Alex Gaynor
6819be1ea1
Fix a security issue in the auth system. Disclosure and new release forthcoming.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15032 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-23 03:45:08 +00:00
Jannis Leidel
745c255a19
Fixed #14249 -- Added support for inactive users to the auth backend system. Thanks, Harro van der Klauw.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15010 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-21 19:18:12 +00:00
Russell Keith-Magee
059d9205d4
Fixed #14920 -- Fixed some test failures caused by caching contenttypes that were loaded during a contenttype fixture test. Thanks to Karen for the report.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14985 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-19 13:01:51 +00:00
Jannis Leidel
674c671cae
Fixed #14731 -- Respect ordering when creating the default permissions. Thanks, chipx86.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14891 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-12 22:59:28 +00:00
Jannis Leidel
867e935c51
Fixed #14446 -- Prevented the password reset confirmation view to be cached. Thanks, Paul and Gabriel.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14890 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-12 22:59:03 +00:00
Russell Keith-Magee
5b8ef18dcc
Fixed #14795 -- Ensure that get_all_permissions() returns the right result (i.e., all permissions) for superusers. Thanks to jay.halleaux@gmail.com for the report, and Brett Haydon for the patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14797 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-04 05:59:56 +00:00
Russell Keith-Magee
34a386378f
Fixed #13190 -- Improved error handling for the case where no authentication backends are defined. Thanks to Joel3000 for the report, and Łukasz Rekucki for the final patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14793 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-04 04:47:59 +00:00
Jannis Leidel
cc64fb5c4b
Fixed #8342 -- Removed code from the admin that assumed that you can't login with an email address (nixed by r12634). Also refactored login code slightly to be DRY by using more of auth app's forms and views.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14769 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-02 00:44:35 +00:00
Jannis Leidel
07705ca129
Fixed #5298 -- Added extra_context to contrib auth views.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14768 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-02 00:43:52 +00:00
Chris Beaven
dceaa82dec
Fixed #14809 -- broken login related tests after r14733.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14764 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-12-01 22:25:17 +00:00
Chris Beaven
e74edb4d53
Fixes #11025 -- ability to specify LOGIN_URL as full qualified absolute URL.
...
auth.views.login now allows for login redirections for different schemes
with the same host (or no host even, e.g. 'https:///login/ ')
auth.decorators.login_required can now use lazy urls (refs #5925 )
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14733 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-27 22:43:33 +00:00
Jannis Leidel
132afbf8ee
Fixed #5612 -- Added login and logout signals to contrib auth app. Thanks SmileyChris and pterk.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14710 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-26 13:33:27 +00:00
Ramiro Morales
0e26f58dae
Corrected change in behavior regarding the page shown after the 'Save' button is pressed when adding a user through the admin.
...
It had been introduced in trunk (r13503) and between 1.2.1 and 1.2.2 (r13504). The original fix intended to correct a similar problem introduced between 1.1 and 1.2 (r12218) this time in the 'Save and add another' button.
We have now tests for the three buttons present in the Add User admin form to avoid future regressions.
Thanks to Juan Pedro Fisanotti and Cesar H. Roldan for their work.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14628 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-19 22:45:51 +00:00
Jannis Leidel
9b6535b894
Fixed #7077 and #7431 -- Use getpass.getuser instead of pwd.getpwuid to determine the current system user's username in the createsuperuser management command to enable the feature on Windows. getpass.getuser automatically falls back to the previous method.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14607 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-17 20:28:33 +00:00
Luke Plant
02fc6276d7
Fixed #14508 - test suite silences warnings.
...
Utility functions get_warnings_state and save_warnings_state have been added
to django.test.utils, and methods to django.test.TestCase for convenience.
The implementation is based on the catch_warnings context manager from
Python 2.6.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14526 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-11 15:06:20 +00:00
Luke Plant
6feef0c13e
Fixed #14612 - Password reset page leaks valid user ids publicly.
...
