Commit Graph

694 Commits

Author SHA1 Message Date
Jorge C. Leitão 2e364a0aac Fixed #15716 - Authentication backends can short-circuit authorization.
Authorization backends can now raise PermissionDenied in "has_perm"
and "has_module_perms" to short-circuit authorization process.
2014-05-16 12:57:38 -04:00
Erik Romijn 255449c1ee Added additional checks in is_safe_url to account for flexible parsing.
This is a security fix. Disclosure following shortly.
2014-05-14 10:19:48 +02:00
Alex Gaynor 2bcb8bfc8d Fix many many typos in comments throughout the codebase 2014-04-26 10:18:45 -07:00
Tim Graham 9e7f86b890 Fixed #22515 -- Fixed the object_id of the LogEntry that's created after a user password change in the admin.
Thanks ross at servercode.co.uk for the report.
2014-04-25 08:20:25 -04:00
Aymeric Augustin 428c0bbe1b Appeased flake8 2.1.0. 2014-04-21 12:27:34 +02:00
Tim Graham 11e30b684d Fixed a KeyError on login with legacy sessions; refs #21649.
Thanks Loic for the report.
2014-04-17 19:57:20 -04:00
John Paulett b5a9166f7e Fixed #22364 -- Sanitized getpass input in changepassword.
Python 2 getpass on Windows does not accept unicode, even
when containing on ASCII characters. Related #190807.
2014-04-10 13:15:37 -04:00
Tim Graham b513fa5fc6 Fixed #22195 -- Used constants to define built-in tags for check framework.
Thanks Elvard for the patch.
2014-04-10 08:45:48 -04:00
Aymeric Augustin 2791fbf59d Used more specific test assertions. 2014-04-09 22:20:22 +02:00
Anubhav Joshi cd914e31c9 Fixed #21977 -- Deprecated SimpleTestCase.urls 2014-04-06 17:33:43 -04:00
Tim Graham fd23c06023 Fixed #21649 -- Added optional invalidation of sessions when user password changes.
Thanks Paul McMillan, Aymeric Augustin, and Erik Romijn for reviews.
2014-04-05 12:50:51 -04:00
Tim Graham d73d0e071c Fixed #22218 -- Deprecated django.conf.urls.patterns.
Thanks Carl Meyer for the suggestion and Alex Gaynor and Carl for reviews.
2014-04-03 07:28:10 -04:00
Tim Graham 246face209 Fixed #22362 -- Improved AuthenticationMiddleware assertion message.
Thanks Keryn Knight.
2014-03-31 08:10:59 -04:00
Tim Graham ed4c2e1c0d Fixed #22329 -- Used label_tag() in some admin auth templates.
refs #17922.
2014-03-29 08:54:56 -04:00
Tim Graham 6d1ae5e27c Removed reading of old 'django_language' session variable per deprecation timeline.
refs #5789.
2014-03-21 09:53:16 -04:00
Ramiro Morales 1d42a86ec7 Tweak password admin change form view context. Refs #21293. 2014-03-11 09:52:43 -03:00
James Jenkins ec675ed6cc Fixed #22070 -- Changed verbose_name for apps in django.contrib to use title case
Thanks bendavis78 for the report.
2014-03-06 18:43:04 -05:00
Rodolfo Carvalho 0d91225892 Fixed many typos in comments and docstrings.
Thanks Piotr Kasprzyk for help with the patch.
2014-03-03 07:38:09 -05:00
Russell Keith-Magee 84207b6134 Edited contrib.auth check messages for grammar and consistency. 2014-03-03 13:39:58 +08:00
Claude Paroz 27e9069710 Allowed some auth tests to be run independently 2014-02-23 20:05:45 +01:00
Erik Romijn 8cd32f0965 Fixed #22120 -- Documented persistent activation of languages and cleaned up language session key use 2014-02-22 18:29:06 +01:00
Tim Graham e1c8bc8fea Fixed #21790 -- Removed reliance on an assert in auth.get_user().
Thanks matklad for the report.
2014-02-18 14:23:38 -05:00
Tim Graham 20f455b3d6 flake8 fixes (unused imports and variables). 2014-02-18 11:33:30 -05:00
Baptiste Mispelon 6b310bafc5 Fixed broken tests when running with a non-TTY stdin. 2014-02-18 11:36:07 +01:00
Baptiste Mispelon 2a9ee49f3c Removed BaseCommand.stdin introduced in 116d39842d.
This option is not actually very useful in the general case
because it doesn't override sys.stdin.

