02:00 
						 
				 
			
				
					
						
							
							
								Aymeric Augustin 
							
						 
					 
					
						
						
							
						
						5dfa6fca96 
					 
					
						
						
							
							Refactored out RedirectURLMixin.get_success_url().  
						
						
						
						
						This also adds a default implementation of get_default_redirect_url(). 
						
						
					 
					
						2022-04-20 10:04:29 +02:00 
						 
				 
			
				
					
						
							
							
								Aymeric Augustin 
							
						 
					 
					
						
						
							
						
						04bc2564b6 
					 
					
						
						
							
							Simplified LogoutView.get_success_url().  
						
						
						
						
						This preserves the behavior of redirecting to the logout URL without
query string parameters when an insecure ?next=... parameter is given.
It changes the behavior of a POST to the logout URL, as shown by the
test that is changed. Currently, this results in a GET to the logout
URL. However, such GET requests are deprecated. This change would be
necessary in Django 5.0 anyway. This commit merely anticipates it. 
						
						
					 
					
						2022-04-20 10:04:29 +02:00 
						 
				 
			
				
					
						
							
							
								Aymeric Augustin 
							
						 
					 
					
						
						
							
						
						5591a72571 
					 
					
						
						
							
							Fixed #33648 -- Prevented extra redirect in LogoutView on invalid next page when LOGOUT_REDIRECT_URL is set.
						
						
						
						
					 
					
						2022-04-18 16:33:10 +02:00 
						 
				 
			
				
					
						
							
							
								René Fleschenberg 
							
						 
					 
					
						
						
							
						
						eb07b5be0c 
					 
					
						
						
							
							Fixed #15619 -- Deprecated log out via GET requests.

						Thanks Florian Apolloner for the implementation idea.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
						
						
					 
					
						2022-03-29 06:42:14 +02:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
						
						94d8ed55fa 
					 
					
						
						
							
							Refs #15619 -- Logged out with POST requests in admin.
						
						
						
						
					 
					
						2022-03-24 17:41:53 +01:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
						
						7119f40c98 
					 
					
						
						
							
							Refs #33476 -- Refactored code to strictly match 88 characters line length.
						
						
						
						
					 
					
						2022-02-07 20:37:05 +01:00 
						 
				 
			
				
					
						
							
							
								django-bot 
							
						 
					 
					
						
						
							
						
						9c19aff7c7 
					 
					
						
						
							
							Refs #33476 -- Reformatted code with Black.
						
						
						
						
					 
					
						2022-02-07 20:37:05 +01:00 
						 
				 
			
				
					
						
							
							
								Chris Jerdonek 
							
						 
					 
					
						
						
							
						
						f3825ee050 
					 
					
						
						
							
							Fixed wording of AuthViewsTestCase's docstring.  
						
						
						
						
					 
					
						2021-07-19 06:36:20 +02:00 
						 
				 
			
				
					
						
							
							
								Mateo Radman 
							
						 
					 
					
						
						
							
						
						8a7ac78b70 
					 
					
						
						
							
							Refs #32508 -- Raised ImproperlyConfigured/TypeError instead of using "assert" in various code.
						
						
						
						
					 
					
						2021-06-25 06:55:47 +02:00 
						 
				 
			
				
					
						
							
							
								ThinkChaos 
							
						 
					 
					
						
						
							
						
						b99d6c9cbc 
					 
					
						
						
							
							Fixed #28216 -- Added next_page/get_default_redirect_url() to LoginView.
						
						
						
						
					 
					
						2021-02-08 21:08:05 +01:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
						
						6b4941dd57 
					 
					
						
						
							
							Refs #27468 -- Removed support for the pre-Django 3.1 user sessions.

						Per deprecation timeline.
						
						
					 
					
						2021-01-14 17:50:04 +01:00 
						 
				 
			
				
					
						
							
							
								Jon Moroney 
							
						 
					 
					
						
						
							
						
						76ae6ccf85 
					 
					
						
						
							
							Fixed #31358 -- Increased salt entropy of password hashers.

						Co-authored-by: Florian Apolloner <florian@apolloner.eu>
						
						
					 
					
						2021-01-14 11:20:28 +01:00 
						 
				 
			
				
					
						
							
							
								Tom Carrick 
							
						 
					 
					
						
						
							
						
						bcc2befd0e 
					 
					
						
						
							
							Fixed #31789 -- Added a new headers interface to HttpResponse.
						
						
						
						
					 
					
						2020-09-14 08:41:59 +02:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						5a3d7cf462 
					 
					
						
						
							
							Used urllib.parse.urljoin() in auth_tests to join URLs.  
						
						
						
						
						As the strings represent URLs and not paths, should use urllib to
manipulate them. 
						
						
					 
					
						2020-07-09 12:03:03 +02:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						d6aff369ad 
					 
					
						
						
							
							Refs #30116 -- Simplified regex match group access with Match.__getitem__().

						The method has been available since Python 3.6. The shorter syntax is
also marginally faster.
						
						
					 
					
						2020-05-11 12:01:28 +02:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
						
						54646a423b 
					 
					
						
						
							
							Refs #27468 -- Made user sessions use SHA-256 algorithm.
						
						
						
						
					 
					
						2020-04-29 16:45:00 +02:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						3857a08bdb 
					 
					
						
						
							
							Fixed #31361 -- Fixed invalid action="" in admin forms.

						The attribute action="" (empty string) on the <form> element is invalid
HTML5. The spec (https://html.spec.whatwg.org/#attr-fs-action) says:
> The action and formaction content attributes, if specified, must have
> a value that is a valid non-empty URL potentially surrounded by
> spaces.
Emphasis on non-empty. The action attribute is allowed to be omitted, in
which case the current URL is used which is the same behavior as now.
						
						
					 
					
						2020-03-16 07:31:19 +01:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						4d973f5939 
					 
					
						
						
							
							Refs #26601 -- Deprecated passing None as get_response arg to middleware classes.

						This is the new contract since middleware refactoring in Django 1.10.
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
						
						
					 
					
						2020-02-18 20:03:44 +01:00 
						 
				 
			
				
					
						
							
							
								Carlton Gibson 
							
						 
					 
					
						
						
							
						
						11c5e0609b 
					 
					
						
						
							
							Fixed CVE-2019-19118 -- Required edit permissions on parent model for editable inlines in admin.  
						
						
						
						
						Thank you to Shen Ying for reporting this issue. 
						
						
					 
					
						2019-12-02 08:56:08 +01:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						7f0946298e 
					 
					
						
						
							
							Replaced encode() usage with bytes literals.  
						
						
						
						
					 
					
						2019-11-18 15:31:42 +01:00 
						 
				 
			
				
					
						
							
							
								Sanyam Khurana 
							
						 
					 
					
						
						
							
						
						87f5d07eed 
					 
					
						
						
							
							Fixed #12952 -- Adjusted admin log change messages to use form labels instead of field names.
						
						
						
						
					 
					
						2019-06-14 18:20:29 +02:00 
						 
				 
			
				
					
						
							
							
								Mattia Procopio 
							
						 
					 
					
						
						
							
						
						aff61790a3 
					 
					
						
						
							
							Refs #24944 -- Added test for overriding domain in email context in PasswordResetView.
						
						
						
						
					 
					
						2019-05-27 11:50:30 +02:00 
						 
				 
			
				
					
						
							
							
								Rob 
							
						 
					 
					
						
						
							
						
						58df8aa40f 
					 
					
						
						
							
							Fixed #28780 -- Allowed specifying a token parameter displayed in password reset URLs.

						Co-authored-by: Tim Givois <tim.givois.mendez@gmail.com>
						
						
					 
					
						2019-05-24 08:40:25 +02:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						95b7699ffc 
					 
					
						
						
							
							Cleaned up exception message checking in some tests.  
						
						
						
						
					 
					
						2019-03-15 19:27:57 -04:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						a8e2a9bac6 
					 
					
						
						
							
							Refs #15902 -- Deprecated storing user's language in the session.
						
						
						
						
					 
					
						2019-02-14 10:23:02 -05:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						043bd70942 
					 
					
						
						
							
							Updated test URL patterns to use path() and re_path().  
						
						
						
						
					 
					
						2018-12-31 10:47:32 -05:00 
						 
				 
			
				
					
						
							
							
								Simon Charette 
							
						 
					 
					
						
						
							
						
						84e7a9f4a7 
					 
					
						
						
							
							Switched setUp() to setUpTestData() where possible in Django's tests.  
						
						
						
						
					 
					
						2018-11-27 09:35:17 -05:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						c82893cb8c 
					 
					
						
						
							
							Refs #27795 -- Removed force_bytes() usage from django/utils/http.py.

						django.utils.http.urlsafe_base64_encode() now returns a string, not a
bytestring. Since URLs are represented as strings,
urlsafe_base64_encode() should return a string. All uses immediately
decoded the bytestring to a string anyway.
As the inverse operation, urlsafe_base64_decode() accepts a string.
						
						
					 
					
						2018-10-10 14:38:22 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						a7284cc0c3 
					 
					
						
						
							
							Fixed #29809 -- Fixed a crash when a "view only" user POSTs to the admin user change form.
						
						
						
						
					 
					
						2018-10-01 10:09:50 +02:00 
						 
				 
			
				
					
						
							
							
								Carlton Gibson 
							
						 
					 
					
						
						
							
						
						bf39978a53 
					 
					
						
						
							
							Fixed CVE-2018-16984 -- Fixed password hash disclosure to admin "view only" users.  
						
						
						
						
						Thanks Claude Paroz & Tim Graham for collaborating on the patch. 
						
