Tim Graham
adedc31072
Fixed "redefinition of unused 'foo' from line X" pyflakes warnings.
2013-10-10 11:09:42 -04:00
Russell Keith-Magee
ddb53856b6
Fixed #21164 -- Added documentation for issue with test users.
...
The package renaming restores the older package names (which were also the
documented package names). This doesn't affect test discovery because the
module in question doesn't contain any tests.
Thanks to Carl for the design discussion.
2013-10-08 10:32:56 +08:00
Tim Graham
1285ca67eb
Fixed #16919 -- Passed user to set_password_form in GET requests.
...
Thanks Jaime Irurzun for the report and initial patch and
ejucovy for the test.
2013-10-02 13:28:15 -04:00
Florian Apolloner
5d74853e15
Revert "Ensure that passwords are never long enough for a DoS."
...
This reverts commit aae5a96d57
.
This fix is no longer necessary, our pbkdf2 (see next commit) implementation
no longer rehashes the password every iteration.
2013-09-24 21:01:21 +02:00
Aymeric Augustin
a5b062576b
Removed a few trailing backslashes.
...
We have always been at war with trailing backslashes.
2013-09-22 14:04:10 +02:00
Paul McMillan
a075e2ad0d
Increase default PBKDF2 iterations
...
Increases the default PBKDF2 iterations, since computers have gotten
faster since 2011. In the future, we plan to increment by 10% per
major version.
2013-09-19 18:02:25 +01:00
Russell Keith-Magee
aae5a96d57
Ensure that passwords are never long enough for a DoS.
...
* Limit the password length to 4096 bytes
* Password hashers will raise a ValueError
* django.contrib.auth forms will fail validation
* Document in release notes that this is a backwards incompatible change
Thanks to Josh Wright for the report, and Donald Stufft for the patch.
This is a security fix; disclosure to follow shortly.
2013-09-15 13:42:23 +08:00
Alex Gaynor
96fd5557f9
Removed a ton of unused local vars
2013-09-08 08:05:16 -07:00
Aymeric Augustin
6a6428a36f
Took advantage of django.utils.six.moves.urllib.*.
2013-09-05 14:39:23 -05:00
Aymeric Augustin
365c3e8b73
Replaced "not PY3" by "PY2", new in six 1.4.0.
2013-09-02 12:11:02 +02:00
Michał Górny
b89c2a5d9e
Fixed #18171 -- Checked signature of authenticate() to avoid supressing TypeErrors.
...
The current auth backend code catches TypeError to detect backends that
do not support specified argumetnts. As a result, any TypeErrors raised
within the actual backend code are silenced.
In Python 2.7+ and 3.2+ this can be avoided by using inspect.getcallargs().
With this method, we can test whether arguments match the signature without
actually calling the function.
Thanks David Eyk for the report.
2013-08-28 07:51:45 -04:00
Claude Paroz
165f44aaaa
Combine consecutive with statements
...
Python 2.7 allows to combine several 'with' instructions.
2013-08-16 20:12:10 +02:00
SusanTan
71c491972e
Fixed #11400 -- Passed kwargs from AbstractUser.email_user() to send_mail()
...
Thanks Jug_ for suggestion, john_scott for the initial patch,
and Tim Graham for code review.
2013-08-14 07:46:11 -04:00
Jacob Kaplan-Moss
ae3535169a
Fixed is_safe_url() to reject URLs that use a scheme other than HTTP/S.
...
This is a security fix; disclosure to follow shortly.
2013-08-13 11:06:22 -05:00
ersran9
00d23a13eb
Fixed #20828 -- Allowed @permission_required to take a list of permissions
...
Thanks Giggaflop for the suggestion.
2013-08-10 10:10:18 -04:00
Tim Graham
453915bb12
SQLite test fix -- refs #9057
2013-08-09 10:57:25 -04:00
Tim Graham
ddae74b64c
Fixed #9057 -- Added default_permissions model meta option.
...
Thanks hvendelbo for the suggestion and koenb for the draft patch.
2013-08-09 09:19:52 -04:00
Justin Michalicek
6d88d47be6
Fixed #20832 -- Enabled HTML password reset email
...
Added optional html_email_template_name parameter to password_reset view
and PasswordResetForm.
2013-08-05 09:47:28 -04:00
Alex Gaynor
3e0eb2d788
Fixed a number of lint warnings, particularly around unused variables.
