Natalia 
							
						 
					 
					
						
						
							
						
						8c35a0a903 
					 
					
						
						
							
							Fixed CVE-2024-45231 -- Avoided server error on password reset when email sending fails.  
						
						
						
						
On successful submission of a password reset request, an email is sent
to the accounts known to the system. If sending this email fails (due to
email backend misconfiguration, service provider outage, network issues,
etc.), an attacker might exploit this by detecting which password reset
requests succeed and which ones generate a 500 error response.

Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
Johnson, and Sarah Boyce for the reviews.
						
						
					 
					
						2024-09-03 09:22:32 -03:00 
						 
				 
			
				
					
						
							
							
								nessita 
							
						 
					 
					
						
						
							
						
						046a354217 
					 
					
						
						
							
							Added helper and refactored PasswordResetFormTest to unify email sending tests.  
						
						
						
						
					 
					
						2024-08-23 11:13:31 -03:00 
						 
				 
			
				
					
						
							
							
								Natalia 
							
						 
					 
					
						
						
							
						
						0ebed5fa95 
					 
					
						
						
							
Fixed #35678 -- Removed "usable_password" field from BaseUserCreationForm.
						
						
						
Refs #34429: Following the implementation allowing the setting of
unusable passwords via the admin site, the `BaseUserCreationForm` and
`UserCreationForm` were extended to include a new field for choosing
whether password-based authentication for the new user should be enabled
or disabled at creation time.

Given that these forms are designed to be extended when implementing
custom user models, this branch ensures that this new field is moved to
a new, admin-dedicated, user creation form `AdminUserCreationForm`.

Regression in e626716c28
						
						
					 
					
						2024-08-19 12:39:57 -03:00 
						 
				 
			
				
					
						
							
							
								Natalia 
							
						 
					 
					
						
						
							
						
						b60fd8722f 
					 
					
						
						
							
Refs #35678 -- Split tests for BaseUserCreationForm when using a custom User model.
						
						
						
This work also allows subclassing BaseUserCreationFormTest to reuse the
tests and assertions for testing forms that extend BaseUserCreationForm,
which is now used for UserCreationFormTest, increasing its coverage. 
						
						
					 
					
						2024-08-19 12:39:57 -03:00 
						 
				 
			
				
					
						
							
							
								Fabian Braun 
							
						 
					 
					
						
						
							
						
						339977d444 
					 
					
						
						
							
Fixed #35477 -- Corrected 'required' errors in auth password set/change forms.
						
						
						
The auth forms using SetPasswordMixin were incorrectly including the
'This field is required.' error when additional validations (e.g.,
overriding `clean_password1`) were performed and failed.

This fix ensures accurate error reporting for password fields.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
						
						
					 
					
						2024-05-30 16:31:01 -03:00 
						 
				 
			
				
					
						
							
							
								Fabian Braun 
							
						 
					 
					
						
						
							
						
						944745afe2 
					 
					
						
						
							
Fixed #34977 -- Improved accessibility in the UserChangeForm by replacing the reset password link with a button.
						
						
						
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
						
						
					 
					
						2024-03-27 16:40:41 -03:00 
						 
				 
			
				
					
						
							
							
								Fabian Braun 
							
						 
					 
					
						
						
							
						
						e626716c28 
					 
					
						
						
							
Fixed #34429 -- Allowed setting unusable passwords for users in the auth forms.
						
						
						
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
						
						
					 
					
						2024-02-20 12:13:32 -03:00 
						 
				 
			
				
					
						
							
							
								Natalia 
							
						 
					 
					
						
						
							
						
						8a757244f9 
					 
					
						
						
							
Refs #34429 -- Defined test user with unusable password for auth forms tests.
						
						
						
						
					 
					
						2024-02-20 12:12:37 -03:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
						
						305757aec1 
					 
					
						
						
							
							Applied Black's 2024 stable style.  
						
						
						
						
						https://github.com/psf/black/releases/tag/24.1.0  
					
						2024-01-26 12:45:07 +01:00 
						 
				 
			
				
					
						
							
							
								nessita 
							
						 
					 
					
						
						
							
						
						02eaee1209 
					 
					
						
						
							
							Added test ensuring that validate_password is used in AdminPasswordChangeForm.  
						
