Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3.
Thanks buffgecko12 for the report and Sarah Boyce for the review.
Backport of d15454a6e84a595ffc8dc1b926282f484f782a8f from main.
On successful submission of a password reset request, an email is sent
to the accounts known to the system. If sending this email fails (due to
email backend misconfiguration, service provider outage, network issues,
etc.), an attacker might exploit this by detecting which password reset
requests succeed and which ones generate a 500 error response.
Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
Johnson, and Sarah Boyce for the reviews.
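
The failure mode described in the commit message above, shown as an added example (not Django's code and not part of the commit): a framework-free model where the mail backend is down and only known accounts trigger a send. `KNOWN_ACCOUNTS`, `BrokenMailBackend`, `dispatch` and both handlers are hypothetical names, and the account data is constructed.

```python
import logging

logger = logging.getLogger("reset_demo")

KNOWN_ACCOUNTS = {"alice@example.com"}  # constructed sample data


class BrokenMailBackend:
    """Stands in for a misconfigured or unreachable email backend."""

    def send(self, recipient, body):
        raise ConnectionError("SMTP server unreachable")


def dispatch(handler, email, backend):
    """Mimic a web framework: an unhandled exception becomes a 500."""
    try:
        return handler(email, backend)
    except Exception:
        return 500


def reset_unguarded(email, backend):
    # Mail is only attempted for known accounts, so a backend failure
    # surfaces only for them and the status code differs per account.
    if email in KNOWN_ACCOUNTS:
        backend.send(email, "reset link")
    return 200


def reset_guarded(email, backend):
    if email in KNOWN_ACCOUNTS:
        try:
            backend.send(email, "reset link")
        except Exception:
            # Record the failure for operators; keep the response uniform.
            logger.exception("Failed to send password reset email")
    return 200


def status_codes(handler):
    """Return the response status per address while the backend is failing."""
    backend = BrokenMailBackend()
    addresses = ("alice@example.com", "nobody@example.com")
    return {addr: dispatch(handler, addr, backend) for addr in addresses}


if __name__ == "__main__":
    print("unguarded:", status_codes(reset_unguarded))
    print("guarded:  ", status_codes(reset_guarded))
```

The guarded handler still logs the exception, so an outage remains visible to operators even though the response no longer varies by account.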
Refs #34429: Following the implementation allowing the setting of
unusable passwords via the admin site, the `BaseUserCreationForm` and
`UserCreationForm` were extended to include a new field for choosing
whether password-based authentication for the new user should be enabled
or disabled at creation time.
Given that these forms are designed to be extended when implementing
custom user models, this branch ensures that this new field is moved to
a new, admin-dedicated, user creation form `AdminUserCreationForm`.
Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3.
Thanks Simon Willison for the report, Fabian Braun and Sarah Boyce for
the review.
Backport of 0ebed5fa95f53b87383901bbd9341ef3c974344f from main.
This work also allows subclassing BaseUserCreationFormTest to reuse the
tests and assertions for testing forms that extend BaseUserCreationForm,
which is now used for UserCreationFormTest, increasing its coverage.
Backport of b60fd8722f305ec29c87f34d3fea262e56394ebd from main.
The auth forms using SetPasswordMixin were incorrectly including the
'This field is required.' error when additional validations (e.g.,
overriding `clean_password1`) were performed and failed.
This fix ensures accurate error reporting for password fields.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 339977d4441fd353e20950b98bad3d42afb1f126 from main.
Co-authored-by: Adam Johnson <me@adamj.eu>
Co-authored-by: Mehmet İnce <mehmet@mehmetince.net>
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
auth_tests.test_views.ChangelistTests.test_view_user_password_is_readonly
depends on the password hasher having the three components algorithm,
salt and hash.
The default password hasher (PBKDF2PasswordHasher) has an extra
iterations component, breaking the test.
Black 23.1.0 is released which, as the first release of the year,
introduces the 2023 stable style. This incorporates most of last year's
preview style.
https://github.com/psf/black/releases/tag/23.1.0
- Updated references to RFC 1123 to RFC 5322
  - Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
  - Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents