Jon Moroney 
							
						 
					 
					
						
						
							
						
						76ae6ccf85 
					 
					
						
						
							
Fixed #31358 -- Increased salt entropy of password hashers.

Co-authored-by: Florian Apolloner <florian@apolloner.eu>
						
						
					 
					
						2021-01-14 11:20:28 +01:00 
						 
				 
			
				
					
						
							
							
								Tom Carrick 
							
						 
					 
					
						
						
							
						
						bcc2befd0e 
					 
					
						
						
							
Fixed #31789 -- Added a new headers interface to HttpResponse.
						
						
						
						
					 
					
						2020-09-14 08:41:59 +02:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						5a3d7cf462 
					 
					
						
						
							
							Used urllib.parse.urljoin() in auth_tests to join URLs.  
						
						
						
						
						As the strings represent URLs and not paths, should use urllib to
manipulate them. 
						
						
					 
					
						2020-07-09 12:03:03 +02:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						d6aff369ad 
					 
					
						
						
							
Refs #30116 -- Simplified regex match group access with Match.__getitem__().
						
						
						
						The method has been available since Python 3.6. The shorter syntax is
also marginally faster. 
						
						
					 
					
						2020-05-11 12:01:28 +02:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
						
						54646a423b 
					 
					
						
						
							
Refs #27468 -- Made user sessions use SHA-256 algorithm.
						
						
						
						
					 
					
						2020-04-29 16:45:00 +02:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						3857a08bdb 
					 
					
						
						
							
Fixed #31361 -- Fixed invalid action="" in admin forms.

The attribute action="" (empty string) on the <form> element is invalid
HTML5. The spec (https://html.spec.whatwg.org/#attr-fs-action) says:

> The action and formaction content attributes, if specified, must have
> a value that is a valid non-empty URL potentially surrounded by
> spaces.

Emphasis on non-empty. The action attribute is allowed to be omitted, in
which case the current URL is used which is the same behavior as now.
						
						
					 
					
						2020-03-16 07:31:19 +01:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						4d973f5939 
					 
					
						
						
							
Refs #26601 -- Deprecated passing None as get_response arg to middleware classes.

This is the new contract since middleware refactoring in Django 1.10.

Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
						
						
					 
					
						2020-02-18 20:03:44 +01:00 
						 
				 
			
				
					
						
							
							
								Carlton Gibson 
							
						 
					 
					
						
						
							
						
						11c5e0609b 
					 
					
						
						
							
							Fixed CVE-2019-19118 -- Required edit permissions on parent model for editable inlines in admin.  
						
						
						
						
						Thank you to Shen Ying for reporting this issue. 
						
						
					 
					
						2019-12-02 08:56:08 +01:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						7f0946298e 
					 
					
						
						
							
							Replaced encode() usage with bytes literals.  
						
						
						
						
					 
					
						2019-11-18 15:31:42 +01:00 
						 
				 
			
				
					
						
							
							
								Sanyam Khurana 
							
						 
					 
					
						
						
							
						
						87f5d07eed 
					 
					
						
						
							
Fixed #12952 -- Adjusted admin log change messages to use form labels instead of field names.
						
						
						
						
					 
					
						2019-06-14 18:20:29 +02:00 
						 
				 
			
				
					
						
							
							
								Mattia Procopio 
							
						 
					 
					
						
						
							
						
						aff61790a3 
					 
					
						
						
							
Refs #24944 -- Added test for overriding domain in email context in PasswordResetView.
						
						
						
						
					 
					
						2019-05-27 11:50:30 +02:00 
						 
				 
			
				
					
						
							
							
								Rob 
							
						 
					 
					
						
						
							
						
						58df8aa40f 
					 
					
						
						
							
Fixed #28780 -- Allowed specifying a token parameter displayed in password reset URLs.

Co-authored-by: Tim Givois <tim.givois.mendez@gmail.com>
						
						
					 
					
						2019-05-24 08:40:25 +02:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						95b7699ffc 
					 
					
						
						
							
							Cleaned up exception message checking in some tests.  
						
						
						
						
					 
					
						2019-03-15 19:27:57 -04:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						a8e2a9bac6 
					 
					
						
						
							
Refs #15902 -- Deprecated storing user's language in the session.
						
						
						
						
					 
					
						2019-02-14 10:23:02 -05:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						043bd70942 
					 
					
						
						
							
							Updated test URL patterns to use path() and re_path().  
						
						
						
						
					 
					
						2018-12-31 10:47:32 -05:00 
						 
				 
			
				
					
						
							
							
								Simon Charette 
							
						 
					 
					
						
						
							
						
						84e7a9f4a7 
					 
					
						
						
							
							Switched setUp() to setUpTestData() where possible in Django's tests.  
						
						
						
						
					 
					
						2018-11-27 09:35:17 -05:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						c82893cb8c 
					 
					
						
						
							
Refs #27795 -- Removed force_bytes() usage from django/utils/http.py.
						
