Commit Graph

34 Commits

Author SHA1 Message Date
Malcolm Tredinnick 4084bc7354 Permit custom from-email address in auth forms email.
Patch from cassidy and Rob Hudson. Fixed #11300.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@13817 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-09-12 22:38:01 +00:00
Jacob Kaplan-Moss 6e748b5db4 Fixed #11457: tightened the security check for "next" redirects after logins.
The new behavior still disallows redirects to off-site URLs, but now allows
redirects of the form `/some/other/view?foo=http://...`.

Thanks to brutasse.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@12635 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-01 19:58:53 +00:00
Luke Plant 7230a995ce Moved contrib.csrf.* to core code.
There is stub code for backwards compatiblity with Django 1.1 imports.

The documentation has been updated, but has been left in
docs/contrib/csrf.txt for now, in order to avoid dead links to
documentation on the website.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27 00:36:34 +00:00
Luke Plant 8e70cef9b6 Fixed #9977 - CsrfMiddleware gets template tag added, session dependency removed, and turned on by default.
This is a large change to CSRF protection for Django.  It includes:

 * removing the dependency on the session framework.
 * deprecating CsrfResponseMiddleware, and replacing with a core template tag.
 * turning on CSRF protection by default by adding CsrfViewMiddleware to
   the default value of MIDDLEWARE_CLASSES.
 * protecting all contrib apps (whatever is in settings.py)
   using a decorator.

For existing users of the CSRF functionality, it should be a seamless update,
but please note that it includes DEPRECATION of features in Django 1.1,
and there are upgrade steps which are detailed in the docs.

Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work
on the patch, and to lots of other people including Simon Willison and
Russell Keith-Magee who refined the ideas.

Details of the rationale for these changes is found here:

http://code.djangoproject.com/wiki/CsrfProtection

As of this commit, the CSRF code is mainly in 'contrib'.  The code will be
moved to core in a separate commit, to make the changeset as readable as
possible.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26 23:23:07 +00:00
Luke Plant c46ddbf1fc Fixed #8274 - allow custom forms for auth 'login' and 'password_change' views
Thanks to julien for the suggestion and patch, and SmileyChris for work on the patch.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@11618 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-12 15:32:24 +00:00
Jacob Kaplan-Moss 3e6f4674e2 Fixed #10460: the logout view can now redirect like the rest of the auth views. Thanks, chronos and steingrd.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10332 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-01 17:02:32 +00:00
Jacob Kaplan-Moss 19b9211a3b Fixed #9881: Added the to the login view context, not just the site's name. Thanks, nessita.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10330 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-01 16:37:48 +00:00
Brian Rosner ab26efc952 Fixed #8493 -- Fixed a NoReverseMatch when redirecting to password_change/done/ in the admin. Added the ability to override redirects to other password change views for consistency. Thanks for the report mtrichardson.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8473 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-23 03:26:01 +00:00
Gary Wilson Jr 3bb50169d9 Removed unused and redefined imports.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8386 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-15 17:42:13 +00:00
Gary Wilson Jr 415bf3efb3 Fixed #7364 -- Never cache the contrib.auth login view.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8383 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-15 17:10:14 +00:00
Jacob Kaplan-Moss bb30805452 Fixed #8131: use reverse() in auth views. Patch from davenaff.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8334 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-12 23:31:31 +00:00
Brian Rosner a7d3c92767 Fixed #8202 -- Moved user_change_password to UserAdmin. This enables seamless integration of a custom UserAdmin. Thanks ElliottM for catching this.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8283 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-10 09:43:48 +00:00
Luke Plant 079e5bf1ec Added a login link to the password reset completion screen.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8171 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-01 16:13:12 +00:00
Luke Plant fcd837cd0f Fixed #7723 - implemented a secure password reset form that uses a token and prompts user for new password.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8162 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-07-31 20:47:53 +00:00
Brian Rosner a19ed8aea3 Merged the newforms-admin branch into trunk.
This is a backward incompatible change. The admin contrib app has been
refactored. The newforms module has several improvements including FormSets
and Media definitions.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@7967 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-07-18 23:54:34 +00:00
Adrian Holovaty fbef599f60 Fixed #6306 -- redirect_to_login() helper function now quotes the URL arguments correctly. Thanks, SmileyChris
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7749 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-26 04:11:53 +00:00
Adrian Holovaty 54f7da3a27 Fixed #7274 -- Improved the django.contrib.auth password_reset() view not to require the Sites framework. Thanks, joshrl
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7748 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-26 04:09:29 +00:00
Jacob Kaplan-Moss 2b62e945b0 Fixed #3393: login view no longer assumes that set_test_cookie has been called. This is mildly backwards-incompatible, but in the "now it works the way it should have all along" sense. Thanks to James and lcordier for the patches.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7692 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-18 16:13:14 +00:00
Adrian Holovaty 55d6aebfec Fixed #5394 -- REDIRECT_FIELD_NAME is now configurable. Thanks, Petr Marhoun, DavidReynolds and effbot
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6206 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-14 19:25:37 +00:00
Adrian Holovaty 375c88d2bc Fixed #5227 -- Made the redirect security check in django.contrib.auth.views.login() tighter. Thanks, Sander Dijkhuis
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6004 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-08-25 18:34:28 +00:00
Adrian Holovaty b38375ee4c Fixed bug in [5885]
git-svn-id: http://code.djangoproject.com/svn/django/trunk@5886 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-08-14 22:26:34 +00:00
Adrian Holovaty 6aae9b2aa4 Changed django.contrib.auth.views.login to use RequestSite if the sites framework is not installed -- i.e., the sites framework is no longer required to use this view. See also [5654]
git-svn-id: http://code.djangoproject.com/svn/django/trunk@5885 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-08-14 22:08:11 +00:00
Malcolm Tredinnick 953badbea5 Merged Unicode branch into trunk (r4952:5608). This should be fully
backwards compatible for all practical purposes.