						
						
						
Co-authored-by: Fabian Braun <fsbraun@gmx.de>
						
						
					 
					
						2024-01-12 17:27:55 -03:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
						
						05ba4130ee 
					 
					
						
						
							
							Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.  
						
						
						
						
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
						
						
					 
					
						2023-11-01 06:10:30 +01:00 
						 
				 
			
				
					
						
							
							
								Gary Jarrel 
							
						 
					 
					
						
						
							
						
						fcc7dc5781 
					 
					
						
						
							
Fixed #34438 -- Reallowed extending UserCreationForm.
						
						
						
						Regression in 298d02a77a 
						
						
					 
					
						2023-03-28 11:33:20 +02:00 
						 
				 
			
				
					
						
							
							
								Paul Schilling 
							
						 
					 
					
						
						
							
						
						298d02a77a 
					 
					
						
						
							
Fixed #25617 -- Added case-insensitive unique username validation in UserCreationForm.
						
						
						
Co-Authored-By: Neven Mundar <nmundar@gmail.com>
						
						
					 
					
						2022-12-29 09:42:22 +01:00 
						 
				 
			
				
					
						
							
							
								sdolemelipone 
							
						 
					 
					
						
						
							
						
						9d726c7902 
					 
					
						
						
							
Fixed #34187 -- Made UserCreationForm save many-to-many fields.
						
						
						
						
					 
					
						2022-11-29 05:56:53 +01:00 
						 
				 
			
				
					
						
							
							
								Simon Kern 
							
						 
					 
					
						
						
							
						
						de2c2127b6 
					 
					
						
						
							
Fixed #34066 -- Fixed link to password reset view in UserChangeForm.password's help text when using to_field.
						
						
						
Co-Authored-By: David Sanders <shang.xiao.sanders@gmail.com>
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
						
						
					 
					
						2022-10-27 09:23:34 +02:00 
						 
				 
			
				
					
						
							
							
								Marcelo Galigniana 
							
						 
					 
					
						
						
							
						
						b440493eaa 
					 
					
						
						
							
							Completed test coverage for contrib.auth.forms.  
						
						
						
						
					 
					
						2022-10-26 12:52:18 +02:00 
						 
				 
			
				
					
						
							
							
								Shai Berger 
							
						 
					 
					
						
						
							
						
						fdf0f62521 
					 
					
						
						
							
							Fixed ReadOnlyPasswordHashWidget's template for RTL languages.  
						
						
						
						
					 
					
						2022-09-01 21:20:15 +02:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
						
						7119f40c98 
					 
					
						
						
							
Refs #33476 -- Refactored code to strictly match 88 characters line length.
						
						
						
						
					 
					
						2022-02-07 20:37:05 +01:00 
						 
				 
			
				
					
						
							
							
								django-bot 
							
						 
					 
					
						
						
							
						
						9c19aff7c7 
					 
					
						
						
							
Refs #33476 -- Reformatted code with Black.
						
						
						
						
					 
					
						2022-02-07 20:37:05 +01:00 
						 
				 
			
				
					
						
							
							
								Mads Jensen 
							
						 
					 
					
						
						
							
						
						c51bf80d56 
					 
					
						
						
							
							Used more specific unittest assertions in tests.  
						
						
						
						
					 
					
						2021-07-07 10:51:38 +02:00 
						 
				 
			
				
					
						
							
							
								David Sanders 
							
						 
					 
					
						
						
							
						
						536c155e67 
					 
					
						
						
							
Fixed #32765 -- Removed "for" HTML attribute from ReadOnlyPasswordHashWidget.
						
						
						
						ReadOnlyPasswordHashWidget doesn't have any labelable elements. 
						
						
					 
					
						2021-05-19 20:34:57 +02:00 
						 
				 
			
				
					
						
							
							
								Timo Ludwig 
							
						 
					 
					
						
						
							
						
						d8dfff2ab0 
					 
					
						
						
							
Fixed #32235 -- Made ReadOnlyPasswordHashField disabled by default.
						
						
						
						
					 
					
						2020-12-03 09:32:08 +01:00 
						 
				 
			
				
					
						
							
							
								François Freitag 
							
						 
					 
					
						
						
							
						
						9ef4a18dbe 
					 
					
						
						
							
							Changed django.forms.ValidationError imports to django.core.exceptions.ValidationError.  
						