						
						
						django.utils.http.urlsafe_base64_encode() now returns a string, not a
bytestring. Since URLs are represented as strings,
urlsafe_base64_encode() should return a string. All uses immediately
decoded the bytestring to a string anyway.
As the inverse operation, urlsafe_base64_decode() accepts a string. 
						
						
					 
					
						2018-10-10 14:38:22 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						a7284cc0c3 
					 
					
						
						
							
Fixed #29809 -- Fixed a crash when a "view only" user POSTs to the admin user change form.
						
						
						
						
					 
					
						2018-10-01 10:09:50 +02:00 
						 
				 
			
				
					
						
							
							
								Carlton Gibson 
							
						 
					 
					
						
						
							
						
						bf39978a53 
					 
					
						
						
							
							Fixed CVE-2018-16984 -- Fixed password hash disclosure to admin "view only" users.  
						
						
						
						
						Thanks Claude Paroz & Tim Graham for collaborating on the patch. 
						
						
					 
					
						2018-10-01 10:05:01 +02:00 
						 
				 
			
				
					
						
							
							
								Alexander Todorov 
							
						 
					 
					
						
						
							
						
						53ebd4cb13 
					 
					
						
						
							
Fixed #29686 -- Made UserAdmin.user_change_password() pass user to has_change_permission().
						
						
						
						
					 
					
						2018-08-17 17:43:00 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						5d98d53fab 
					 
					
						
						
							
Refs #27398 -- Simplified some tests with assertRedirects().
						
						
						
						
					 
					
						2018-06-20 14:08:56 -04:00 
						 
				 
			
				
					
						
							
							
								Jan Pieter Waagmeester 
							
						 
					 
					
						
						
							
						
						24959e48d9 
					 
					
						
						
							
Fixed #27398 -- Added an assertion to compare URLs, ignoring the order of their query strings.
						
						
						
						
					 
					
						2018-06-20 13:26:12 -04:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						607970f31c 
					 
					
						
						
							
							Replaced django.test.utils.patch_logger() with assertLogs().  
						
						
						
						
						Thanks Tim Graham for the review. 
						
						
					 
					
						2018-05-07 09:34:00 -04:00 
						 
				 
			
				
					
						
							
							
								Nick Pope 
							
						 
					 
					
						
						
							
						
						df90e462d9 
					 
					
						
						
							
Fixed #29212 -- Doc'd redirect loop if @permission_required used with redirect_authenticated_user.
						
						
						
						
					 
					
						2018-04-19 10:21:24 -04:00 
						 
				 
			
				
					
						
							
							
								Mattia Procopio 
							
						 
					 
					
						
						
							
						
						aeb8c38178 
					 
					
						
						
							
Fixed #29206 -- Fixed PasswordResetConfirmView crash when the URL contains a non-UUID where one is expected.
						
						
						
						
					 
					
						2018-03-15 21:33:15 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						fa75b2cb51 
					 
					
						
						
							
Refs #27795 -- Removed force_bytes/text() usage in tests.
						
						
						
						
					 
					
						2018-02-07 14:20:04 -05:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						6e40b70bf4 
					 
					
						
						
							
Refs #26929 -- Removed extra_context parameter of contrib.auth.views.logout_then_login().
						
						
						
						Per deprecation timeline. 
						
						
					 
					
						2017-09-22 12:51:17 -04:00 
						 
				 
			
				
					
						
							
							
								Luoxzhg 
							
						 
					 
					
						
						
							
						
						ffbee67f8e 
					 
					
						
						
							
							Fixed some comments referring to a nonexistent TestClient class.  
						
						
						
						
					 
					
						2017-09-09 11:21:15 -04:00 
						 
				 
			
				
					
						
							
							
								hui shang 
							
						 
					 
					
						
						
							
						
						c0f4c60edd 
					 
					
						
						
							
Fixed #28513 -- Added POST request support to LogoutView.
						
						
						
						
					 
					
						2017-08-24 09:11:16 -04:00 
						 
				 
			
				
					
						
							
							
								Mikhail Golubev 
							
						 
					 
					
						
						
							
						
						e7dc39fb65 
					 
					
						
						
							
Fixed #28229 -- Fixed the value of LoginView's "next" template variable.
						
						
						
						
					 
					
						2017-06-13 09:13:22 -04:00 
						 
				 
			
				
					
						
							
							
								Bruno Alla 
							
						 
					 
					
						
						
							
						
						6092ea8fa6 
					 
					
						
						
							
Refs #27804 -- Used subTest() in several tests.
						
						
						
						
					 
					
						2017-05-24 08:36:34 -04:00 
						 
				 
			
				
					
						
							
							
								Camilo Nova 
							
						 
					 
					
						
						
							
						
						5db465d5a6 
					 
					
						
						
							
Fixed #27891 -- Added PasswordResetConfirmView.post_reset_login_backend.
						
						
						
						
					 
					
						2017-03-07 19:52:26 -05:00 
						 
				 
			
				
					
						
							
							
								Markus Holtermann 
							
						 
					 
					
						
						
							
						
						b9b35f9efa 
					 
					
						
						
							
Fixed #27840 -- Fixed KeyError in PasswordResetConfirmView.form_valid().