It's still marginally useful for testing some features of
the createsuperuser command so it was moved there.
This commit also makes the detection of a TTY in createsuperuser
a bit more robust, after a suggestion of appolo13.
2014-02-18 11:36:06 +01:00
Baptiste Mispelon b78f9a12c8 Consolidated all tests for createsuperuser in the same TestCase. 2014-02-18 11:36:06 +01:00
Baptiste Mispelon a7639722f5 Fixed #7423 -- Skip superuser creation when not running in a TTY.
Thanks to trac user galaxy4sale for the original report
and to AeroNotix for the patch.
2014-02-17 04:58:31 +01:00
Berker Peksag 5d263dee30 Fixed #21674 -- Deprecated the import_by_path() function in favor of import_string().
Thanks Aymeric Augustin for the suggestion and review.
2014-02-08 11:12:19 -05:00
Aymeric Augustin f9698c4391 Suppressed the `if Site._meta.installed` pattern.
The purpose of this construct is to test if the django.contrib.sites
application is installed. But in Django 1.9 it will be forbidden to
import the Site model when the django.contrib.sites application isn't
installed.

No model besides Site used this pattern.

Refs #21719, #21923.
2014-02-01 20:38:15 +01:00
Aymeric Augustin f901b4d6c8 Took advantage of the new get_model API. Refs #21702. 2014-01-26 13:08:05 +01:00
Aymeric Augustin 9ffab9cee1 Moved RequestSite and get_current_site.
Following the app-loading refactor, these objects must live outside of
django.contrib.sites.models because they must be available without
importing the django.contrib.sites.models module when
django.contrib.sites isn't installed.

Refs #21680. Thanks Carl and Loic for reporting this issue.
2014-01-26 08:50:47 +01:00
Aymeric Augustin 2ff93e027c Fixed #21829 -- Added default AppConfigs.
Thanks Russell for the report, Marc for the initial patch, Carl for the
final review, and everyone who contributed to the design discussion.
2014-01-25 10:41:56 +01:00
Russell Keith-Magee d818e0c9b2 Fixed #16905 -- Added extensible checks (nee validation) framework
This is the result of Christopher Medrela's 2013 Summer of Code project.

Thanks also to Preston Holmes, Tim Graham, Anssi Kääriäinen, Florian
Apolloner, and Alex Gaynor for review notes along the way.

Also: Fixes #8579, fixes #3055, fixes #19844.
2014-01-20 10:45:21 +08:00
Marc Tamlyn 2607fa9016 Fixed #21774 -- Isolate all test urls from eachother.
This (nearly) completes the work to isolate all the test modules from
each other. This is now more important as importing models from another
module will case PendingDeprecationWarnings if those modules are not in
INSTALLED_APPS. The only remaining obvious dependencies are:

- d.c.auth depends on d.c.admin (because of the is_admin flag to some
  views), but this is not so important and d.c.admin is in
  always_installed_apps
- test_client_regress depends on test_client. Eventually these should
  become a single module, as the split serves no useful purpose.
2014-01-14 15:43:27 +00:00
Aymeric Augustin d562527a16 Fixed #21477 -- Renamed db to using in pre/post_migrate signals. 2014-01-12 22:24:33 +01:00
Andrew Godwin f343f5e538 Fix wording of auth superuser post-migrate handler 2014-01-08 13:06:53 +00:00
Aymeric Augustin 27afd302c6 Fixed #21675 -- Added app configs for contrib apps. 2014-01-05 21:18:33 +01:00
Aymeric Augustin e5bcd1d455 Changed get_validation_errors to use an app config. 2013-12-29 21:48:58 +01:00
Aymeric Augustin 21f22f9544 Added Apps.clear_cache().
This avoid leaking implementation details to tests that swap models.
2013-12-29 20:43:10 +01:00
Aymeric Augustin 82aadbb5d5 Fixed a typo.
Thanks Simon.
2013-12-29 20:35:58 +01:00
Aymeric Augustin 7b88a96553 Added AppConfig.get_models(). 2013-12-29 20:31:59 +01:00
Aymeric Augustin 308960b92a Cleared get_models cache when swapping User model.
Thanks Florian for isolating the shortest way to reproduce this issue:

./runtests.py \
    django.contrib.auth.tests.test_context_processors.AuthContextProcessorTests.test_perms_attrs \
    django.contrib.auth.tests.test_auth_backends.ChangedBackendSettingsTest.test_changed_backend_settings \
    django.contrib.auth.tests.test_auth_backends.CustomUserModelBackendAuthenticateTest.test_authenticate \
    django.contrib.auth.tests.test_basic.BasicTestCase.test_createsuperuser_management_command
2013-12-29 18:25:22 +01:00
Aymeric Augustin 00110904ac Refactored the migration signals to use app configs.
De-aliased pre/post_syncdb to pre/post_migrate to increase
backwards-compatibility.
2013-12-29 17:53:42 +01:00
Aymeric Augustin ba7206cd81 Changed get_model to raise an exception on errors.
Returning None on errors required unpythonic error checking and was
inconsistent with get_app_config.

get_model was a private API until the previous commit, but given that it
was certainly used in third party software, the change is explained in
the release notes.

Applied the same change to get_registered_model, which is a new private
API introduced during the recent refactoring.
2013-12-28 20:53:00 +01:00
Aymeric Augustin 8f04f53dd8 Removed a few gratuitous lambdas. 2013-12-26 14:03:50 +01:00
Tim Graham 4e7aa573ec Added missing newline in previous commit. 2013-12-26 07:52:31 -05:00
Jon Lønne 398642fd9b Fixed #21627 -- Added unicode_literals to changepassword command.
Fixed a crash when executing changepassword command when the user object
representation contained non-ASCII characters.
2013-12-26 07:35:50 -05:00
Aymeric Augustin 1716b7ce5a Renamed AppCache to Apps.
Also renamed app_cache to apps and "app cache" to "app registry".

Deprecated AppCache.app_cache_ready() in favor of Apps.ready().
2013-12-24 12:25:17 +01:00
Aymeric Augustin e32095616c Imported override_settings from its new location. 2013-12-23 21:37:56 +01:00
Aymeric Augustin 5891990b6e Refactored INSTALLED_APPS overrides.
* Introduced [un]set_installed_apps to handle changes to the
  INSTALLED_APPS setting.
* Refactored [un]set_available_apps to share its implementation
  with [un]set_installed_apps.
* Implemented a receiver to clear some app-related caches.
* Removed test_missing_app as it is basically impossible to reproduce
  this situation with public methods of the new app cache.
2013-12-23 20:15:08 +01:00
Aymeric Augustin 2fef9e5375 Moved apps back in the toplevel django namespace.
Reverted 4a56a93cc4.
2013-12-22 11:39:55 +01:00
Aymeric Augustin 4a56a93cc4 Moved the new app cache inside core. 2013-12-17 10:17:46 +01:00
Aymeric Augustin 69039becde Deprecated get_app(). 2013-12-17 10:17:45 +01:00
Aymeric Augustin 8662654d6d Removed module-level functions for the app cache.
Since the original ones in django.db.models.loading were kept only for
backwards compatibility, there's no need to recreate them. However, many
internals of Django still relied on them.

They were also imported in django.db.models. They never appear in the
documentation, except a quick mention of get_models and get_app in the
1.2 release notes to document an edge case in GIS. I don't think that
makes them a public API.

