Tim Graham
d15985d81f
Fixed #21398 -- Fixed BCryptSHA256PasswordHasher with py-bcrypt and Python 3.
...
Thanks arjan at anymore.nl for the report.
2013-11-09 10:11:50 -05:00
Ramiro Morales
a9093dd376
Fixed #21387 -- Merge two very similar help texts.
2013-11-06 00:35:20 -03:00
Tim Graham
36ded01527
Fixed #21302 -- Fixed unused imports and import *.
2013-11-02 15:24:56 -04:00
Alex Gaynor
726ded5708
Started attacking the next flake8 violation
2013-10-31 08:42:28 -07:00
Alex Gaynor
9bf5610890
Start attacking E231 violations
2013-10-24 10:30:03 -07:00
Alasdair Nicol
c3aa2948c6
Fixed #21298 -- Fixed E301 pep8 warnings
2013-10-23 13:45:03 +01:00
Tim Graham
1597503a01
Fixed E221 pep8 warnings.
2013-10-22 09:51:39 -04:00
Loic Bistuer
e565e1332d
Fixed #21275 -- Fixed a serializer error when generating migrations for contrib.auth.
...
The migration serializer now looks for a deconstruct method on any object.
2013-10-21 14:54:52 -04:00
Florian Apolloner
7d0d0dbf26
Force update of the password on iteration count changes.
2013-10-21 20:31:28 +02:00
Alasdair Nicol
b289fcf1bf
Fixed #21288 -- Fixed E126 pep8 warnings
2013-10-21 08:31:30 -04:00
Claude Paroz
5f52590368
Fixed #21291 -- Ensured inactive users cannot reset their passwords
...
Thanks kz26 for the report and the suggested fix. Refs #19758.
2013-10-19 10:43:06 +02:00
Claude Paroz
59a8808632
Cleaned formatting/comments in PasswordResetFormTest
2013-10-19 10:43:06 +02:00
Tim Graham
ac4fec5ca2
Fixed bug causing CSRF token not to rotate on login.
...
Thanks Gavin McQuillan for the report.
2013-10-18 08:31:19 -04:00
Alasdair Nicol
a800036981
Fixed #21287 -- Fixed E123 pep8 warnings
2013-10-18 10:07:39 +01:00
Alasdair Nicol
bab9123daa
Fixed #21268 -- Fixed E303 pep8 warnings
2013-10-18 01:46:24 +01:00
Alasdair Nicol
dfb4cb9970
Fixed #21285 -- Fixed E121,E122 pep8 warnings
2013-10-17 20:20:11 -04:00
Bouke Haarsma
2fb5a51fa3
Fixed #18659 -- Deprecated request.REQUEST and MergeDict
...
Thanks Aymeric Augustin for the suggestion.
2013-10-17 09:42:28 -04:00
Tim Graham
91c77eeab8
Avoided hardcoding Permission.name max_length
...
refs #18866.
2013-10-16 11:31:07 -04:00
joaoxsouls
1ab27e9a65
Fixed #18866 -- added validation error for verbose_name longer than 39 characters
...
Added a validation error check when creating the permissions for model, to avoid
cryptic database error when the verbose_name is longer than 39 characters
thanks elena for reporting it
2013-10-14 14:19:35 +01:00
Claude Paroz
ef22d512b5
Imported custom user classes in tests depending on it
...
Without those imports, affected test files cannot be run
independently. Refs #21164.
2013-10-14 10:14:24 +02:00
Tim Graham
1dae4ac177
Whitespace cleanup.
...
* Removed trailing whitespace.
* Added newline to EOF if missing.
* Removed blank lines at EOF.
* Removed some stray tabs.
2013-10-10 16:49:20 -04:00
Tim Graham
adedc31072
Fixed "redefinition of unused 'foo' from line X" pyflakes warnings.
2013-10-10 11:09:42 -04:00
Russell Keith-Magee
ddb53856b6
Fixed #21164 -- Added documentation for issue with test users.
