Tim Graham
1285ca67eb
Fixed #16919 -- Passed user to set_password_form in GET requests.
...
Thanks Jaime Irurzun for the report and initial patch and
ejucovy for the test.
2013-10-02 13:28:15 -04:00
Florian Apolloner
5d74853e15
Revert "Ensure that passwords are never long enough for a DoS."
...
This reverts commit aae5a96d57
.
This fix is no longer necessary, our pbkdf2 (see next commit) implementation
no longer rehashes the password every iteration.
2013-09-24 21:01:21 +02:00
Michał Lech
53c7d66869
Marked PermissionsMixin.user_permissions help_text for translation
2013-09-24 07:36:24 -04:00
Aymeric Augustin
a5b062576b
Removed a few trailing backslashes.
...
We have always been at war with trailing backslashes.
2013-09-22 14:04:10 +02:00
Paul McMillan
a075e2ad0d
Increase default PBKDF2 iterations
...
Increases the default PBKDF2 iterations, since computers have gotten
faster since 2011. In the future, we plan to increment by 10% per
major version.
2013-09-19 18:02:25 +01:00
Tim Graham
18ffdb1772
Fixed #17627 -- Renamed util.py files to utils.py
...
Thanks PaulM for the suggestion and Luke Granger-Brown and
Wiktor Kołodziej for the initial patch.
2013-09-16 12:52:05 -04:00
Russell Keith-Magee
aae5a96d57
Ensure that passwords are never long enough for a DoS.
...
* Limit the password length to 4096 bytes
* Password hashers will raise a ValueError
* django.contrib.auth forms will fail validation
* Document in release notes that this is a backwards incompatible change
Thanks to Josh Wright for the report, and Donald Stufft for the patch.
This is a security fix; disclosure to follow shortly.
2013-09-15 13:42:23 +08:00
Gregor MacGregor
b2b763448f
Fixed #20841 -- Added messages to NotImplementedErrors
...
Thanks joseph at vertstudios.com for the suggestion.
2013-09-10 11:09:59 -04:00
Alex Gaynor
96fd5557f9
Removed a ton of unused local vars
2013-09-08 08:05:16 -07:00
Alex Gaynor
2530735d2d
Fixed a number of flake8 errors -- particularly around unused imports and local variables
2013-09-06 21:56:40 -07:00
Aymeric Augustin
6a6428a36f
Took advantage of django.utils.six.moves.urllib.*.
2013-09-05 14:39:23 -05:00
Aymeric Augustin
365c3e8b73
Replaced "not PY3" by "PY2", new in six 1.4.0.
2013-09-02 12:11:02 +02:00
Simon Charette
11cd7388f7
Fixed #20989 -- Removed useless explicit list comprehensions.
2013-08-30 10:57:51 -04:00
Tim Graham
c7d0ff0cad
Fixed #20989 -- Removed explicit list comprehension inside dict() and tuple()
...
Thanks jeroen.pulles at redslider.net for the suggestion and
helper script.
2013-08-29 12:11:03 -04:00
Tim Graham
cf8d6e9108
Fixed #20881 -- Removed contrib.auth.models.AbstractUser.get_absolute_url()
...
The definition is arbitrary and creates a broken "view on site"
link in the admin if a project doesn't define such a URL.
2013-08-29 06:36:35 -04:00
Michał Górny
b89c2a5d9e
Fixed #18171 -- Checked signature of authenticate() to avoid supressing TypeErrors.
...
The current auth backend code catches TypeError to detect backends that
do not support specified argumetnts. As a result, any TypeErrors raised
within the actual backend code are silenced.
In Python 2.7+ and 3.2+ this can be avoided by using inspect.getcallargs().
With this method, we can test whether arguments match the signature without
actually calling the function.
Thanks David Eyk for the report.
2013-08-28 07:51:45 -04:00
Andrew Godwin
b6a957f0ba
Merge remote-tracking branch 'core/master' into schema-alteration
...
Conflicts:
docs/ref/django-admin.txt
2013-08-19 18:30:48 +01:00
Claude Paroz
165f44aaaa
Combine consecutive with statements
...
Python 2.7 allows to combine several 'with' instructions.
2013-08-16 20:12:10 +02:00
SusanTan
71c491972e
Fixed #11400 -- Passed kwargs from AbstractUser.email_user() to send_mail()
...
Thanks Jug_ for suggestion, john_scott for the initial patch,
and Tim Graham for code review.
2013-08-14 07:46:11 -04:00
Jacob Kaplan-Moss
ae3535169a
Fixed is_safe_url() to reject URLs that use a scheme other than HTTP/S.
...
This is a security fix; disclosure to follow shortly.
2013-08-13 11:06:22 -05:00
ersran9
00d23a13eb
Fixed #20828 -- Allowed @permission_required to take a list of permissions
...
Thanks Giggaflop for the suggestion.
2013-08-10 10:10:18 -04:00
Tim Graham
453915bb12
SQLite test fix -- refs #9057
2013-08-09 10:57:25 -04:00
Andrew Godwin
588b523233
Merge remote-tracking branch 'core/master' into schema-alteration
...
Conflicts:
django/db/models/options.py
2013-08-09 14:37:37 +01:00
Tim Graham
ddae74b64c
Fixed #9057 -- Added default_permissions model meta option.
...
Thanks hvendelbo for the suggestion and koenb for the draft patch.
2013-08-09 09:19:52 -04:00
Andrew Godwin
de64c4d6e9
Merge remote-tracking branch 'core/master' into schema-alteration
...