This commit doesn't change the overall amount of global state but
clarifies that it's tied to the app_cache object instead of hiding it
behind half a dozen functions.
2013-12-17 10:17:44 +01:00
Aymeric Augustin 860c2c8bc5 Moved django.db.models.loading to django.apps.cache.
This commit doesn't contain any code changes; it's purely a refactoring.
2013-12-17 10:17:43 +01:00
Bartolomé Sánchez 8f994f1bcc Fixed #21250 -- Made HTTP auth user header configurable in tests
Currently, if the authentication mechanism uses a custom HTTP header
and not REMOTE_USER, it is not easy to test. This commit modifies
remote user tests in order to make them more generic.
2013-12-14 13:02:56 -05:00
Loic Bistuer 6685713869 Fixed E127 pep8 warnings. 2013-12-14 11:59:15 -05:00
Ludwik Trammer 9922ed46e2 Fixed #21473 -- Limited language preservation to logout
Current language is no longer saved to session by LocaleMiddleware
on  every response (the behavior introduced in #14825).
Instead language stored in session is reintroduced into new session
after logout.

Forward port of c558a43fd6 to master.
2013-12-12 10:24:43 +01:00
Loic Bistuer a2814846ca Fixed E124 pep8 warnings. 2013-12-10 15:12:48 -05:00
Tim Graham fddb0131d3 Fixed #21535 -- Fixed password hash iteration upgrade.
Thanks jared_mess for the report.
2013-11-30 14:18:37 -05:00
Tim Graham f3e7ab366c Removed gender-based pronouns per [c0a2daad78]. 2013-11-30 08:37:15 -05:00
Alex Gaynor 9af7e18f35 Fixed an unescisarily gendered pronoun in a docstring 2013-11-29 16:57:36 -06:00
Christopher Medrela 7477a4ffde Fixed E125 pep8 warnings 2013-11-28 08:50:11 -05:00
Matt Robenolt 3560ef043e Propagate get_user_model exception from get_user
Fixes #21439
2013-11-14 12:02:26 -08:00
Bouke Haarsma 4142d15102 Fixed #21388 -- Corrected language code for Frisian 2013-11-11 13:34:01 +01:00
Tim Graham d15985d81f Fixed #21398 -- Fixed BCryptSHA256PasswordHasher with py-bcrypt and Python 3.
Thanks arjan at anymore.nl for the report.
2013-11-09 10:11:50 -05:00
Ramiro Morales a9093dd376 Fixed #21387 -- Merge two very similar help texts. 2013-11-06 00:35:20 -03:00
Tim Graham 36ded01527 Fixed #21302 -- Fixed unused imports and import *. 2013-11-02 15:24:56 -04:00
Alex Gaynor 726ded5708 Started attackign the next flake8 violation 2013-10-31 08:42:28 -07:00
Alex Gaynor 9bf5610890 Start attacking E231 violations 2013-10-24 10:30:03 -07:00
Alasdair Nicol c3aa2948c6 Fixed #21298 -- Fixed E301 pep8 warnings 2013-10-23 13:45:03 +01:00
Tim Graham 1597503a01 Fixed E221 pep8 warnings. 2013-10-22 09:51:39 -04:00
Loic Bistuer e565e1332d Fixed #21275 -- Fixed a serializer error when generating migrations for contrib.auth.
The migration serializer now looks for a deconstruct method on any object.
2013-10-21 14:54:52 -04:00
Florian Apolloner 7d0d0dbf26 Force update of the password on iteration count changes. 2013-10-21 20:31:28 +02:00
Alasdair Nicol b289fcf1bf Fixed #21288 -- Fixed E126 pep8 warnings 2013-10-21 08:31:30 -04:00
Claude Paroz 5f52590368 Fixed #21291 -- Ensured inactive users cannot reset their passwords
Thanks kz26 for the report and the suggested fix. Refs #19758.
2013-10-19 10:43:06 +02:00
Claude Paroz 59a8808632 Cleaned formatting/comments in PasswordResetFormTest 2013-10-19 10:43:06 +02:00
Tim Graham ac4fec5ca2 Fixed bug causing CSRF token not to rotate on login.
Thanks Gavin McQuillan for the report.
2013-10-18 08:31:19 -04:00
Alasdair Nicol a800036981 Fixed #21287 -- Fixed E123 pep8 warnings 2013-10-18 10:07:39 +01:00
Alasdair Nicol bab9123daa Fixed #21268 -- Fixed E303 pep8 warnings 2013-10-18 01:46:24 +01:00
Alasdair Nicol dfb4cb9970 Fixed #21285 -- Fixed E121,E122 pep8 warnings 2013-10-17 20:20:11 -04:00
Bouke Haarsma 2fb5a51fa3 Fixed #18659 -- Deprecated request.REQUEST and MergeDict
Thanks Aymeric Augustin for the suggestion.
2013-10-17 09:42:28 -04:00
Tim Graham 91c77eeab8 Avoided hardcoding Permission.name max_length
refs #18866.
2013-10-16 11:31:07 -04:00
joaoxsouls 1ab27e9a65 Fixed #18866 -- added validation error for verbose_name longer than 39 characters
Added a validation error check when creating the permissions for model, to avoid
cryptic database error when the verbose_name is longer than 39 characters
thanks elena for reporting it
2013-10-14 14:19:35 +01:00
Claude Paroz ef22d512b5 Imported custom user classes in tests depending on it
Without those imports, affected test files cannot be run
independently. Refs #21164.
2013-10-14 10:14:24 +02:00
Tim Graham 1dae4ac177 Whitespace cleanup.
* Removed trailing whitespace.
* Added newline to EOF if missing.
* Removed blank lines at EOF.
* Removed some stray tabs.
2013-10-10 16:49:20 -04:00
Tim Graham adedc31072 Fixed "redefinition of unused 'foo' from line X" pyflakes warnings. 2013-10-10 11:09:42 -04:00
Russell Keith-Magee ddb53856b6 Fixed #21164 -- Added documentation for issue with test users.
The package renaming restores the older package names (which were also the
documented package names). This doesn't affect test discovery because the
module in question doesn't contain any tests.