...
The package renaming restores the older package names (which were also the
documented package names). This doesn't affect test discovery because the
module in question doesn't contain any tests.
Thanks to Carl for the design discussion.
2013-10-08 10:32:56 +08:00
Tim Graham
1285ca67eb
Fixed #16919 -- Passed user to set_password_form in GET requests.
...
Thanks Jaime Irurzun for the report and initial patch and
ejucovy for the test.
2013-10-02 13:28:15 -04:00
Florian Apolloner
5d74853e15
Revert "Ensure that passwords are never long enough for a DoS."
...
This reverts commit aae5a96d57.
This fix is no longer necessary, our pbkdf2 (see next commit) implementation
no longer rehashes the password every iteration.
2013-09-24 21:01:21 +02:00
Michał Lech
53c7d66869
Marked PermissionsMixin.user_permissions help_text for translation
2013-09-24 07:36:24 -04:00
Aymeric Augustin
a5b062576b
Removed a few trailing backslashes.
...
We have always been at war with trailing backslashes.
2013-09-22 14:04:10 +02:00
Paul McMillan
a075e2ad0d
Increase default PBKDF2 iterations
...
Increases the default PBKDF2 iterations, since computers have gotten
faster since 2011. In the future, we plan to increment by 10% per
major version.
2013-09-19 18:02:25 +01:00
Tim Graham
18ffdb1772
Fixed #17627 -- Renamed util.py files to utils.py
...
Thanks PaulM for the suggestion and Luke Granger-Brown and
Wiktor Kołodziej for the initial patch.
2013-09-16 12:52:05 -04:00
Russell Keith-Magee
aae5a96d57
Ensure that passwords are never long enough for a DoS.
...
* Limit the password length to 4096 bytes
* Password hashers will raise a ValueError
* django.contrib.auth forms will fail validation
* Document in release notes that this is a backwards incompatible change
Thanks to Josh Wright for the report, and Donald Stufft for the patch.
This is a security fix; disclosure to follow shortly.
2013-09-15 13:42:23 +08:00
Gregor MacGregor
b2b763448f
Fixed #20841 -- Added messages to NotImplementedErrors
...
Thanks joseph at vertstudios.com for the suggestion.
2013-09-10 11:09:59 -04:00
Alex Gaynor
96fd5557f9
Removed a ton of unused local vars
2013-09-08 08:05:16 -07:00
Alex Gaynor
2530735d2d
Fixed a number of flake8 errors -- particularly around unused imports and local variables
2013-09-06 21:56:40 -07:00
Aymeric Augustin
6a6428a36f
Took advantage of django.utils.six.moves.urllib.*.
2013-09-05 14:39:23 -05:00
Aymeric Augustin
365c3e8b73
Replaced "not PY3" by "PY2", new in six 1.4.0.
2013-09-02 12:11:02 +02:00
Simon Charette
11cd7388f7
Fixed #20989 -- Removed useless explicit list comprehensions.
2013-08-30 10:57:51 -04:00
Tim Graham
c7d0ff0cad
Fixed #20989 -- Removed explicit list comprehension inside dict() and tuple()
...
Thanks jeroen.pulles at redslider.net for the suggestion and
helper script.
2013-08-29 12:11:03 -04:00
Tim Graham
cf8d6e9108
Fixed #20881 -- Removed contrib.auth.models.AbstractUser.get_absolute_url()
...
The definition is arbitrary and creates a broken "view on site"
link in the admin if a project doesn't define such a URL.
2013-08-29 06:36:35 -04:00
Michał Górny
b89c2a5d9e
Fixed #18171 -- Checked signature of authenticate() to avoid suppressing TypeErrors.
...
The current auth backend code catches TypeError to detect backends that
do not support specified arguments. As a result, any TypeErrors raised
within the actual backend code are silenced.
