33242fe015
Fixed #19019 -- Fixed UserAdmin to log password change.
...
Thanks Tuttle for the report.
2013-07-23 08:33:07 -04:00
3a00229189
Cleaned up UserAdmin.get_form() that worked around a bug fixed in 23e1b59.
...
Refs #18681 .
2013-07-18 23:59:45 +07:00
f407f75aae
Fixed #20673 -- Clarified that HttpRequest.user uses AUTH_USER_MODEL.
...
Thanks littlepig for the report.
2013-07-04 09:32:32 -04:00
8759778185
Fixed #20675 -- `check_password` should work when no password is specified.
...
The regression was introduced by 2c4fe761a#20593 .
2013-07-03 14:09:58 -04:00
cfcf4b3605
Stopped using django.utils.unittest in the test suite.
...
Refs #20680 .
2013-07-01 14:29:33 +02:00
d51b7794bf
Removed django.contrib.auth.views.password_reset_confirm_uidb36() view to finish its accelerated deprecation schedule.
2013-06-29 12:22:15 -03:00
6118d6d1c9
More import removals
...
Following the series of commits removing deprecated features in
Django 1.7, here are some more unneeded imports removed and other
minor cleanups.
2013-06-29 11:58:36 +02:00
c8756e17fb
Removed obsolete comment. Refs #20079 .
...
Thanks Gavin Wahl.
2013-06-29 11:42:34 +02:00
c196564132
Removed custom profile model functionality as per deprecation TL.
2013-06-28 21:48:16 -03:00
f02a703ca6
Removed AuthenticationForm.check_for_test_cookie() as per deprecation TL.
2013-06-28 21:48:15 -03:00
f325f86971
Fixed #20244 : PermissionsMixin now defines a related_query_name for M2Ms
2013-06-27 15:44:22 +01:00
cab333cb16
Fixed #20541 -- don't raise db signals twice when creating superuser
2013-06-27 05:58:01 -04:00
1184d07789
Fixed #14881 -- Modified password reset to work with a non-integer UserModel.pk.
...
uid is now base64 encoded in password reset URLs/views. A backwards compatible
password_reset_confirm view/URL will allow password reset links generated before
this change to continue to work. This view will be removed in Django 1.7.
Thanks jonash for the initial patch and claudep for the review.
2013-06-26 13:11:47 -04:00
b91787910c
Fixed #20642 -- Deprecated `Option.get_(add|change|delete)_permission`.
...
Those methods were only used by `contrib.admin` internally and exclusively
related to `contrib.auth`. Since they were undocumented but used
in the wild the raised deprecation warning point to an also undocumented
alternative that lives in `contrib.auth`.
Also did some PEP8 and other cleanups in the affected modules.
2013-06-25 12:22:37 -04:00
7462a78c1b
Fixed #20288 -- Fixed inconsistency in the naming of the popup GET parameter.
...
Thanks to Keryn Knight for the initial report and reviews,
and to tomask for the original patch.
2013-06-19 22:16:16 +02:00
ffcf24c9ce
Removed several unused imports.
2013-06-19 17:18:40 +02:00
aeb1389442
Fixed #20079 -- Improve security of password reset tokens
2013-06-18 20:02:00 +02:00
2c4fe761a0
Fixed #20593 -- Allow blank passwords in check_password() and set_password()
2013-06-18 13:32:54 -04:00
ee77d4b253
Fixed #20199 -- Allow ModelForm fields to override error_messages from model fields
2013-06-18 08:01:17 -04:00
beb652e069
Worked around Python 3.3 modified exception repr
...
Refs #20599 .
2013-06-15 11:14:59 +02:00
990f8d92dc
Fixed #20599 -- Changed wording of ValueError raised by _load_library
...
The _load_library method on BasePasswordHasher turns ImportErrors
into ValueErrors, this masks ImportErrors in the algorithm library.
Changed it to a clearer worded error message that includes
the ImportError string.
2013-06-15 10:50:55 +02:00
c6e6d4eeb7
Defined available_apps in relevant tests.
...
Fixed #20483 .
2013-06-10 11:30:01 +02:00
4daf570b98
Added TransactionTestCase.available_apps.
...
This can be used to make Django's test suite significantly faster by
reducing the number of models for which content types and permissions
must be created and tables must be flushed in each non-transactional
test.
It's documented for Django contributors and committers but it's branded
as a private API to preserve our freedom to change it in the future.
Most of the credit goes to Anssi. He got the idea and did the research.
Fixed #20483 .
2013-06-10 11:24:10 +02:00
69373f3420
Fixed #19925 - Added validation for REQUIRED_FIELDS being a list
...
Thanks Roman Alexander for the suggestion.
2013-06-07 19:58:41 -04:00
4f4e9243e4
Fixed #20532 -- Reverse auth views by name, not by path.
...
Auth views should be reversed by name, not their locations in
`django.contrib.auth.views`. This allows substituting your own
implementations of the auth views.
2013-06-03 13:30:40 -04:00
01ae881bb4
Don't hard-code class names when calling static methods
...
normalize_email should be called on the instance, not the class. This
has the same effect normally but is more helpful to subclassers. When
methods are called directly on the class, subclasses can't override
them.
2013-05-29 16:11:26 -06:00
0fa8d43e74
Replaced `and...or...` constructs with PEP 308 conditional expressions.
2013-05-26 23:47:50 -03:00
d228c1192e
Fixed #19866 -- Added security logger and return 400 for SuspiciousOperation.
...
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.
Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.
2013-05-25 16:27:34 -07:00
1514f17aa6
Rotate CSRF token on login
2013-05-24 22:15:08 +01:00
3cb1e9b93c
Fix test failure introduced by 980ae2ab29.
2013-05-19 16:51:36 +02:00
980ae2ab29
Fix #20447 : URL names given to contrib.auth.views are now resolved.
...
This commit also adds tests for the redirect feature of most auth views.
It also cleans up the tests, most notably using @override_settings instead
of ad-hoc setUp/tearDown methods.
Thanks to caumons for the report.
Conflicts:
docs/releases/1.6.txt
2013-05-19 14:36:38 +02:00
cafcc22b01
Typo in comment
2013-05-19 09:28:36 +02:00
710c59bf9b
Slightly reworked imports in contrib.auth.__init__
2013-05-18 16:01:47 +02:00
dc43fbc2f2
Fixed #18998 - Prevented session crash when auth backend removed
...
Removing a backend configured in AUTHENTICATION_BACKENDS should not
raise an exception for existing sessions, but should make already
logged-in users disconnect.
Thanks Bradley Ayers for the report.
2013-05-18 15:58:29 +02:00
340115200f
Fixed #20432 -- Test failure in admin_views.
...
The failure was triggered by a cache leak.
2013-05-18 13:13:33 +02:00
0732c8e8c6
Fixed #20357 -- Allow empty username field label in `AuthentificationForm`.
2013-05-16 11:41:52 -04:00
8f0a4665d6
Recommend using the bcrypt library instead of py-bcrypt
...
* py-bcrypt has not been updated in some time
* py-bcrypt does not support Python3
* py3k-bcrypt, a port of py-bcrypt to python3 is not compatible
with Django
* bcrypt is supported on all versions of Python that Django
supports
2013-05-13 23:49:00 -04:00
3070e8f711
Properly force bytes or str for bcrypt on Python3
2013-05-11 11:16:06 -04:00
9012833af8
Fixed #17365 , #17366 , #18727 -- Switched to discovery test runner.
...
Thanks to Preston Timmons for the bulk of the work on the patch, especially
updating Django's own test suite to comply with the requirements of the new
runner. Thanks also to Jannis Leidel and Mahdi Yusuf for earlier work on the
patch and the discovery runner.
Refs #11077 , #17032 , and #18670 .
2013-05-10 23:08:45 -04:00
f026a519ae
Fixed #19733 - deprecated ModelForms without 'fields' or 'exclude', and added '__all__' shortcut
...
This also updates all dependent functionality, including modelform_factory
and modelformset_factory, and the generic views `ModelFormMixin`,
`CreateView` and `UpdateView` which gain a new `fields` attribute.
2013-05-09 16:44:36 +01:00
9f7a01ef2b
Updated translation templates and removed en translations
...
"en" translations have been mistakenly committed in 87cc3da81
2013-05-02 16:25:23 +02:00
a49e7dd2a3
Fixed #20114 -- support custom project login_url in tests
...
Thanks to Matias Bordese for the patch
2013-04-05 09:03:28 -07:00
fde2e4fd6e
Modified auth to work with unittest2 discovery.
2013-04-02 21:59:45 -06:00
80b658f5aa
Remove unnecessary if conditions
...
if obj it None, it's None, there's no need to check it
2013-03-30 12:22:28 +01:00
244e765a94
Updated translation templates
2013-03-28 10:06:11 +01:00
0a22f7aad2
Added Burmese language
...
Thanks to Yhal Htet Aung for the translation work.
2013-03-28 10:01:30 +01:00
ab76467d54
Added Ossetic language
...
Thanks to Xwybylty Soslan for the translation work.
2013-03-28 09:54:16 +01:00
c5084e7557
Updated translations from Transifex
...
Polish, Telugu, Georgian, Azerbaijani, Norwegian Bokmål, Basque,
Dutch, Thai, Spanish (Argentina), Afrikaans.
2013-03-28 09:24:07 +01:00
9e462f8101
Fixed #20078 : don't allow filtering on password in the user admin.
2013-03-27 11:24:36 -05:00
25f2acfed0
Fixed #20138 -- Added BCryptSHA256PasswordHasher
...
BCryptSHA256PasswordHasher pre-hashes the users password using
SHA256 to prevent the 72 byte truncation inherient in the BCrypt
algorithm.
2013-03-26 13:26:57 -04:00
2f121dfe63
Fixed #17051 -- Removed some 'invalid' field error messages
...
When the 'invalid' error message is set at field level, it masks
the error message raised by the validator, if any.
2013-03-14 17:03:43 +01:00
3710a918b2
Switched the admin to use @transaction.atomic.
2013-03-11 19:58:08 +01:00
6983a1a540
Fixed #15363 -- Renamed and normalized to `get_queryset` the methods that return a QuerySet.
2013-03-08 10:11:45 -05:00
03e40140ff
Merge pull request #871 from matiasb/ticket_19945
...
Fixed #19945 -- Fixed default User model Meta inheritance.
2013-03-03 14:30:36 -08:00
8e8c9b908a
Fixed getting default encoding in get_system_username
...
Refs #19933 .
2013-03-02 22:41:08 +01:00
f39fead1c3
Fixed #19945 -- Fixed default User model Meta inheritance.
...
Updated default User model Meta class to extend AbstractUser Meta
where translated verbose_name and verbose_name_plural are
defined.
2013-03-01 19:32:20 -03:00
2ee21d9f0d
Implemented persistent database connections.
...
Thanks Anssi Kääriäinen and Karen Tracey for their inputs.
2013-02-28 15:28:13 +01:00
87cc3da814
Merged contrib translations from 1.5 branch
2013-02-26 21:51:06 +01:00
f1255a3c09
Fixed #18144 -- Restored compatibility with SHA1 hashes with empty salt.
...
Thanks dahool for the report and initial version of the patch.
2013-02-25 20:21:58 +01:00
f56ca3f0e6
Fixed the usage of the deprecated assertEquals.
2013-02-24 11:15:17 +01:00
22d82a7742
Fixed #15198 -- pass request to AuthenticationForm
...
Thanks to Ciantic for the report, claudep and slurms for initial work
2013-02-23 15:28:49 -08:00
9d2c0a0ae6
Removed superfluous cookie check from auth login.
...
This is ensured through the CSRF protection of the view
2013-02-23 15:28:49 -08:00
2f4a4703e1
Fixed #19758 -- Avoided leaking email existence through the password reset form.
2013-02-23 14:31:21 +01:00
d51fb74360
Added a new required ALLOWED_HOSTS setting for HTTP host header validation.
...
This is a security fix; disclosure and advisory coming shortly.
2013-02-19 11:23:29 -07:00
5ec0405a09
Fixed #19839 -- Isolated auth tests from customized TEMPLATE_LOADERS
...
Thanks limscoder for the report.
2013-02-18 09:22:25 +01:00
a8d1421dd9
Avoided unneeded assertion on Python 3
...
Fixes failure introduced in 02e5909f7a
2013-02-15 16:09:31 +01:00
02e5909f7a
Fixed #19807 -- Sanitized getpass input in createsuperuser
...
Python 2 getpass on Windows doesn't accept unicode, even when
containing only ascii chars.
Thanks Semmel for the report and tests.
2013-02-15 15:44:27 +01:00
f5e4a699ca
Fixed #19822 -- Added validation for uniqueness on USERNAME_FIELD on custom User models.
...
Thanks to Claude Peroz for the draft patch.
2013-02-15 09:00:55 +08:00
f1029b308f
Fixed a misnamed variable introduced in commit 142ec8b283
...
Refs #8404 .
2013-02-14 08:33:10 +01:00
142ec8b283
Fixed #8404 -- Isolated auth password-related tests from custom templates
2013-02-13 23:11:49 +01:00
e94f405d94
Fixed #18558 -- Added url property to HttpResponseRedirect*
...
Thanks coolRR for the report.
2013-02-13 10:29:32 +01:00
0e18fb04ba
Made modwsgi groups_for_user consistent with check_password
...
2b5f848207#19061
that made the is_active attribute mandatory for user models.
The try/except was not removed for the groups_for_user function.
refs #19780
2013-02-09 09:31:04 -08:00
c44d748272
Fixed #19662 -- alter auth modelbackend to accept custom username fields
...
Thanks to Aymeric and Carl for the review.
2013-02-07 16:07:56 -08:00
2b916895a1
Updated createsuperuser to use unicode_literals. Refs #19757 .
2013-02-07 14:33:36 +01:00
2390fe3f4f
Fixed #19745 -- Forced resolution of verbose names in createsupersuser
...
Thanks Baptiste Mispelon for the report and Preston Holmes for the review.
2013-02-06 10:06:21 +01:00
ec469ade2b
Fixed #19689 -- Renamed `Model._meta.module_name` to `model_name`.
2013-02-05 04:16:07 -05:00
7c5b244826
Fixed #17061 -- Factored out importing object from a dotted path
...
Thanks Carl Meyer for the report.
2013-02-04 16:38:25 +01:00
55c585f1c7
Fixed #19725 -- Made createsuperuser handle non-ascii prompts
...
Thanks Michisu for the report.
2013-02-04 10:09:10 +01:00
1f8e7bb075
Added missing parentheses in if clause
2013-02-02 12:13:47 +01:00
63d6a50dd8
Fixed #18144 -- Added backwards compatibility with old unsalted MD5 passwords
...
Thanks apreobrazhensky at gmail.com for the report.
2013-02-02 12:02:36 +01:00
1686e0d184
Fixed #18460 -- Fixed change detection of ReadOnlyPasswordHashField
...
Thanks jose.sanchez et ezeep.com for the report and Vladimir Ulupov
for the initial patch.
2013-01-25 21:27:49 +01:00
cc4de61a2b
Fixed #19596 -- Use `_default_manager` instead of `objects` in the auth app.
...
This is needed to support custom user models which don't define a manager
named `objects`.
2013-01-22 12:47:34 +01:00
cdad0b28d4
Fixed #19573 -- Allow override of username field label in AuthenticationForm
2013-01-10 09:06:04 +01:00
34ee7d9875
Updated deprecated test assertions
2013-01-08 19:08:15 +01:00
a2396a4c8f
Fixed #19173 -- Made EmptyQuerySet a marker class only
...
The guarantee that no queries will be made when accessing results is
done by new EmptyWhere class which is used for query.where and having.
Thanks to Simon Charette for reviewing and valuable suggestions.
2013-01-06 19:18:28 +02:00
4e5369a596
Silenced warnings in the tests of deprecated features.
2012-12-29 22:32:07 +01:00
ef017a5f00
Advanced pending deprecation warnings.
...
Also added stacklevel argument, fixed #18127 .
2012-12-29 21:59:07 +01:00
35d1cd0b28
Fixed #19505 -- A more flexible implementation for customizable admin redirect urls.
...
Work by Julien Phalip.
Refs #8001 , #18310 , #19505 . See also 0b908b92a2
2012-12-24 15:44:19 -03:00
0dc3fc954f
Fixed #19509 -- Fixed crypt/bcrypt non-ascii password encoding
...
Also systematically added non-ascii passwords in hashers test suite.
Thanks Vaal for the report.
2012-12-22 16:04:10 +01:00
9facca28b6
Corrected tests depending on the error message on the AuthenticationForm.
...
Refs #19368 , and the fix introduced in 27f8129d64
2012-12-16 07:18:45 +08:00
27f8129d64
Fixed #19368 -- Ensured that login error messages adapt to changes in the User model.
...
Thanks to un33k for the report.
2012-12-15 22:44:47 +08:00
47e1df896b
Fixed #19412 -- Added PermissionsMixin to the auth.User heirarchy.
...
This makes it easier to make a ModelBackend-compliant (with regards to
permissions) User model.
Thanks to cdestigter for the report about the relationship between
ModelBackend and permissions, and to the many users on django-dev that
contributed to the discussion about mixins.
2012-12-15 22:44:47 +08:00
a2f2a39956
Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.
2012-12-10 22:11:39 +01:00
c91667338a
Fixed #19357 -- Allow non-ASCII chars in filesystem paths
...
Thanks kujiu for the report and Aymeric Augustin for the review.
2012-12-08 11:13:52 +01:00
b64d30405a
Fixed #18697 -- Made values accepted for two customizable admin templates consistent.
...
Thanks and at cloverfastfood dot com for the report.
2012-12-04 01:13:01 -03:00
a0cd6dd11e
Fixed #19349 -- Fixed re-rendering of ReadOnlyPasswordHashWidget
...
Thanks tim.bowden at mapforge.com.au for the report, Andreas Hug
for the patch and Anton Baklanov for the review.
2012-12-01 12:22:43 +01:00
84a5294788
Added missing custom user skip decorator
...
PermissionDeniedBackendTest references User model.
2012-11-30 22:54:42 -08:00
0eeae15056
Fixed #19354 -- Do not assume usermodel.pk == usermodel.id
...
Thanks markteisman at hotmail.com for the report.
2012-11-29 21:45:43 +01:00
a962bc7c45
Updated User manager when testing custom AUTH_USER_MODEL
...
This is giving more real test conditions when AUTH_USER_MODEL is
set with override_settings.
2012-11-24 16:00:00 +01:00
a026e480da
Fixed #16039 -- Made post_syncdb handlers multi-db aware.
...
Also reverted 8fb7a90026#17055 .
2012-11-22 20:53:59 +01:00
Kirill Fomichev
Loic Bistuer
Tim Graham
Simon Charette
Aymeric Augustin
Ramiro Morales
Claude Paroz
Andrew Godwin
Anton Baklanov
Erik Romijn
Jaap Roes
Chris Streeter
Gavin Wahl
Preston Holmes
Baptiste Mispelon
Peter Inglesby
Jorge Bastida
Jacob Burch
Mark Huang
Donald Stufft
Carl Meyer
Luke Plant
Preston Timmons
Alisson
Jacob Kaplan-Moss
matiasb
Florian Apolloner
Horst Gutmann
Russell Keith-Magee
Hiroki Kiyohara
Nick Sandford
Anssi Kääriäinen
Julien Phalip