2013-08-04 09:17:10 -07:00
Tim Graham
a1889397a9
Fixed #12103 -- Added AuthenticationForm.confirm_login_allowed to allow customizing the logic policy.
...
Thanks ejucovy and lasko for work on the patch.
2013-07-31 13:54:05 -04:00
Aymeric Augustin
5b47a9c5a0
Fixed a test that could fail depending on PASSWORD_HASHERS.
...
Thanks Claude. Refs #20760 .
2013-07-30 16:14:53 +02:00
Serge G. Spaolonzi
e07e4030b9
Fixed #18511 -- Cleaned up admin password reset template titles.
2013-07-27 14:23:04 -04:00
Aymeric Augustin
5dbca13f3b
Fixed #20760 -- Reduced timing variation in ModelBackend.
...
Thanks jpaglier and erikr.
2013-07-23 15:43:12 +02:00
Kirill Fomichev
33242fe015
Fixed #19019 -- Fixed UserAdmin to log password change.
...
Thanks Tuttle for the report.
2013-07-23 08:33:07 -04:00
Simon Charette
8759778185
Fixed #20675 -- `check_password` should work when no password is specified.
...
The regression was introduced by 2c4fe761a
. refs #20593 .
2013-07-03 14:09:58 -04:00
Aymeric Augustin
cfcf4b3605
Stopped using django.utils.unittest in the test suite.
...
Refs #20680 .
2013-07-01 14:29:33 +02:00
Ramiro Morales
d51b7794bf
Removed django.contrib.auth.views.password_reset_confirm_uidb36() view to finish its accelerated deprecation schedule.
2013-06-29 12:22:15 -03:00
Claude Paroz
6118d6d1c9
More import removals
...
Following the series of commits removing deprecated features in
Django 1.7, here are some more unneeded imports removed and other
minor cleanups.
2013-06-29 11:58:36 +02:00
Ramiro Morales
c196564132
Removed custom profile model functionality as per deprecation TL.
2013-06-28 21:48:16 -03:00
Andrew Godwin
f325f86971
Fixed #20244 : PermissionsMixin now defines a related_query_name for M2Ms
2013-06-27 15:44:22 +01:00
Anton Baklanov
cab333cb16
Fixed #20541 -- don't raise db signals twice when creating superuser
2013-06-27 05:58:01 -04:00
Tim Graham
1184d07789
Fixed #14881 -- Modified password reset to work with a non-integer UserModel.pk.
...
uid is now base64 encoded in password reset URLs/views. A backwards compatible
password_reset_confirm view/URL will allow password reset links generated before
this change to continue to work. This view will be removed in Django 1.7.
Thanks jonash for the initial patch and claudep for the review.
2013-06-26 13:11:47 -04:00
Aymeric Augustin
ffcf24c9ce
Removed several unused imports.
2013-06-19 17:18:40 +02:00
Erik Romijn
aeb1389442
Fixed #20079 -- Improve security of password reset tokens
2013-06-18 20:02:00 +02:00
Erik Romijn
2c4fe761a0
Fixed #20593 -- Allow blank passwords in check_password() and set_password()
2013-06-18 13:32:54 -04:00
Claude Paroz
beb652e069
Worked around Python 3.3 modified exception repr
...
Refs #20599 .
2013-06-15 11:14:59 +02:00
Jaap Roes
990f8d92dc
Fixed #20599 -- Changed wording of ValueError raised by _load_library
...
The _load_library method on BasePasswordHasher turns ImportErrors
into ValueErrors, this masks ImportErrors in the algorithm library.
Changed it to a clearer worded error message that includes
the ImportError string.
2013-06-15 10:50:55 +02:00
Aymeric Augustin
c6e6d4eeb7
Defined available_apps in relevant tests.
...
Fixed #20483 .
2013-06-10 11:30:01 +02:00
Chris Streeter
69373f3420
Fixed #19925 - Added validation for REQUIRED_FIELDS being a list
...
Thanks Roman Alexander for the suggestion.
2013-06-07 19:58:41 -04:00
Gavin Wahl
4f4e9243e4
Fixed #20532 -- Reverse auth views by name, not by path.
...
Auth views should be reversed by name, not their locations in
`django.contrib.auth.views`. This allows substituting your own
implementations of the auth views.
2013-06-03 13:30:40 -04:00
Gavin Wahl
01ae881bb4
Don't hard-code class names when calling static methods
...
normalize_email should be called on the instance, not the class. This
has the same effect normally but is more helpful to subclassers. When
methods are called directly on the class, subclasses can't override
them.
