Jacob Kaplan-Moss
6e748b5db4
Fixed #11457 : tightened the security check for "next" redirects after logins.
The new behavior still disallows redirects to off-site URLs, but now allows
redirects of the form `/some/other/view?foo=http://...`.
Thanks to brutasse.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12635 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-01 19:58:53 +00:00
Luke Plant
7230a995ce
Moved contrib.csrf.* to core code.
There is stub code for backwards compatibility with Django 1.1 imports.
The documentation has been updated, but has been left in
docs/contrib/csrf.txt for now, in order to avoid dead links to
documentation on the website.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:36:34 +00:00
Luke Plant
8e70cef9b6
Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django. It includes:
* removing the dependency on the session framework.
* deprecating CsrfResponseMiddleware, and replacing with a core template tag.
* turning on CSRF protection by default by adding CsrfViewMiddleware to
the default value of MIDDLEWARE_CLASSES.
* protecting all contrib apps (whatever is in settings.py)
using a decorator.
For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.
Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.
Details of the rationale for these changes are found here:
http://code.djangoproject.com/wiki/CsrfProtection
As of this commit, the CSRF code is mainly in 'contrib'. The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
Luke Plant
c46ddbf1fc
Fixed #8274 - allow custom forms for auth 'login' and 'password_change' views
Thanks to julien for the suggestion and patch, and SmileyChris for work on the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11618 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-12 15:32:24 +00:00
Jacob Kaplan-Moss
3e6f4674e2
Fixed #10460 : the logout view can now redirect like the rest of the auth views. Thanks, chronos and steingrd.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10332 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-01 17:02:32 +00:00
Jacob Kaplan-Moss
19b9211a3b
Fixed #9881 : Added the to the login view context, not just the site's name. Thanks, nessita.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10330 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-01 16:37:48 +00:00
Brian Rosner
ab26efc952
Fixed #8493 -- Fixed a NoReverseMatch when redirecting to password_change/done/ in the admin. Added the ability to override redirects to other password change views for consistency. Thanks for the report mtrichardson.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8473 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-23 03:26:01 +00:00
Gary Wilson Jr
3bb50169d9
Removed unused and redefined imports.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8386 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-15 17:42:13 +00:00
Gary Wilson Jr
415bf3efb3
Fixed #7364 -- Never cache the contrib.auth login view.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8383 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-15 17:10:14 +00:00
Jacob Kaplan-Moss
bb30805452
Fixed #8131 : use reverse() in auth views. Patch from davenaff.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8334 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-12 23:31:31 +00:00
Brian Rosner
a7d3c92767
Fixed #8202 -- Moved user_change_password to UserAdmin. This enables seamless integration of a custom UserAdmin. Thanks ElliottM for catching this.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8283 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-10 09:43:48 +00:00
Luke Plant
079e5bf1ec
Added a login link to the password reset completion screen.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8171 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-01 16:13:12 +00:00
Luke Plant
fcd837cd0f
Fixed #7723 - implemented a secure password reset form that uses a token and prompts user for new password.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8162 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-07-31 20:47:53 +00:00
Brian Rosner
a19ed8aea3
Merged the newforms-admin branch into trunk.
