Commit Graph

239 Commits

Author SHA1 Message Date
Aymeric Augustin a5b062576b Removed a few trailing backslashes.
We have always been at war with trailing backslashes.
2013-09-22 14:04:10 +02:00
Paul McMillan a075e2ad0d Increase default PBKDF2 iterations
Increases the default PBKDF2 iterations, since computers have gotten
faster since 2011. In the future, we plan to increment by 10% per
major version.
2013-09-19 18:02:25 +01:00
Russell Keith-Magee aae5a96d57 Ensure that passwords are never long enough for a DoS.
* Limit the password length to 4096 bytes
  * Password hashers will raise a ValueError
  * django.contrib.auth forms will fail validation
* Document in release notes that this is a backwards incompatible change

Thanks to Josh Wright for the report, and Donald Stufft for the patch.

This is a security fix; disclosure to follow shortly.
2013-09-15 13:42:23 +08:00
Alex Gaynor 96fd5557f9 Removed a ton of unused local vars 2013-09-08 08:05:16 -07:00
Aymeric Augustin 6a6428a36f Took advantage of django.utils.six.moves.urllib.*. 2013-09-05 14:39:23 -05:00
Aymeric Augustin 365c3e8b73 Replaced "not PY3" by "PY2", new in six 1.4.0. 2013-09-02 12:11:02 +02:00
Michał Górny b89c2a5d9e Fixed #18171 -- Checked signature of authenticate() to avoid supressing TypeErrors.
The current auth backend code catches TypeError to detect backends that
do not support specified argumetnts. As a result, any TypeErrors raised
within the actual backend code are silenced.

In Python 2.7+ and 3.2+ this can be avoided by using inspect.getcallargs().
With this method, we can test whether arguments match the signature without
actually calling the function.

Thanks David Eyk for the report.
2013-08-28 07:51:45 -04:00
Claude Paroz 165f44aaaa Combine consecutive with statements
Python 2.7 allows to combine several 'with' instructions.
2013-08-16 20:12:10 +02:00
SusanTan 71c491972e Fixed #11400 -- Passed kwargs from AbstractUser.email_user() to send_mail()
Thanks Jug_ for suggestion, john_scott for the initial patch,
and Tim Graham for code review.
2013-08-14 07:46:11 -04:00
Jacob Kaplan-Moss ae3535169a Fixed is_safe_url() to reject URLs that use a scheme other than HTTP/S.
This is a security fix; disclosure to follow shortly.
2013-08-13 11:06:22 -05:00
ersran9 00d23a13eb Fixed #20828 -- Allowed @permission_required to take a list of permissions
Thanks Giggaflop for the suggestion.
2013-08-10 10:10:18 -04:00
Tim Graham 453915bb12 SQLite test fix -- refs #9057 2013-08-09 10:57:25 -04:00
Tim Graham ddae74b64c Fixed #9057 -- Added default_permissions model meta option.
Thanks hvendelbo for the suggestion and koenb for the draft patch.
2013-08-09 09:19:52 -04:00
Justin Michalicek 6d88d47be6 Fixed #20832 -- Enabled HTML password reset email
Added optional html_email_template_name parameter to password_reset view
and PasswordResetForm.
2013-08-05 09:47:28 -04:00
Alex Gaynor 3e0eb2d788 Fixed a number of lint warnings, particularly around unused variables. 2013-08-04 09:17:10 -07:00
Tim Graham a1889397a9 Fixed #12103 -- Added AuthenticationForm.confirm_login_allowed to allow customizing the logic policy.
Thanks ejucovy and lasko for work on the patch.
2013-07-31 13:54:05 -04:00
Aymeric Augustin 5b47a9c5a0 Fixed a test that could fail depending on PASSWORD_HASHERS.
Thanks Claude. Refs #20760.
2013-07-30 16:14:53 +02:00
Serge G. Spaolonzi e07e4030b9 Fixed #18511 -- Cleaned up admin password reset template titles. 2013-07-27 14:23:04 -04:00
Aymeric Augustin 5dbca13f3b Fixed #20760 -- Reduced timing variation in ModelBackend.
Thanks jpaglier and erikr.
2013-07-23 15:43:12 +02:00
Kirill Fomichev 33242fe015 Fixed #19019 -- Fixed UserAdmin to log password change.
Thanks Tuttle for the report.
2013-07-23 08:33:07 -04:00
Simon Charette 8759778185 Fixed #20675 -- `check_password` should work when no password is specified.
The regression was introduced by 2c4fe761a. refs #20593.
2013-07-03 14:09:58 -04:00
Aymeric Augustin cfcf4b3605 Stopped using django.utils.unittest in the test suite.
Refs #20680.
2013-07-01 14:29:33 +02:00
Ramiro Morales d51b7794bf Removed django.contrib.auth.views.password_reset_confirm_uidb36() view to finish its accelerated deprecation schedule. 2013-06-29 12:22:15 -03:00
Claude Paroz 6118d6d1c9 More import removals
Following the series of commits removing deprecated features in
Django 1.7, here are some more unneeded imports removed and other
minor cleanups.
2013-06-29 11:58:36 +02:00
Ramiro Morales c196564132 Removed custom profile model functionality as per deprecation TL. 2013-06-28 21:48:16 -03:00
Andrew Godwin f325f86971 Fixed #20244: PermissionsMixin now defines a related_query_name for M2Ms 2013-06-27 15:44:22 +01:00
Anton Baklanov cab333cb16 Fixed #20541 -- don't raise db signals twice when creating superuser 2013-06-27 05:58:01 -04:00
Tim Graham 1184d07789 Fixed #14881 -- Modified password reset to work with a non-integer UserModel.pk.
uid is now base64 encoded in password reset URLs/views. A backwards compatible
password_reset_confirm view/URL will allow password reset links generated before
this change to continue to work. This view will be removed in Django 1.7.