						
						
						
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
						
						
					 
					
						2020-04-28 10:49:00 +02:00 
						 
				 
			
				
					
						
							
							
								Simon Charette 
							
						 
					 
					
						
						
							
						
						5b1fbcef7a 
					 
					
						
						
							
							Fixed CVE-2019-19844 -- Used verified user email for password reset requests.  
						
						
						
						
Co-Authored-By: Florian Apolloner <florian@apolloner.eu>
						
						
					 
					
						2019-12-18 09:11:39 +01:00 
						 
				 
			
				
					
						
							
							
								Sam Reynolds 
							
						 
					 
					
						
						
							
						
						6c9778a58e 
					 
					
						
						
							
Fixed #30776 -- Restored max length validation on AuthenticationForm.UsernameField.
						
						
						
						Regression in 5ceaf14686 
						
						
					 
					
						2019-09-18 11:37:38 +02:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						42b9a23267 
					 
					
						
						
							
Fixed #30400 -- Improved typography of user facing strings.
						
						
						
						Thanks Claude Paroz for assistance with translations. 
						
						
					 
					
						2019-06-28 16:46:18 +02:00 
						 
				 
			
				
					
						
							
							
								Hasan Ramezani 
							
						 
					 
					
						
						
							
						
						dcb8f00d06 
					 
					
						
						
							
Fixed #29379 -- Added autocomplete attribute to contrib.auth.forms fields.
						
						
						
						Thank you to Nick Pope for review.
Co-authored-by: CHI Cheng <cloudream@gmail.com>
						
						
					 
					
						2019-06-07 12:44:39 +02:00 
						 
				 
			
				
					
						
							
							
								Ally Weir 
							
						 
					 
					
						
						
							
						
						bd228cb599 
					 
					
						
						
							
							Fixed mis-capitalisation in comment.  
						
						
						
						
					 
					
						2019-05-15 12:14:59 +02:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						8d76443aba 
					 
					
						
						
							
Fixed #30399 -- Changed django.utils.html.escape()/urlize() to use html.escape()/unescape().
						
						
						
						
					 
					
						2019-04-25 15:09:07 +02:00 
						 
				 
			
				
					
						
							
							
								pmisteli 
							
						 
					 
					
						
						
							
						
						9410db9683 
					 
					
						
						
							
Fixed #30236 -- Made UsernameField render with autocapitalize="none" HTML attribute.
						
						
						
						This prevents automatic capitalization, which is the default behavior in
some browsers. 
						
						
					 
					
						2019-03-29 15:24:44 +01:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						f3fa86a89b 
					 
					
						
						
							
Fixed #29449 -- Reverted "Fixed #28757 -- Allowed using contrib.auth forms without installing contrib.auth."
						
						
						
						This reverts commit 3333d935d2 
						
						
					 
					
						2018-07-02 18:39:26 -04:00 
						 
				 
			
				
					
						
							
							
								Mads Jensen 
							
						 
					 
					
						
						
							
						
						9c651641f1 
					 
					
						
						
							
							Added additional AdminPasswordChangeForm tests.  
						
						
						
						
					 
					
						2018-04-04 11:25:28 -04:00 
						 
				 
			
				
					
						
							
							
								Malte Gerth 
							
						 
					 
					
						
						
							
						
						874977d388 
					 
					
						
						
							
Fixed #29270 -- Fixed UserChangeForm crash if password field is excluded.
						
						
						
						
					 
					
						2018-03-29 15:25:54 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						af33fb250e 
					 
					
						
						
							
							Fixed CVE-2018-6188 -- Fixed information leakage in AuthenticationForm.  
						
						
						
						
Reverted 359370a8b8 (#28645).
This is a security fix. 
						
						
					 
					
						2018-02-01 09:05:14 -05:00 
						 
				 
			
				
					
						
							
							
								shanghui 
							
						 
					 
					
						
						
							
						
						3333d935d2 
					 
					
						
						
							
Fixed #28757 -- Allowed using contrib.auth forms without installing contrib.auth.
						
						
						
Also fixed #28608 -- Allowed UserCreationForm and UserChangeForm to
work with custom user models.

Thanks Sagar Chalise and Rômulo Collopy for reports, and Tim Graham
and Tim Martin for reviews.
						