In Python 2.7+ and 3.2+ this can be avoided by using inspect.getcallargs().
With this method, we can test whether arguments match the signature without
actually calling the function.
Thanks David Eyk for the report.
2013-08-28 07:51:45 -04:00
Andrew Godwin
b6a957f0ba
Merge remote-tracking branch 'core/master' into schema-alteration
...
Conflicts:
docs/ref/django-admin.txt
2013-08-19 18:30:48 +01:00
Claude Paroz
165f44aaaa
Combine consecutive with statements
...
Python 2.7 allows combining several 'with' instructions.
2013-08-16 20:12:10 +02:00
SusanTan
71c491972e
Fixed #11400 -- Passed kwargs from AbstractUser.email_user() to send_mail()
...
Thanks Jug_ for suggestion, john_scott for the initial patch,
and Tim Graham for code review.
2013-08-14 07:46:11 -04:00
Jacob Kaplan-Moss
ae3535169a
Fixed is_safe_url() to reject URLs that use a scheme other than HTTP/S.
...
This is a security fix; disclosure to follow shortly.
2013-08-13 11:06:22 -05:00
ersran9
00d23a13eb
Fixed #20828 -- Allowed @permission_required to take a list of permissions
...
Thanks Giggaflop for the suggestion.
2013-08-10 10:10:18 -04:00
Tim Graham
453915bb12
SQLite test fix -- refs #9057
2013-08-09 10:57:25 -04:00
Andrew Godwin
588b523233
Merge remote-tracking branch 'core/master' into schema-alteration
...
Conflicts:
django/db/models/options.py
2013-08-09 14:37:37 +01:00
Tim Graham
ddae74b64c
Fixed #9057 -- Added default_permissions model meta option.
...
Thanks hvendelbo for the suggestion and koenb for the draft patch.
2013-08-09 09:19:52 -04:00
Andrew Godwin
de64c4d6e9
Merge remote-tracking branch 'core/master' into schema-alteration
...
Conflicts:
django/core/management/commands/flush.py
django/core/management/commands/syncdb.py
django/db/models/loading.py
docs/internals/deprecation.txt
docs/ref/django-admin.txt
docs/releases/1.7.txt
2013-08-09 14:17:30 +01:00
Justin Michalicek
6d88d47be6
Fixed #20832 -- Enabled HTML password reset email
...
Added optional html_email_template_name parameter to password_reset view
and PasswordResetForm.
2013-08-05 09:47:28 -04:00
Alex Gaynor
3e0eb2d788
Fixed a number of lint warnings, particularly around unused variables.
2013-08-04 09:17:10 -07:00
Curtis Maloney
07876cf02b
Deprecated SortedDict (replaced with collections.OrderedDict)
...
Thanks Loic Bistuer for the review.
2013-08-04 07:09:39 -04:00
Tim Graham
425d076d0c
Fixed #18923 -- Corrected usage of sensitive_post_parameters in contrib.auth
...
Thanks Collin Anderson for the report.
2013-08-02 14:46:17 -04:00
Tim Graham
a1889397a9
Fixed #12103 -- Added AuthenticationForm.confirm_login_allowed to allow customizing the logic policy.
...
Thanks ejucovy and lasko for work on the patch.
2013-07-31 13:54:05 -04:00
Aymeric Augustin
5b47a9c5a0
Fixed a test that could fail depending on PASSWORD_HASHERS.
...
Thanks Claude. Refs #20760.
2013-07-30 16:14:53 +02:00
Andrew Godwin
12e9804d16
Rename allow_syncdb to allow_migrate
2013-07-30 12:08:59 +01:00
Andrew Godwin
68e0a169c4
Rename pre_ and post_syncdb to *_migrate, with aliases from old names
2013-07-30 11:52:52 +01:00
Claude Paroz
fdd7a355bf
Deprecated django.utils.importlib
...
This was a shim for pre-Python 2.7 support.
