1
0
mirror of https://github.com/django/django.git synced 2024-12-23 01:25:58 +00:00
Commit Graph

435 Commits

Author SHA1 Message Date
Jaap Roes
ceecd518b1 Fixed #35530 -- Deprecated request.user fallback in auth.login and auth.alogin. 2024-11-28 17:43:46 +01:00
Jaap Roes
28b9b8d6d9 Refs #35530 -- Added basic test cases for auth.login. 2024-11-28 17:43:46 +01:00
Tommy Allen
c635decb00
Fixed #35942 -- Fixed createsuperuser crash on Python 3.13+ when username is unavailable.
Thanks Mariusz Felisiak and Jacob Tyler Walls for reviews.
2024-11-26 17:15:00 -03:00
GappleBee
037e740ec5 Refs #28215 -- Marked auth form passwords as sensitive variables. 2024-11-15 13:53:13 +01:00
Mariusz Felisiak
bd3b1dfa24
Refs #35844 -- Used asgiref.sync.iscoroutinefunction() instead of deprecated asyncio.iscoroutinefunction().
Fixes DeprecationWarning:

'asyncio.iscoroutinefunction' is deprecated and slated for removal in
Python 3.16; use inspect.iscoroutinefunction() instead.
2024-10-17 10:15:10 -03:00
SaJH
0c81775515 Refs #35727 -- Updated response.content.decode calls to use the HttpResponse.text property.
Signed-off-by: SaJH <wogur981208@gmail.com>
2024-10-16 11:52:22 +02:00
Ben Cail
ec7d69035a Fixed #35782 -- Allowed overriding password validation error messages. 2024-10-15 17:23:39 +02:00
Jon Janzen
50f89ae850 Fixed #35303 -- Implemented async auth backends and utils. 2024-10-07 14:19:41 +02:00
Natalia
8c35a0a903 Fixed CVE-2024-45231 -- Avoided server error on password reset when email sending fails.
On successful submission of a password reset request, an email is sent
to the accounts known to the system. If sending this email fails (due to
email backend misconfiguration, service provider outage, network issues,
etc.), an attacker might exploit this by detecting which password reset
requests succeed and which ones generate a 500 error response.

Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
Johnson, and Sarah Boyce for the reviews.
2024-09-03 09:22:32 -03:00
sanjeevholla26
387475c5b2 Refs #35706 -- Prefixed 'Error:' to titles of admin pages with form errors.
This improves the screen reader experience.
2024-09-02 15:19:33 +02:00
nessita
046a354217
Added helper and refactored PasswordResetFormTest to unify email sending tests. 2024-08-23 11:13:31 -03:00
Natalia
0ebed5fa95 Fixed #35678 -- Removed "usable_password" field from BaseUserCreationForm.
Refs #34429: Following the implementation allowing the setting of
unusable passwords via the admin site, the `BaseUserCreationForm` and
`UserCreationForm` were extended to include a new field for choosing
whether password-based authentication for the new user should be enabled
or disabled at creation time.
Given that these forms are designed to be extended when implementing
custom user models, this branch ensures that this new field is moved to
a new, admin-dedicated, user creation form `AdminUserCreationForm`.

Regression in e626716c28.

Thanks Simon Willison for the report, Fabian Braun and Sarah Boyce for
the review.
2024-08-19 12:39:57 -03:00
Natalia
b60fd8722f Refs #35678 -- Split tests for BaseUserCreationForm when using a custom User model.
This work also allows to subclass BaseUserCreationFormTest to reuse the
tests and assertions for testing forms that extend BaseUserCreationForm,
which is now used for UserCreationFormTest, increasing its coverage.
2024-08-19 12:39:57 -03:00
Jacob Walls
b99c608ea1 Refs #35402 -- Added tests for invalid usage of submodules in some settings. 2024-08-13 16:09:52 +02:00
Natalia
e1606d27b4 Added test for acheck_password() to ensure make_password is called for unusable passwords.
This is a follow up for the fix of CVE-2024-39329
(5d86458579) where the timing of
verify_password() was standardized when checking unusable passwords.
2024-08-08 12:53:36 -03:00
Michael Manfre
5d86458579 Fixed CVE-2024-39329 -- Standarized timing of verify_password() when checking unusuable passwords.
Refs #20760.

Thanks Michael Manfre for the fix and to Adam Johnson for the review.
2024-07-09 09:21:19 -03:00
Jake Howard
53e674d574 Fixed #35520 -- Avoided opening transaction for read-only ModelAdmin requests. 2024-07-04 11:38:58 +02:00
Jacob Walls
31837dbcb3 Fixed #35569 -- Improved wording of invalid ForeignKey error message. 2024-07-04 11:35:03 +02:00
Fabian Braun
339977d444 Fixed #35477 -- Corrected 'required' errors in auth password set/change forms.
The auth forms using SetPasswordMixin were incorrectly including the
'This field is required.' error when additional validations (e.g.,
overriding `clean_password1`) were performed and failed.
This fix ensures accurate error reporting for password fields.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-05-30 16:31:01 -03:00
Natalia
04a208d7f1 Increased the default PBKDF2 iterations for Django 5.2. 2024-05-22 15:44:07 -03:00
Hisham Mahmood
c7fc9f20b4 Fixed #31405 -- Added LoginRequiredMiddleware.
Co-authored-by: Adam Johnson <me@adamj.eu>
Co-authored-by: Mehmet İnce <mehmet@mehmetince.net>
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-05-22 08:51:17 +02:00
SaJH
8f205acea9 Fixed #35428 -- Increased parallelism of the ScryptPasswordHasher. 2024-05-17 17:13:58 +02:00
Adam Johnson
d2c5a30e5a Fixed #35408 -- Optimized post-migrate permission creation.
co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2024-05-13 08:34:57 +02:00
Fabian Braun
944745afe2 Fixed #34977 -- Improved accessibility in the UserChangeForm by replacing the reset password link with a button.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-03-27 16:40:41 -03:00
Dingning
549320946d Fixed #35030 -- Made django.contrib.auth decorators to work with async functions. 2024-03-07 09:59:33 +01:00
Mariusz Felisiak
c4df2a7776
Refs #35030 -- Added more tests for @user_passes_test decorator. 2024-03-06 13:28:32 +01:00
Fabian Braun
e626716c28 Fixed #34429 -- Allowed setting unusable passwords for users in the auth forms.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-02-20 12:13:32 -03:00
Natalia
8a757244f9 Refs #34429 -- Defined test user with unusable password for auth forms tests. 2024-02-20 12:12:37 -03:00
Mariusz Felisiak
305757aec1
Applied Black's 2024 stable style.
https://github.com/psf/black/releases/tag/24.1.0
2024-01-26 12:45:07 +01:00
nessita
02eaee1209
Added test ensuring that validate_password is used in AdminPasswordChangeForm.
Co-authored-by: Fabian Braun <fsbraun@gmx.de>
2024-01-12 17:27:55 -03:00
Mariusz Felisiak
0c5456ef37
Used enterClassContext() where appropriate. 2024-01-04 05:55:29 +01:00
Mariusz Felisiak
d88ec42bd0
Used addCleanup() in tests where appropriate. 2023-12-31 10:01:31 +01:00
Mariusz Felisiak
05ba4130ee Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2023-11-01 06:10:30 +01:00
Lily Foote
45078a204b Defined PASSWORD_HASHERS for auth_tests.test_views.ChangelistTests.
auth_tests.test_views.ChangelistTests.test_view_user_password_is_readonly
depends on the password hasher having the three components algorithm,
salt and hash.

The default password hasher (PBKDF2PasswordHasher) has an extra
iterations component, breaking the test.
2023-09-20 05:35:49 +02:00
Mariusz Felisiak
0e560edf32 Increased the default PBKDF2 iterations for Django 5.1. 2023-09-18 22:12:40 +02:00
Mariusz Felisiak
6e4e5523a8 Refs #33691 -- Removed insecure password hashers per deprecation timeline. 2023-09-18 22:12:40 +02:00
Mariusz Felisiak
00e1879610 Refs #33764 -- Removed BaseUserManager.make_random_password() per deprecation timeline. 2023-09-18 22:12:40 +02:00
konsti
48a1929ca0
Removed unnecessary trailing commas in tests. 2023-08-22 12:42:57 +02:00
Mateusz Więckowski
5aa4c0b675 Fixed #34542 -- Made createsuperuser handle required blank fields in non-interactive mode. 2023-08-08 09:26:28 +02:00
Jon Janzen
5e98959d92 Fixed #34391 -- Added async-compatible interface to auth functions and related methods test clients. 2023-06-27 11:17:17 +02:00
HappyDingning
674c23999c Fixed #34565 -- Added support for async checking of user passwords. 2023-05-18 09:39:04 +02:00
Gary Jarrel
fcc7dc5781 Fixed #34438 -- Reallowed extending UserCreationForm.
Regression in 298d02a77a.
2023-03-28 11:33:20 +02:00
Liyang Zhang
f9f9215d3e
Fixed some typos in comments, docstrings, and tests. 2023-03-20 08:07:23 +01:00
Hrushikesh Vaidya
a52bdea5a2 Fixed #33985 -- Used app_config.verbose_name in ContentType.__str__(). 2023-03-09 10:27:08 +01:00
David Wobrock
2396933ca9 Fixed #34384 -- Fixed session validation when rotation secret keys.
Bug in 0dcd549bbe.

Thanks Eric Zarowny for the report.
2023-03-08 10:48:04 +01:00
Jon Janzen
e846c5e724 Fixed #31920 -- Made AuthenticationMiddleware add request.auser(). 2023-03-07 13:11:22 +01:00
Mariusz Felisiak
5e9aded33f
Increased the default PBKDF2 iterations for Django 5.0.
Follow up to 9a1848f48c.
2023-02-04 13:37:44 +01:00
David Smith
097e3a70c1 Refs #33476 -- Applied Black's 2023 stable style.
Black 23.1.0 is released which, as the first release of the year,
introduces the 2023 stable style. This incorporates most of last year's
preview style.

https://github.com/psf/black/releases/tag/23.1.0
2023-02-01 11:04:38 +01:00
Mariusz Felisiak
4fc711a108 Increased the default PBKDF2 iterations for Django 5.0. 2023-01-17 11:49:15 +01:00
Mariusz Felisiak
b5ac6e78f8 Refs #33691 -- Removed django.contrib.auth.hashers.CryptPasswordHasher per deprecation timeline. 2023-01-17 11:49:15 +01:00