						
					 
					
						2018-01-05 14:47:37 -05:00 
						 
				 
			
				
					
						
							
							
								shanghui 
							
						 
					 
					
						
						
							
						
						359370a8b8 
					 
					
						
						
							
Fixed #28645 -- Reallowed AuthenticationForm to raise the inactive user error when using ModelBackend.
						
						
						
						Regression in e0a3d93730 
						
						
					 
					
						2017-11-08 09:39:12 -05:00 
						 
				 
			
				
					
						
							
							
								Jon Dufresne 
							
						 
					 
					
						
						
							
						
						6ed347d851 
					 
					
						
						
							
Fixed #28706 -- Moved AuthenticationForm invalid login ValidationError to a method for reuse.
						
						
						
						
					 
					
						2017-10-23 09:10:45 -04:00 
						 
				 
			
				
					
						
							
							
								Lucas Connors 
							
						 
					 
					
						
						
							
						
						5ceaf14686 
					 
					
						
						
							
Fixed #27515 -- Made AuthenticationForm's username field use the max_length from the model field.
						
						
						
						Thanks Ramin Farajpour Cami for the report. 
						
						
					 
					
						2017-10-20 11:13:26 -04:00 
						 
				 
			
				
					
						
							
							
								Lucas Connors 
							
						 
					 
					
						
						
							
						
						d233391208 
					 
					
						
						
							
Refs #19130 -- Added a test for AuthenticationForm.username max_length.
						
						
						
This will be a more useful regression test after refs #27515.
						
						
					 
					
						2017-10-20 11:10:32 -04:00 
						 
				 
			
				
					
						
							
							
								Andrew Pinkham 
							
						 
					 
					
						
						
							
						
						a96b981d84 
					 
					
						
						
							
Fixed #28127 -- Allowed UserCreationForm's password validation to check all user fields.
						
						
						
						
					 
					
						2017-06-21 09:22:15 -04:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						dff559ff83 
					 
					
						
						
							
Fixed #28097 -- Fixed layout of ReadOnlyPasswordHashWidget.
						
						
						
						
					 
					
						2017-04-19 12:59:30 -04:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						c651331b34 
					 
					
						
						
							
							Converted usage of ugettext* functions to their gettext* aliases  
						
						
						
						
						Thanks Tim Graham for the review. 
						
						
					 
					
						2017-02-07 09:04:04 +01:00 
						 
				 
			
				
					
						
							
							
								chillaranand 
							
						 
					 
					
						
						
							
						
						d6eaf7c018 
					 
					
						
						
							
Refs #23919 -- Replaced super(ClassName, self) with super().
						
						
						
						
					 
					
						2017-01-25 12:23:46 -05:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						2366100872 
					 
					
						
						
							
							Removed unneeded force_text calls in the test suite  
						
						
						
						
					 
					
						2017-01-24 18:45:54 +01:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
							
						
						7aba69145d 
					 
					
						
						
							
Refs #23919 -- Removed django.test.mock Python 2 compatibility shim.
						
						
						
						
					 
					
						2017-01-20 08:17:20 -05:00 
						 
				 
			
				
					
						
							
							
								Simon Charette 
							
						 
					 
					
						
						
							
						
						cecc079168 
					 
					
						
						
							
Refs #23919 -- Stopped inheriting from object to define new style classes.
						
						
						
						
					 
					
						2017-01-19 08:39:46 +01:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						c716fe8782 
					 
					
						
						
							
Refs #23919 -- Removed six.PY2/PY3 usage
						
						
						
						Thanks Tim Graham for the review. 
						
						
					 
					
						2017-01-18 16:21:28 +01:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
							
						
						d7b9aaa366 
					 
					
						
						
							
Refs #23919 -- Removed encoding preambles and future imports
						
						
						
						
					 
					
						2017-01-18 09:55:19 +01:00 
						 
				 
			
				
					
						
							
							
								za 
							
						 
					 
					
						
						
							
						
						321e94fa41 
					 
					
						
						
							
Refs #27392 -- Removed "Tests that", "Ensures that", etc. from test docstrings.
						
						
						
						
					 
					
						2016-11-10 21:30:21 -05:00 
						 
				 
			
				
					
						
							
							
								levental 
							
						 
					 
					
						
						
							
						
						617e36dc1e 
					 
					
						
						
							
Fixed #20705 -- Allowed using PasswordResetForm with user models with an email field not named 'email'.
						
						
						
						
					 
					
						2016-09-27 11:59:00 -04:00