2013-07-29 17:10:22 +02:00
Serge G. Spaolonzi
e07e4030b9
Fixed #18511 -- Cleaned up admin password reset template titles.
2013-07-27 14:23:04 -04:00
Aymeric Augustin
5dbca13f3b
Fixed #20760 -- Reduced timing variation in ModelBackend.
...
Thanks jpaglier and erikr.
2013-07-23 15:43:12 +02:00
Kirill Fomichev
33242fe015
Fixed #19019 -- Fixed UserAdmin to log password change.
...
Thanks Tuttle for the report.
2013-07-23 08:33:07 -04:00
Loic Bistuer
3a00229189
Cleaned up UserAdmin.get_form() that worked around a bug fixed in 23e1b59.
...
Refs #18681.
2013-07-18 23:59:45 +07:00
Tim Graham
f407f75aae
Fixed #20673 -- Clarified that HttpRequest.user uses AUTH_USER_MODEL.
...
Thanks littlepig for the report.
2013-07-04 09:32:32 -04:00
Simon Charette
8759778185
Fixed #20675 -- `check_password` should work when no password is specified.
...
The regression was introduced by 2c4fe761a. refs #20593.
2013-07-03 14:09:58 -04:00
Aymeric Augustin
cfcf4b3605
Stopped using django.utils.unittest in the test suite.
...
Refs #20680.
2013-07-01 14:29:33 +02:00
Ramiro Morales
d51b7794bf
Removed django.contrib.auth.views.password_reset_confirm_uidb36() view to finish its accelerated deprecation schedule.
2013-06-29 12:22:15 -03:00
Claude Paroz
6118d6d1c9
More import removals
...
Following the series of commits removing deprecated features in
Django 1.7, here are some more unneeded imports removed and other
minor cleanups.
2013-06-29 11:58:36 +02:00
Aymeric Augustin
c8756e17fb
Removed obsolete comment. Refs #20079.
...
Thanks Gavin Wahl.
2013-06-29 11:42:34 +02:00
Ramiro Morales
c196564132
Removed custom profile model functionality as per deprecation TL.
2013-06-28 21:48:16 -03:00
Ramiro Morales
f02a703ca6
Removed AuthenticationForm.check_for_test_cookie() as per deprecation TL.
2013-06-28 21:48:15 -03:00
Andrew Godwin
f325f86971
Fixed #20244: PermissionsMixin now defines a related_query_name for M2Ms
2013-06-27 15:44:22 +01:00
Anton Baklanov
cab333cb16
Fixed #20541 -- don't raise db signals twice when creating superuser
2013-06-27 05:58:01 -04:00
Tim Graham
1184d07789
Fixed #14881 -- Modified password reset to work with a non-integer UserModel.pk.
...
uid is now base64 encoded in password reset URLs/views. A backwards compatible
password_reset_confirm view/URL will allow password reset links generated before
this change to continue to work. This view will be removed in Django 1.7.
Thanks jonash for the initial patch and claudep for the review.
2013-06-26 13:11:47 -04:00
Simon Charette
b91787910c
Fixed #20642 -- Deprecated `Option.get_(add|change|delete)_permission`.
...
Those methods were only used by `contrib.admin` internally and exclusively
related to `contrib.auth`. Since they were undocumented but used
in the wild the raised deprecation warning points to an also undocumented
alternative that lives in `contrib.auth`.
Also did some PEP8 and other cleanups in the affected modules.
2013-06-25 12:22:37 -04:00
Loic Bistuer
7462a78c1b
Fixed #20288 -- Fixed inconsistency in the naming of the popup GET parameter.
...
Thanks to Keryn Knight for the initial report and reviews,
and to tomask for the original patch.
2013-06-19 22:16:16 +02:00
Aymeric Augustin
ffcf24c9ce
Removed several unused imports.