Thanks to PaulM for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14456 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-04 12:36:55 +00:00
Luke Plant
7d4a3991f3
Fixed a test setup and isolation bug that was causing PasswordResetTest to fail when run individually
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14455 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-04 12:31:57 +00:00
Alex Gaynor
877033b479
Sped up the create_permissions signal handler (and thus the test suite) by restructuring its queries.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14446 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-04 00:01:54 +00:00
Alex Gaynor
34e545a938
Restructure the create_permission signal handler to perform fewer SQL queries, this speeds up the test suite dramatically.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14413 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-01 20:54:39 +00:00
Alex Gaynor
282e53b499
Reflow django/contrib/auth/management/__init__.py for readability.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14408 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-31 16:49:36 +00:00
Alex Gaynor
15b3350d30
Fixed the auth tests so they work when the AUTHENTICATION_BACKENDS setting is a list. Thanks to Patrick Altman for the report.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14406 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-31 16:25:29 +00:00
Luke Plant
45c7f427ce
Fixed #14445 - Use HMAC and constant-time comparison functions where needed.
...
All adhoc MAC applications have been updated to use HMAC, using SHA1 to
generate unique keys for each application based on the SECRET_KEY, which is
common practice for this situation. In all cases, backwards compatibility
with existing hashes has been maintained, aiming to phase this out as per
the normal deprecation process. In this way, under most normal
circumstances the old hashes will have expired (e.g. by session expiration
etc.) before they become invalid.
In the case of the messages framework and the cookie backend, which was
already using HMAC, there is the possibility of a backwards incompatibility
if the SECRET_KEY is shorter than the default 50 bytes, but the low
likelihood and low impact meant compatibility code was not worth it.
All known instances where tokens/hashes were compared using simple string
equality, which could potentially open timing based attacks, have also been
fixed using a constant-time comparison function.
There are no known practical attacks against the existing implementations,
so these security improvements will not be backported.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14 20:54:30 +00:00
Russell Keith-Magee
03f00bcd42
Fixed #14447 -- Modified the auth and sitemaps tests to remove some assumptions about the environment in which the tests are run. Thanks to Gabriel Hurley for the report and patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14184 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-12 07:15:47 +00:00
Russell Keith-Magee
1070c57b83
Fixed #14436 -- Escalated 1.2 PendingDeprecationWarnings to DeprecationWarnings, and removed 1.1 deprecated code.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14138 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-11 12:20:07 +00:00
Luke Plant
f3429da6a0
Converted contrib/auth/tokens doctests to unittests. We've always said "no more" to doctests.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14100 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-10 01:06:42 +00:00
Russell Keith-Magee
a904e55859
Fixed #11509 -- Modified usage of "Web" to match our style guide in various documentation, comments and code. Thanks to timo and Simon Meers for the work on the patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14069 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-09 08:12:50 +00:00
Russell Keith-Magee
8755fb1549
Fixed #14354 -- Normalized the handling of empty/null passwords in contrib.auth. This also updates the createsuperuser command to be more testable, and migrates some auth doctests. Thanks to berryp for the report, and Laurent Luce for the patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14053 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-09 03:34:08 +00:00
Russell Keith-Magee
f53491db6e
#14374 -- Added some missing template files to ensure that contrib.auth tests will pass when admin isn't installed. Thanks to henriquebastos for the report and patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14003 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-08 13:50:54 +00:00
Luke Plant
667d832e90
Fixed #14386 , #8960 , #10235 , #10909 , #10608 , #13845 , #14377 - standardize Site/RequestSite usage in various places.
...
Many thanks to gabrielhurley for putting most of this together. Also to
bmihelac, arthurk, qingfeng, hvendelbo, petr.pulc@s-cape.cz , Hraban for
reports and some initial patches.
The patch also contains some whitespace/PEP8 fixes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13980 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-04 14:20:47 +00:00
Jannis Leidel
1df1378f9e
Fixed #13827 -- Cleaned up a few unnecessary function calls.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13876 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-26 21:36:22 +00:00
Malcolm Tredinnick
4084bc7354
Permit custom from-email address in auth forms email.
...
Patch from cassidy and Rob Hudson. Fixed #11300 .
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13817 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-12 22:38:01 +00:00
Jannis Leidel
bb00b28399
Added login_url argument to login_required decorator. Thanks mhlakhani and ericflo for the report and patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13723 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-10 19:38:57 +00:00
Luke Plant
303bdc85a7
Fixed #14242 - UserChangeForm subclasses without 'user_permissions' field causes KeyError
...
This was a regression introduced by [13683]
Thanks to adammckerlie@gmail.com for report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13702 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-09 23:31:54 +00:00
Luke Plant
801bb146e8
Converted tests for contrib.auth.forms to unit tests.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13701 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-09 23:21:16 +00:00
Luke Plant
bdd13a4daa
Fixed #14090 - Many sql queries needed to display change user form
...