2013-05-29 16:11:26 -06:00
Preston Holmes
d228c1192e
Fixed #19866 -- Added security logger and return 400 for SuspiciousOperation.
...
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.
Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.
2013-05-25 16:27:34 -07:00
Andrew Godwin
1514f17aa6
Rotate CSRF token on login
2013-05-24 22:15:08 +01:00
Baptiste Mispelon
3cb1e9b93c
Fix test failure introduced by 980ae2ab29
.
2013-05-19 16:51:36 +02:00
Baptiste Mispelon
980ae2ab29
Fix #20447 : URL names given to contrib.auth.views are now resolved.
...
This commit also adds tests for the redirect feature of most auth views.
It also cleans up the tests, most notably using @override_settings instead
of ad-hoc setUp/tearDown methods.
Thanks to caumons for the report.
Conflicts:
docs/releases/1.6.txt
2013-05-19 14:36:38 +02:00
Jorge Bastida
dc43fbc2f2
Fixed #18998 - Prevented session crash when auth backend removed
...
Removing a backend configured in AUTHENTICATION_BACKENDS should not
raise an exception for existing sessions, but should make already
logged-in users disconnect.
Thanks Bradley Ayers for the report.
2013-05-18 15:58:29 +02:00
Jacob Burch
340115200f
Fixed #20432 -- Test failure in admin_views.
...
The failure was triggered by a cache leak.
2013-05-18 13:13:33 +02:00
Mark Huang
0732c8e8c6
Fixed #20357 -- Allow empty username field label in `AuthentificationForm`.
2013-05-16 11:41:52 -04:00
Donald Stufft
8f0a4665d6
Recommend using the bcrypt library instead of py-bcrypt
...
* py-bcrypt has not been updated in some time
* py-bcrypt does not support Python3
* py3k-bcrypt, a port of py-bcrypt to python3 is not compatible
with Django
* bcrypt is supported on all versions of Python that Django
supports
2013-05-13 23:49:00 -04:00
Carl Meyer
9012833af8
Fixed #17365 , #17366 , #18727 -- Switched to discovery test runner.
...
Thanks to Preston Timmons for the bulk of the work on the patch, especially
updating Django's own test suite to comply with the requirements of the new
runner. Thanks also to Jannis Leidel and Mahdi Yusuf for earlier work on the
patch and the discovery runner.
Refs #11077 , #17032 , and #18670 .
2013-05-10 23:08:45 -04:00
Preston Holmes
a49e7dd2a3
Fixed #20114 -- support custom project login_url in tests
...
Thanks to Matias Bordese for the patch
2013-04-05 09:03:28 -07:00
Preston Timmons
fde2e4fd6e
Modified auth to work with unittest2 discovery.
2013-04-02 21:59:45 -06:00
Jacob Kaplan-Moss
9e462f8101
Fixed #20078 : don't allow filtering on password in the user admin.
2013-03-27 11:24:36 -05:00
Donald Stufft
25f2acfed0
Fixed #20138 -- Added BCryptSHA256PasswordHasher
...
BCryptSHA256PasswordHasher pre-hashes the users password using
SHA256 to prevent the 72 byte truncation inherient in the BCrypt
algorithm.
2013-03-26 13:26:57 -04:00
Claude Paroz
2f121dfe63
Fixed #17051 -- Removed some 'invalid' field error messages
...
When the 'invalid' error message is set at field level, it masks
the error message raised by the validator, if any.
2013-03-14 17:03:43 +01:00
matiasb
f39fead1c3
Fixed #19945 -- Fixed default User model Meta inheritance.
...
Updated default User model Meta class to extend AbstractUser Meta
where translated verbose_name and verbose_name_plural are
defined.
2013-03-01 19:32:20 -03:00
Aymeric Augustin
f1255a3c09
Fixed #18144 -- Restored compatibility with SHA1 hashes with empty salt.
...
Thanks dahool for the report and initial version of the patch.
2013-02-25 20:21:58 +01:00
Florian Apolloner
f56ca3f0e6
Fixed the usage of the deprecated assertEquals.
2013-02-24 11:15:17 +01:00
Preston Holmes
22d82a7742
Fixed #15198 -- pass request to AuthenticationForm
...
Thanks to Ciantic for the report, claudep and slurms for initial work
2013-02-23 15:28:49 -08:00
Horst Gutmann
2f4a4703e1
Fixed #19758 -- Avoided leaking email existence through the password reset form.
2013-02-23 14:31:21 +01:00
Carl Meyer
d51fb74360
Added a new required ALLOWED_HOSTS setting for HTTP host header validation.
...
This is a security fix; disclosure and advisory coming shortly.
2013-02-19 11:23:29 -07:00
Claude Paroz
5ec0405a09
Fixed #19839 -- Isolated auth tests from customized TEMPLATE_LOADERS
...
Thanks limscoder for the report.
2013-02-18 09:22:25 +01:00
Claude Paroz
a8d1421dd9
Avoided unneeded assertion on Python 3
...
Fixes failure introduced in 02e5909f7a
.
2013-02-15 16:09:31 +01:00
Claude Paroz
02e5909f7a
Fixed #19807 -- Sanitized getpass input in createsuperuser
...
Python 2 getpass on Windows doesn't accept unicode, even when
containing only ascii chars.
Thanks Semmel for the report and tests.
2013-02-15 15:44:27 +01:00
Russell Keith-Magee
f5e4a699ca
Fixed #19822 -- Added validation for uniqueness on USERNAME_FIELD on custom User models.
...
Thanks to Claude Peroz for the draft patch.
2013-02-15 09:00:55 +08:00
Claude Paroz
f1029b308f
Fixed a misnamed variable introduced in commit 142ec8b283
...
Refs #8404 .
2013-02-14 08:33:10 +01:00
Claude Paroz
142ec8b283
Fixed #8404 -- Isolated auth password-related tests from custom templates
2013-02-13 23:11:49 +01:00
Hiroki Kiyohara
e94f405d94
Fixed #18558 -- Added url property to HttpResponseRedirect*
...
Thanks coolRR for the report.
2013-02-13 10:29:32 +01:00
Preston Holmes
c44d748272
Fixed #19662 -- alter auth modelbackend to accept custom username fields
...
Thanks to Aymeric and Carl for the review.
2013-02-07 16:07:56 -08:00
Claude Paroz
2390fe3f4f
Fixed #19745 -- Forced resolution of verbose names in createsupersuser
...
Thanks Baptiste Mispelon for the report and Preston Holmes for the review.
2013-02-06 10:06:21 +01:00
Claude Paroz
55c585f1c7
Fixed #19725 -- Made createsuperuser handle non-ascii prompts
...
Thanks Michisu for the report.
2013-02-04 10:09:10 +01:00
Claude Paroz
63d6a50dd8
Fixed #18144 -- Added backwards compatibility with old unsalted MD5 passwords
...
Thanks apreobrazhensky at gmail.com for the report.
2013-02-02 12:02:36 +01:00
Claude Paroz
1686e0d184
Fixed #18460 -- Fixed change detection of ReadOnlyPasswordHashField
...
Thanks jose.sanchez et ezeep.com for the report and Vladimir Ulupov
for the initial patch.
2013-01-25 21:27:49 +01:00
Florian Apolloner
cc4de61a2b
Fixed #19596 -- Use `_default_manager` instead of `objects` in the auth app.
...
This is needed to support custom user models which don't define a manager
named `objects`.
2013-01-22 12:47:34 +01:00
Nick Sandford
cdad0b28d4
Fixed #19573 -- Allow override of username field label in AuthenticationForm
2013-01-10 09:06:04 +01:00
Claude Paroz
34ee7d9875
Updated deprecated test assertions
2013-01-08 19:08:15 +01:00
Aymeric Augustin
4e5369a596
Silenced warnings in the tests of deprecated features.
2012-12-29 22:32:07 +01:00
Claude Paroz
0dc3fc954f
Fixed #19509 -- Fixed crypt/bcrypt non-ascii password encoding
...
Also systematically added non-ascii passwords in hashers test suite.
Thanks Vaal for the report.
2012-12-22 16:04:10 +01:00
Russell Keith-Magee
9facca28b6
Corrected tests depending on the error message on the AuthenticationForm.
...
Refs #19368 , and the fix introduced in 27f8129d64
.
2012-12-16 07:18:45 +08:00
Russell Keith-Magee
47e1df896b
Fixed #19412 -- Added PermissionsMixin to the auth.User heirarchy.
...
This makes it easier to make a ModelBackend-compliant (with regards to
permissions) User model.
Thanks to cdestigter for the report about the relationship between
ModelBackend and permissions, and to the many users on django-dev that
contributed to the discussion about mixins.
2012-12-15 22:44:47 +08:00
Claude Paroz
c91667338a
Fixed #19357 -- Allow non-ASCII chars in filesystem paths
...