When a user is already logged in when submitting the password and
password confirmation to reset a password, a KeyError occurred while
removing the reset session token from the session.

Refs #17209

Thanks Quentin Marlats for the report and Florian Apolloner and Tim
Graham for the review.
						
						
					 
					
						2017-02-15 00:35:04 +01:00 
						 
				 
			
				
					
						
							
							
								Zoltan Gyarmati 
							
						 
					 
					
						
						
							
						
						41ba27fefd 
					 
					
						
						
							
Fixed #27815 -- Made LoginView pass the request kwarg to AuthenticationForm.
						
						
						
						
					 
					
						2017-02-07 08:54:21 -05:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						29f607927f 
					 
					
						
						
							
							Fixed spelling of "nonexistent".  
						
						
						
						
					 
					
						2017-02-03 08:01:45 -05:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						fee42fd99e 
					 
					
						
						
							
Refs #23919 -- Replaced usage of django.utils.http utilities with Python equivalents
						
						
						
						Thanks Tim Graham for the review. 
						
						
					 
					
						2017-01-26 19:49:03 +01:00 
						 
				 
			
				
					
						
							
							
								chillaranand 
							
						 
					 
					
						
						
							
						
						d6eaf7c018 
					 
					
						
						
							
Refs #23919 -- Replaced super(ClassName, self) with super().
						
						
						
						
					 
					
						2017-01-25 12:23:46 -05:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						2366100872 
					 
					
						
						
							
							Removed unneeded force_text calls in the test suite  
						
						
						
						
					 
					
						2017-01-24 18:45:54 +01:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						2b281cc35e 
					 
					
						
						
							
Refs #23919 -- Removed most of remaining six usage
						
						
						
						Thanks Tim Graham for the review. 
						
						
					 
					
						2017-01-18 21:33:28 +01:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						d7b9aaa366 
					 
					
						
						
							
Refs #23919 -- Removed encoding preambles and future imports
						
						
						
						
					 
					
						2017-01-18 09:55:19 +01:00 
						 
				 
			
				
					
						
							
							
								Romain Garrigues 
							
						 
					 
					
						
						
							
						
						ede59ef6f3 
					 
					
						
						
							
Fixed #27518 -- Prevented possible password reset token leak via HTTP Referer header.
						
						
						
						Thanks Florian Apolloner for contributing to this patch and
Collin Anderson, Markus Holtermann, and Tim Graham for review. 
						
						
					 
					
						2017-01-13 09:17:54 -05:00 
						 
				 
			
				
					
						
							
							
								Florian Apolloner 
							
						 
					 
					
						
						
							
						
						51eaff6d35 
					 
					
						
						
							
Refs #17209 -- Fixed token verification for PasswordResetConfirmView POST requests.
						
						
						
						
					 
					
						2016-11-21 13:42:25 -05:00 
						 
				 
			
				
					
						
							
							
								za 
							
						 
					 
					
						
						
							
						
						321e94fa41 
					 
					
						
						
							
Refs #27392 -- Removed "Tests that", "Ensures that", etc. from test docstrings.
						
						
						
						
					 
					
						2016-11-10 21:30:21 -05:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						20be1918e7 
					 
					
						
						
							
							Simplified some auth_tests with assertRedirects().  
						
						
						
						
					 
					
						2016-10-28 11:52:52 -04:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						66e1ebbffc 
					 
					
						
						
							
Fixed #26956 -- Added success_url_allowed_hosts to LoginView and LogoutView.
						
						
						
						Allows specifying additional hosts to redirect after login and log out. 
						
						
					 
					
						2016-09-07 19:56:25 -07:00 
						 
				 
			
				
					
						
							
							
								Przemysław Suliga 
							
						 
					 
					
						
						
							
						
						549b90fab3 
					 
					
						
						
							
Refs #26902 -- Protected against insecure redirects in Login/LogoutView.
						
						
						
						
					 
					
						2016-08-19 19:01:01 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						13857b45ca 
					 
					
						
						
							
							Removed unused 'password' parameter in auth_tests.  
						
						
						
						
					 
					
						2016-08-18 19:01:28 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						7549eb0004 
					 
					
						
						
							
Fixed #27009 -- Made update_session_auth_hash() rotate the session key.
						
						
						
						
					 
					
						2016-08-15 19:29:12 -04:00 
						 
				 
			
				
					
						
							
							
								jordij 
							
						 
					 
					
						
						
							
						
						0814566bf1 
					 
					
						
						
							
Fixed #26960 -- Added PasswordResetConfirmView option to automatically log in after a reset.
						
						
						
						
					 
					
						2016-08-10 10:23:16 -04:00 
						 
				 
			
				
					
						
							
							
								Andrew Nester 
							
						 
					 
					
						
						
							
						
						0ba179194b 
					 
					
						
						
							
Fixed #26929 -- Deprecated extra_context parameter of contrib.auth.views.logout_then_login().
						
						
						
						
					 
					
						2016-07-28 11:57:02 -04:00