Fixed #2391, #2489, #2996, #3322, #3344, #3370, #3406, #3432, #3454, #3492, #3582, #3690, #3878, #3891, #3937, #4039, #4141, #4227, #4286, #4291, #4300, #4452, #4702


git-svn-id: http://code.djangoproject.com/svn/django/trunk@5609 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-07-04 12:11:04 +00:00
Malcolm Tredinnick 5dfe74f221 Fixed #3185 -- Made values for login, logout and post-login redirect URLs
configurable. This is a combined patch from Vasily Sulatskov, Marc Fargas and
Collin Grady.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@5072 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-04-25 08:49:57 +00:00
Malcolm Tredinnick 6c4757729b Revert [4485] in order to fix accidental mod_python breakage. Refs #2920.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@4486 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-02-11 23:50:35 +00:00
Russell Keith-Magee 0e924c70b1 Refs #2920 -- Replaced implicit uses of _() with explicit imports or calls to gettext(). At some point post 0.96, we need to remove the calls that put _ into the builtins.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@4485 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-02-11 06:20:52 +00:00
Adrian Holovaty 706fcec164 Copied django.forms to django.oldforms and changed all code to reference django.oldforms instead of django.forms. Updated docs/forms.txt to add 'Forwards-compatibility' section that says you should not be using django.oldforms for any new projects.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@4208 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-12-15 18:00:50 +00:00
Adrian Holovaty 2a0af00524 Fixed #2375 -- Changed password_reset auth view to make e-mail template name variable. Thanks, treborhudson@gmail.com
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3462 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-07-27 17:48:35 +00:00
Adrian Holovaty 564d556519 Fixed #2405 -- Fixed recursion error in auth.views.logout(), caused by [3402]. Thanks, Jay Skabber
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3431 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-07-23 23:14:36 +00:00
Jacob Kaplan-Moss 17d0bd1512 Fixed a bunch of spurious imports, typos, and other small errors turned up by a pass through PyFlakes. This covers about the first third of the errors.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3411 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-07-21 17:11:13 +00:00
Jacob Kaplan-Moss aab3a418ac Merged multi-auth branch to trunk. See the authentication docs for the ramifications of this change. Many, many thanks to Joseph Kocherhans for the hard work!
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3226 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-06-28 16:37:02 +00:00
Adrian Holovaty 29f55c8dbb Fixed #2106 -- Made collapse-block JavaScript translatable. Thanks, ramiro
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3114 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-06-08 05:04:10 +00:00
Adrian Holovaty 6dfea737f6 Made template names in django.contrib.auth.views passable as template_name argument to the view
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3087 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-06-06 05:16:05 +00:00
Adrian Holovaty f69cf70ed8 MERGED MAGIC-REMOVAL BRANCH TO TRUNK. This change is highly backwards-incompatible. Please read http://code.djangoproject.com/wiki/RemovingTheMagic for upgrade instructions.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@2809 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-05-02 01:31:56 +00:00