Thanks jonash for the initial patch and claudep for the review.
2013-06-26 13:11:47 -04:00
Aymeric Augustin ffcf24c9ce Removed several unused imports. 2013-06-19 17:18:40 +02:00
Erik Romijn aeb1389442 Fixed #20079 -- Improve security of password reset tokens 2013-06-18 20:02:00 +02:00
Erik Romijn 2c4fe761a0 Fixed #20593 -- Allow blank passwords in check_password() and set_password() 2013-06-18 13:32:54 -04:00
Claude Paroz beb652e069 Worked around Python 3.3 modified exception repr
Refs #20599.
2013-06-15 11:14:59 +02:00
Jaap Roes 990f8d92dc Fixed #20599 -- Changed wording of ValueError raised by _load_library
The _load_library method on BasePasswordHasher turns ImportErrors
into ValueErrors, this masks ImportErrors in the algorithm library.
Changed it to a clearer worded error message that includes
the ImportError string.
2013-06-15 10:50:55 +02:00
Aymeric Augustin c6e6d4eeb7 Defined available_apps in relevant tests.
Fixed #20483.
2013-06-10 11:30:01 +02:00
Chris Streeter 69373f3420 Fixed #19925 - Added validation for REQUIRED_FIELDS being a list
Thanks Roman Alexander for the suggestion.
2013-06-07 19:58:41 -04:00
Gavin Wahl 4f4e9243e4 Fixed #20532 -- Reverse auth views by name, not by path.
Auth views should be reversed by name, not their locations in
`django.contrib.auth.views`. This allows substituting your own
implementations of the auth views.
2013-06-03 13:30:40 -04:00
Gavin Wahl 01ae881bb4 Don't hard-code class names when calling static methods
normalize_email should be called on the instance, not the class. This
has the same effect normally but is more helpful to subclassers. When
methods are called directly on the class, subclasses can't override
them.
2013-05-29 16:11:26 -06:00
Preston Holmes d228c1192e Fixed #19866 -- Added security logger and return 400 for SuspiciousOperation.
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.

Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.
2013-05-25 16:27:34 -07:00
Andrew Godwin 1514f17aa6 Rotate CSRF token on login 2013-05-24 22:15:08 +01:00
Baptiste Mispelon 3cb1e9b93c Fix test failure introduced by 980ae2ab29. 2013-05-19 16:51:36 +02:00
Baptiste Mispelon 980ae2ab29 Fix #20447: URL names given to contrib.auth.views are now resolved.
This commit also adds tests for the redirect feature of most auth views.
It also cleans up the tests, most notably using @override_settings instead
of ad-hoc setUp/tearDown methods.

Thanks to caumons for the report.

Conflicts:
	docs/releases/1.6.txt
2013-05-19 14:36:38 +02:00
Jorge Bastida dc43fbc2f2 Fixed #18998 - Prevented session crash when auth backend removed
Removing a backend configured in AUTHENTICATION_BACKENDS should not
raise an exception for existing sessions, but should make already
logged-in users disconnect.
Thanks Bradley Ayers for the report.
2013-05-18 15:58:29 +02:00
Jacob Burch 340115200f Fixed #20432 -- Test failure in admin_views.
The failure was triggered by a cache leak.
2013-05-18 13:13:33 +02:00
Mark Huang 0732c8e8c6 Fixed #20357 -- Allow empty username field label in `AuthentificationForm`. 2013-05-16 11:41:52 -04:00
Donald Stufft 8f0a4665d6 Recommend using the bcrypt library instead of py-bcrypt
* py-bcrypt has not been updated in some time
* py-bcrypt does not support Python3
* py3k-bcrypt, a port of py-bcrypt to python3 is not compatible
  with Django
* bcrypt is supported on all versions of Python that Django
  supports
2013-05-13 23:49:00 -04:00
Carl Meyer 9012833af8 Fixed #17365, #17366, #18727 -- Switched to discovery test runner.
Thanks to Preston Timmons for the bulk of the work on the patch, especially
updating Django's own test suite to comply with the requirements of the new
runner. Thanks also to Jannis Leidel and Mahdi Yusuf for earlier work on the
patch and the discovery runner.

Refs #11077, #17032, and #18670.
2013-05-10 23:08:45 -04:00
Preston Holmes a49e7dd2a3 Fixed #20114 -- support custom project login_url in tests
Thanks to Matias Bordese for the patch
2013-04-05 09:03:28 -07:00
Preston Timmons fde2e4fd6e Modified auth to work with unittest2 discovery. 2013-04-02 21:59:45 -06:00
Jacob Kaplan-Moss 9e462f8101 Fixed #20078: don't allow filtering on password in the user admin. 2013-03-27 11:24:36 -05:00
Donald Stufft 25f2acfed0 Fixed #20138 -- Added BCryptSHA256PasswordHasher
BCryptSHA256PasswordHasher pre-hashes the users password using
SHA256 to prevent the 72 byte truncation inherient in the BCrypt
algorithm.
2013-03-26 13:26:57 -04:00