Thanks kujiu for the report and Aymeric Augustin for the review.
2012-12-08 11:13:52 +01:00
Claude Paroz
a0cd6dd11e
Fixed #19349 -- Fixed re-rendering of ReadOnlyPasswordHashWidget
...
Thanks tim.bowden at mapforge.com.au for the report, Andreas Hug
for the patch and Anton Baklanov for the review.
2012-12-01 12:22:43 +01:00
Preston Holmes
84a5294788
Added missing custom user skip decorator
...
PermissionDeniedBackendTest references User model.
2012-11-30 22:54:42 -08:00
Claude Paroz
0eeae15056
Fixed #19354 -- Do not assume usermodel.pk == usermodel.id
...
Thanks markteisman at hotmail.com for the report.
2012-11-29 21:45:43 +01:00
Claude Paroz
a962bc7c45
Updated User manager when testing custom AUTH_USER_MODEL
...
This is giving more real test conditions when AUTH_USER_MODEL is
set with override_settings.
2012-11-24 16:00:00 +01:00
Jannis Leidel
1520748dac
Fixed #2550 -- Allow the auth backends to raise the PermissionDenied exception to completely stop the authentication chain. Many thanks to namn, danielr, Dan Julius, Łukasz Rekucki, Aashu Dwivedi and umbrae for working this over the years.
2012-11-17 20:24:54 +01:00
Preston Holmes
9741912a9a
Fixed #17869 - force logout when REMOTE_USER header disappears
...
If the current sessions user was logged in via a remote user backend log out
the user if REMOTE_USER header not available - otherwise leave it to other auth
middleware to install the AnonymousUser.
Thanks to Sylvain Bouchard for the initial patch and ticket maintenance.
2012-10-29 22:58:14 -07:00
Preston Holmes
2b5f848207
Fixed #19057 (again) -- added additional tests
2012-10-29 22:24:42 -07:00
Russell Keith-Magee
81f5d4a1a7
Added some test guards for some recently added auth tests.
...
Refs #19061 , #19057 .
2012-10-30 10:28:35 +08:00
Claude Paroz
b774c5993c
Fixed #19172 -- Isolated poisoned_http_host tests from 500 handlers
...
Thanks bernardofontes for the report.
2012-10-29 17:28:04 +01:00
Preston Holmes
4ea8105120
Fixed #19061 -- added is_active attribute to AbstractBaseUser
2012-10-28 23:04:03 -07:00
Russell Keith-Magee
04b53ebfb7
Fixed #19133 -- Corrected regression in form handling for user passwords.
...
Thanks to pressureman for the report, and to Preston Holmes for the draft patch.
2012-10-20 11:41:54 +08:00
Preston Holmes
9305c0e12d
Fixed a security issue related to password resets
...
Full disclosure and new release are forthcoming
2012-10-17 14:36:41 -07:00
Russell Keith-Magee
b3b3db3d95
Fixed #19067 -- Clarified handling of username in createsuperuser.
...
Thanks to clelland for the report, and Preston Holmes for the draft patch.
2012-10-13 13:36:07 +08:00
Anssi Kääriäinen
b5f224e8e2
Fixed tests introduced for #15915
...
The tests didn't clean up properly. The commit that introduced the
errors was 8c427448d5
.
Thanks to Trac alias rizumu for spotting this.
2012-10-12 00:10:49 +03:00
Russell Keith-Magee
b9039268a1
Fixed #19060 -- Corrected assumptions about the name of the User model in the ModelBackend.
...
Thanks to Ivan Virabyan for the report and initial patch.
2012-10-06 12:43:29 +08:00
Mateusz Haligowski
8c427448d5
Fixed #15915 -- Cleaned handling of duplicate permission codenames
...
Previously, a duplicate model, codename for permission would lead to
database integrity error. Cleaned the implementation so that this case
now raises an CommandError instead.
2012-10-03 23:10:32 +03:00
Russell Keith-Magee
934f35f1f9
Corrected test docstring.
2012-10-03 09:16:33 +08:00
Preston Holmes
5f8b97f9fb
Fixed #19057 -- support custom user models in mod_wsgi auth handler
...
thanks @freakboy3742 for the catch and review
2012-10-02 06:42:05 -07:00
Michael Farrell
7cc4068c44
Fixed #18616 -- added user_login_fail signal to contrib.auth
...
Thanks to Brad Pitcher for documentation
2012-09-30 22:34:50 -07:00