Conflicts:
django/core/management/commands/flush.py
django/core/management/commands/syncdb.py
django/db/models/loading.py
docs/internals/deprecation.txt
docs/ref/django-admin.txt
docs/releases/1.7.txt
2013-08-09 14:17:30 +01:00
Justin Michalicek
6d88d47be6
Fixed #20832 -- Enabled HTML password reset email
...
Added optional html_email_template_name parameter to password_reset view
and PasswordResetForm.
2013-08-05 09:47:28 -04:00
Alex Gaynor
3e0eb2d788
Fixed a number of lint warnings, particularly around unused variables.
2013-08-04 09:17:10 -07:00
Curtis Maloney
07876cf02b
Deprecated SortedDict (replaced with collections.OrderedDict)
...
Thanks Loic Bistuer for the review.
2013-08-04 07:09:39 -04:00
Tim Graham
425d076d0c
Fixed #18923 -- Corrected usage of sensitive_post_parameters in contrib.auth
...
Thanks Collin Anderson for the report.
2013-08-02 14:46:17 -04:00
Tim Graham
a1889397a9
Fixed #12103 -- Added AuthenticationForm.confirm_login_allowed to allow customizing the logic policy.
...
Thanks ejucovy and lasko for work on the patch.
2013-07-31 13:54:05 -04:00
Aymeric Augustin
5b47a9c5a0
Fixed a test that could fail depending on PASSWORD_HASHERS.
...
Thanks Claude. Refs #20760 .
2013-07-30 16:14:53 +02:00
Andrew Godwin
12e9804d16
Rename allow_syncdb to allow_migrate
2013-07-30 12:08:59 +01:00
Andrew Godwin
68e0a169c4
Rename pre_ and post_syncdb to *_migrate, with aliases from old names
2013-07-30 11:52:52 +01:00
Claude Paroz
fdd7a355bf
Deprecated django.utils.importlib
...
This was a shim for pre-Python 2.7 support.
2013-07-29 17:10:22 +02:00
Serge G. Spaolonzi
e07e4030b9
Fixed #18511 -- Cleaned up admin password reset template titles.
2013-07-27 14:23:04 -04:00
Aymeric Augustin
5dbca13f3b
Fixed #20760 -- Reduced timing variation in ModelBackend.
...
Thanks jpaglier and erikr.
2013-07-23 15:43:12 +02:00
Kirill Fomichev
33242fe015
Fixed #19019 -- Fixed UserAdmin to log password change.
...
Thanks Tuttle for the report.
2013-07-23 08:33:07 -04:00
Loic Bistuer
3a00229189
Cleaned up UserAdmin.get_form() that worked around a bug fixed in 23e1b59
.
...
Refs #18681 .
2013-07-18 23:59:45 +07:00
Tim Graham
f407f75aae
Fixed #20673 -- Clarified that HttpRequest.user uses AUTH_USER_MODEL.
...
Thanks littlepig for the report.
2013-07-04 09:32:32 -04:00
Simon Charette
8759778185
Fixed #20675 -- `check_password` should work when no password is specified.
...
The regression was introduced by 2c4fe761a
. refs #20593 .
2013-07-03 14:09:58 -04:00
Aymeric Augustin
cfcf4b3605
Stopped using django.utils.unittest in the test suite.
...
Refs #20680 .
2013-07-01 14:29:33 +02:00
Ramiro Morales
d51b7794bf
Removed django.contrib.auth.views.password_reset_confirm_uidb36() view to finish its accelerated deprecation schedule.
2013-06-29 12:22:15 -03:00
Claude Paroz
6118d6d1c9
More import removals
...
Following the series of commits removing deprecated features in
Django 1.7, here are some more unneeded imports removed and other
minor cleanups.
2013-06-29 11:58:36 +02:00
Aymeric Augustin
c8756e17fb
Removed obsolete comment. Refs #20079 .
...
Thanks Gavin Wahl.
2013-06-29 11:42:34 +02:00
Ramiro Morales
c196564132
Removed custom profile model functionality as per deprecation TL.
2013-06-28 21:48:16 -03:00
Ramiro Morales
f02a703ca6
Removed AuthenticationForm.check_for_test_cookie() as per deprecation TL.
2013-06-28 21:48:15 -03:00
Andrew Godwin
f325f86971
Fixed #20244 : PermissionsMixin now defines a related_query_name for M2Ms
2013-06-27 15:44:22 +01:00
Anton Baklanov
cab333cb16
Fixed #20541 -- don't raise db signals twice when creating superuser
2013-06-27 05:58:01 -04:00
Tim Graham
1184d07789
Fixed #14881 -- Modified password reset to work with a non-integer UserModel.pk.
...
uid is now base64 encoded in password reset URLs/views. A backwards compatible
password_reset_confirm view/URL will allow password reset links generated before
this change to continue to work. This view will be removed in Django 1.7.
Thanks jonash for the initial patch and claudep for the review.
2013-06-26 13:11:47 -04:00
Simon Charette
b91787910c
Fixed #20642 -- Deprecated `Option.get_(add|change|delete)_permission`.
...
Those methods were only used by `contrib.admin` internally and exclusively
related to `contrib.auth`. Since they were undocumented but used
in the wild the raised deprecation warning point to an also undocumented
alternative that lives in `contrib.auth`.
Also did some PEP8 and other cleanups in the affected modules.
2013-06-25 12:22:37 -04:00