Thanks to Carl for the design discussion.
2013-10-08 10:32:56 +08:00
Tim Graham 1285ca67eb Fixed #16919 -- Passed user to set_password_form in GET requests.
Thanks Jaime Irurzun for the report and initial patch and
ejucovy for the test.
2013-10-02 13:28:15 -04:00
Florian Apolloner 5d74853e15 Revert "Ensure that passwords are never long enough for a DoS."
This reverts commit aae5a96d57.

This fix is no longer necessary, our pbkdf2 (see next commit) implementation
no longer rehashes the password every iteration.
2013-09-24 21:01:21 +02:00
Michał Lech 53c7d66869 Marked PermissionsMixin.user_permissions help_text for translation 2013-09-24 07:36:24 -04:00
Aymeric Augustin a5b062576b Removed a few trailing backslashes.
We have always been at war with trailing backslashes.
2013-09-22 14:04:10 +02:00
Paul McMillan a075e2ad0d Increase default PBKDF2 iterations
Increases the default PBKDF2 iterations, since computers have gotten
faster since 2011. In the future, we plan to increment by 10% per
major version.
2013-09-19 18:02:25 +01:00
Tim Graham 18ffdb1772 Fixed #17627 -- Renamed util.py files to utils.py
Thanks PaulM for the suggestion and Luke Granger-Brown and
Wiktor Kołodziej for the initial patch.
2013-09-16 12:52:05 -04:00
Russell Keith-Magee aae5a96d57 Ensure that passwords are never long enough for a DoS.
* Limit the password length to 4096 bytes
  * Password hashers will raise a ValueError
  * django.contrib.auth forms will fail validation
* Document in release notes that this is a backwards incompatible change

Thanks to Josh Wright for the report, and Donald Stufft for the patch.

This is a security fix; disclosure to follow shortly.
2013-09-15 13:42:23 +08:00
Gregor MacGregor b2b763448f Fixed #20841 -- Added messages to NotImplementedErrors
Thanks joseph at vertstudios.com for the suggestion.
2013-09-10 11:09:59 -04:00
Alex Gaynor 96fd5557f9 Removed a ton of unused local vars 2013-09-08 08:05:16 -07:00
Alex Gaynor 2530735d2d Fixed a number of flake8 errors -- particularly around unused imports and local variables 2013-09-06 21:56:40 -07:00
Aymeric Augustin 6a6428a36f Took advantage of django.utils.six.moves.urllib.*. 2013-09-05 14:39:23 -05:00
Aymeric Augustin 365c3e8b73 Replaced "not PY3" by "PY2", new in six 1.4.0. 2013-09-02 12:11:02 +02:00