						
					 
					
						2018-10-01 10:05:01 +02:00 
						 
				 
			
				
					
						
							
							
								Alexander Todorov 
							
						 
					 
					
						
						
							
						
						53ebd4cb13 
					 
					
						
						
							
							Fixed #29686 -- Made UserAdmin.user_change_password() pass user to has_change_permission().
						
						
						
						
					 
					
						2018-08-17 17:43:00 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						5d98d53fab 
					 
					
						
						
							
							Refs #27398 -- Simplified some tests with assertRedirects().
						
						
						
						
					 
					
						2018-06-20 14:08:56 -04:00 
						 
				 
			
				
					
						
							
							
								Jan Pieter Waagmeester 
							
						 
					 
					
						
						
							
						
						24959e48d9 
					 
					
						
						
							
							Fixed #27398 -- Added an assertion to compare URLs, ignoring the order of their query strings.
						
						
						
						
					 
					
						2018-06-20 13:26:12 -04:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						607970f31c 
					 
					
						
						
							
							Replaced django.test.utils.patch_logger() with assertLogs().  
						
						
						
						
						Thanks Tim Graham for the review. 
						
						
					 
					
						2018-05-07 09:34:00 -04:00 
						 
				 
			
				
					
						
							
							
								Nick Pope 
							
						 
					 
					
						
						
							
						
						df90e462d9 
					 
					
						
						
							
							Fixed #29212 -- Doc'd redirect loop if @permission_required used with redirect_authenticated_user.
						
						
						
						
					 
					
						2018-04-19 10:21:24 -04:00 
						 
				 
			
				
					
						
							
							
								Mattia Procopio 
							
						 
					 
					
						
						
							
						
						aeb8c38178 
					 
					
						
						
							
							Fixed #29206 -- Fixed PasswordResetConfirmView crash when the URL contains a non-UUID where one is expected.
						
						
						
						
					 
					
						2018-03-15 21:33:15 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						fa75b2cb51 
					 
					
						
						
							
							Refs #27795 -- Removed force_bytes/text() usage in tests.
						
						
						
						
					 
					
						2018-02-07 14:20:04 -05:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						6e40b70bf4 
					 
					
						
						
							
							Refs #26929 -- Removed extra_context parameter of contrib.auth.views.logout_then_login().

						Per deprecation timeline.
						
						
					 
					
						2017-09-22 12:51:17 -04:00 
						 
				 
			
				
					
						
							
							
								Luoxzhg 
							
						 
					 
					
						
						
							
						
						ffbee67f8e 
					 
					
						
						
							
							Fixed some comments referring to a nonexistent TestClient class.  
						
						
						
						
					 
					
						2017-09-09 11:21:15 -04:00 
						 
				 
			
				
					
						
							
							
								hui shang 
							
						 
					 
					
						
						
							
						
						c0f4c60edd 
					 
					
						
						
							
							Fixed #28513 -- Added POST request support to LogoutView.
						
						
						
						
					 
					
						2017-08-24 09:11:16 -04:00 
						 
				 
			
				
					
						
							
							
								Mikhail Golubev 
							
						 
					 
					
						
						
							
						
						e7dc39fb65 
					 
					
						
						
							
							Fixed #28229 -- Fixed the value of LoginView's "next" template variable.
						
						
						
						
					 
					
						2017-06-13 09:13:22 -04:00 
						 
				 
			
				
					
						
							
							
								Bruno Alla 
							
						 
					 
					
						
						
							
						
						6092ea8fa6 
					 
					
						
						
							
							Refs #27804 -- Used subTest() in several tests.
						
						
						
						
					 
					
						2017-05-24 08:36:34 -04:00 
						 
				 
			
				
					
						
							
							
								Camilo Nova 
							
						 
					 
					
						
						
							
						
						5db465d5a6 
					 
					
						
						
							
							Fixed #27891 -- Added PasswordResetConfirmView.post_reset_login_backend.
						
						
						
						
					 
					
						2017-03-07 19:52:26 -05:00 
						 
				 
			
				
					
						
							
							
								Markus Holtermann 
							
						 
					 
					
						
						
							
						
						b9b35f9efa 
					 
					
						
						
							
							Fixed #27840 -- Fixed KeyError in PasswordResetConfirmView.form_valid().

						When a user is already logged in when submitting the password and
password confirmation to reset a password, a KeyError occurred while
removing the reset session token from the session.
Refs #17209
Thanks Quentin Marlats for the report and Florian Apolloner and Tim
Graham for the review.
						
						
					 
					
						2017-02-15 00:35:04 +01:00 
						 
				 
			
				
					
						
							
							
								Zoltan Gyarmati 
							
						 
					 
					
						
						
							
						
						41ba27fefd 
					 
					
						
						
							
							Fixed #27815 -- Made LoginView pass the request kwarg to AuthenticationForm.
						
						
						
						
					 
					
						2017-02-07 08:54:21 -05:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						29f607927f 
					 
					
						
						
							
							Fixed spelling of "nonexistent".  
						
						
						
						
					 
					
						2017-02-03 08:01:45 -05:00