This is a backward incompatible change. The admin contrib app has been
refactored. The newforms module has several improvements including FormSets
and Media definitions.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7967 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-07-18 23:54:34 +00:00
Adrian Holovaty
fbef599f60
Fixed #6306 -- redirect_to_login() helper function now quotes the URL arguments correctly. Thanks, SmileyChris
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7749 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-26 04:11:53 +00:00
Adrian Holovaty
54f7da3a27
Fixed #7274 -- Improved the django.contrib.auth password_reset() view not to require the Sites framework. Thanks, joshrl
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7748 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-26 04:09:29 +00:00
Jacob Kaplan-Moss
2b62e945b0
Fixed #3393 : login view no longer assumes that set_test_cookie has been called. This is mildly backwards-incompatible, but in the "now it works the way it should have all along" sense. Thanks to James and lcordier for the patches.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7692 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-18 16:13:14 +00:00
Adrian Holovaty
55d6aebfec
Fixed #5394 -- REDIRECT_FIELD_NAME is now configurable. Thanks, Petr Marhoun, DavidReynolds and effbot
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6206 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-14 19:25:37 +00:00
Adrian Holovaty
375c88d2bc
Fixed #5227 -- Made the redirect security check in django.contrib.auth.views.login() tighter. Thanks, Sander Dijkhuis
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6004 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-08-25 18:34:28 +00:00
Adrian Holovaty
b38375ee4c
Fixed bug in [5885]
git-svn-id: http://code.djangoproject.com/svn/django/trunk@5886 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-08-14 22:26:34 +00:00
Adrian Holovaty
6aae9b2aa4
Changed django.contrib.auth.views.login to use RequestSite if the sites framework is not installed -- i.e., the sites framework is no longer required to use this view. See also [5654]
git-svn-id: http://code.djangoproject.com/svn/django/trunk@5885 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-08-14 22:08:11 +00:00
Malcolm Tredinnick
953badbea5
Merged Unicode branch into trunk (r4952:5608). This should be fully
backwards compatible for all practical purposes.
Fixed #2391, #2489, #2996, #3322, #3344, #3370, #3406, #3432, #3454, #3492, #3582, #3690, #3878, #3891, #3937, #4039, #4141, #4227, #4286, #4291, #4300, #4452, #4702
git-svn-id: http://code.djangoproject.com/svn/django/trunk@5609 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-07-04 12:11:04 +00:00
Malcolm Tredinnick
5dfe74f221
Fixed #3185 -- Made values for login, logout and post-login redirect URLs
configurable. This is a combined patch from Vasily Sulatskov, Marc Fargas and
Collin Grady.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@5072 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-04-25 08:49:57 +00:00
Malcolm Tredinnick
6c4757729b
Revert [4485] in order to fix accidental mod_python breakage. Refs #2920 .
git-svn-id: http://code.djangoproject.com/svn/django/trunk@4486 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-02-11 23:50:35 +00:00
Russell Keith-Magee
0e924c70b1
Refs #2920 -- Replaced implicit uses of _() with explicit imports or calls to gettext(). At some point post 0.96, we need to remove the calls that put _ into the builtins.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@4485 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-02-11 06:20:52 +00:00
Adrian Holovaty
706fcec164
Copied django.forms to django.oldforms and changed all code to reference django.oldforms instead of django.forms. Updated docs/forms.txt to add 'Forwards-compatibility' section that says you should not be using django.oldforms for any new projects.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@4208 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-12-15 18:00:50 +00:00
Adrian Holovaty
2a0af00524
Fixed #2375 -- Changed password_reset auth view to make e-mail template name variable. Thanks, treborhudson@gmail.com
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3462 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-07-27 17:48:35 +00:00
Adrian Holovaty
564d556519
Fixed #2405 -- Fixed recursion error in auth.views.logout(), caused by [3402]. Thanks, Jay Skabber
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3431 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-07-23 23:14:36 +00:00
Jacob Kaplan-Moss
17d0bd1512
Fixed a bunch of spurious imports, typos, and other small errors turned up by a pass through PyFlakes. This covers about the first third of the errors.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3411 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-07-21 17:11:13 +00:00
Jacob Kaplan-Moss
aab3a418ac
Merged multi-auth branch to trunk. See the authentication docs for the ramifications of this change. Many, many thanks to Joseph Kocherhans for the hard work!
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3226 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-06-28 16:37:02 +00:00
Adrian Holovaty
29f55c8dbb
Fixed #2106 -- Made collapse-block JavaScript translatable. Thanks, ramiro
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3114 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-06-08 05:04:10 +00:00
Adrian Holovaty
6dfea737f6
Made template names in django.contrib.auth.views passable as template_name argument to the view
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3087 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-06-06 05:16:05 +00:00
Adrian Holovaty
f69cf70ed8
MERGED MAGIC-REMOVAL BRANCH TO TRUNK. This change is highly backwards-incompatible. Please read http://code.djangoproject.com/wiki/RemovingTheMagic for upgrade instructions.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@2809 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-05-02 01:31:56 +00:00