Thanks to Suor for report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13683 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-03 18:56:12 +00:00
Jannis Leidel
286ce85e45
Fixed #13569 -- Fixed createsuperuser management command to work with the new relaxed requirements for usernames.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13297 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-05-21 14:08:49 +00:00
Russell Keith-Magee
5211f48ae3
Fixed #12164 -- Removed the Python 2.3 compatibility imports and workarounds. Thanks to timo and claudep for the patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13094 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-05-04 14:00:30 +00:00
Russell Keith-Magee
056c940f0d
Fixed #13304 -- Updated auth decorators so they can be used with callable classes. Thanks to Horst Gutmann for the report and patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12938 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-04-09 11:07:17 +00:00
Jannis Leidel
7989a78baf
Fixed #13000 - Use a dictionary for the error messages definition in user creation and change form. Thanks for the patch, lgs.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12785 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-15 12:16:01 +00:00
Russell Keith-Magee
4dfe6190fa
Fixed #13108 -- Corrected an ambiguity in test data with the potential to cause test failures out of the box. Thanks to benreynwar for the report.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12778 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-15 06:55:56 +00:00
Jacob Kaplan-Moss
973bf6f485
Fixed #5605 : only lowercase the domain portion of an email address in `UserManager.create_user`.
...
Thanks, Leo.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12641 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-01 20:30:44 +00:00
Jacob Kaplan-Moss
6e748b5db4
Fixed #11457 : tightened the security check for "next" redirects after logins.
...
The new behavior still disallows redirects to off-site URLs, but now allows
redirects of the form `/some/other/view?foo=http://...`.
Thanks to brutasse.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12635 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-01 19:58:53 +00:00
Jacob Kaplan-Moss
c8015052d9
Fixed #5786 : relaxed the validation for usernames to allow more common characters '@', etc.
...
This is really just a stop-gap until we come up with a improved way of handling
disparate auth data, but it should help us stretch a bit more milage out of the
current system.
Thanks to alextreme, lbruno, and clayg.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12634 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-01 19:49:05 +00:00
Russell Keith-Magee
6b2f125b80
Fixed #12729 -- Replaced a hard-coded SQL statement with an ORM query so that the contrib.auth ModelBackend will work on a routed multi-db setup. Thanks to dhageman for the report.
...
Historical note: The SQL that was removed predates Django being open sourced.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12509 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-02-23 12:02:41 +00:00
Justin Bronn
1d5165e3be
Fixed #12776 -- `User.get_profile` now raises `SiteProfileNotAvailable` instead of `AttributeError` in certain circumstances. Thanks, Bruno Renié.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12506 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-02-23 05:52:37 +00:00
Russell Keith-Magee
eb67e449dd
Fixed #12864 -- Corrected handling of new user creation when a multi-database router is in place. Thanks to haris@dubizzle.com for the report.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12488 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-02-22 13:09:02 +00:00
Jannis Leidel
67d4289c2e
Fixed #12066 - Moved auth context processor from core to the auth app. Thanks, Rob Hudson.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12466 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-02-21 23:40:47 +00:00
Russell Keith-Magee
b794441951
Fixed #10976 -- Isolated contrib.auth tests so they will always pass, regardless of any local templates. Thanks to aarond10 for the report, and SmileyChris for turning that into a patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12420 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-02-13 12:02:11 +00:00
Luke Plant
4bff194633
Fixed #12804 - regression with decorating admin views.
...
This is a BACKWARDS INCOMPATIBLE change, because it removes the flawed
'auto_adapt_to_methods' decorator, and replaces it with 'method_decorator'
which must be applied manually when necessary, as described in the 1.2
release notes.
For users of 1.1 and 1.0, this affects the decorators:
* login_required
* permission_required
* user_passes_test
For those following trunk, this also affects:
* csrf_protect
* anything created with decorator_from_middleware
If a decorator does not depend on the signature of the function it is
supposed to decorate (for example if it only does post-processing of the
result), it will not be affected.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12399 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-02-09 15:02:39 +00:00
Russell Keith-Magee
47acb1d659
Fixed #6273 -- Added a 'changepassword' management command. Thanks to Ludvig Ericson and Justin Lilly for their work on this patch.
...
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12351 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-29 08:10:29 +00:00