2013-06-19 17:18:40 +02:00
Erik Romijn
aeb1389442
Fixed #20079 -- Improve security of password reset tokens
2013-06-18 20:02:00 +02:00
Erik Romijn
2c4fe761a0
Fixed #20593 -- Allow blank passwords in check_password() and set_password()
2013-06-18 13:32:54 -04:00
Loic Bistuer
ee77d4b253
Fixed #20199 -- Allow ModelForm fields to override error_messages from model fields
2013-06-18 08:01:17 -04:00
Claude Paroz
beb652e069
Worked around Python 3.3 modified exception repr
...
Refs #20599.
2013-06-15 11:14:59 +02:00
Jaap Roes
990f8d92dc
Fixed #20599 -- Changed wording of ValueError raised by _load_library
...
The _load_library method on BasePasswordHasher turns ImportErrors
into ValueErrors, this masks ImportErrors in the algorithm library.
Changed it to a clearer worded error message that includes
the ImportError string.
2013-06-15 10:50:55 +02:00
Aymeric Augustin
c6e6d4eeb7
Defined available_apps in relevant tests.
...
Fixed #20483.
2013-06-10 11:30:01 +02:00
Aymeric Augustin
4daf570b98
Added TransactionTestCase.available_apps.
...
This can be used to make Django's test suite significantly faster by
reducing the number of models for which content types and permissions
must be created and tables must be flushed in each non-transactional
test.
It's documented for Django contributors and committers but it's branded
as a private API to preserve our freedom to change it in the future.
Most of the credit goes to Anssi. He got the idea and did the research.
Fixed #20483.
2013-06-10 11:24:10 +02:00
Chris Streeter
69373f3420
Fixed #19925 - Added validation for REQUIRED_FIELDS being a list
...
Thanks Roman Alexander for the suggestion.
2013-06-07 19:58:41 -04:00
Gavin Wahl
4f4e9243e4
Fixed #20532 -- Reverse auth views by name, not by path.
...
Auth views should be reversed by name, not their locations in
`django.contrib.auth.views`. This allows substituting your own
implementations of the auth views.
2013-06-03 13:30:40 -04:00
Gavin Wahl
01ae881bb4
Don't hard-code class names when calling static methods
...
normalize_email should be called on the instance, not the class. This
has the same effect normally but is more helpful to subclassers. When
methods are called directly on the class, subclasses can't override
them.
2013-05-29 16:11:26 -06:00
Ramiro Morales
0fa8d43e74
Replaced `and...or...` constructs with PEP 308 conditional expressions.
2013-05-26 23:47:50 -03:00
Preston Holmes
d228c1192e
Fixed #19866 -- Added security logger and return 400 for SuspiciousOperation.
...
SuspiciousOperations have been differentiated into subclasses, and
are now logged to a 'django.security.*' logger. SuspiciousOperations
that reach django.core.handlers.base.BaseHandler will now return a 400
instead of a 500.
Thanks to tiwoc for the report, and Carl Meyer and Donald Stufft
for review.
2013-05-25 16:27:34 -07:00
Andrew Godwin
1514f17aa6
Rotate CSRF token on login
2013-05-24 22:15:08 +01:00
Baptiste Mispelon
3cb1e9b93c
Fix test failure introduced by 980ae2ab29.
2013-05-19 16:51:36 +02:00
Baptiste Mispelon
980ae2ab29
Fix #20447: URL names given to contrib.auth.views are now resolved.
...
This commit also adds tests for the redirect feature of most auth views.
It also cleans up the tests, most notably using @override_settings instead
of ad-hoc setUp/tearDown methods.
Thanks to caumons for the report.
Conflicts:
docs/releases/1.6.txt
2013-05-19 14:36:38 +02:00
Peter Inglesby
cafcc22b01
Typo in comment
2013-05-19 09:28:36 +02:00
Claude Paroz
710c59bf9b
Slightly reworked imports in contrib.auth.__init__
2013-05-18 16:01:47 +02:00
Jorge Bastida
dc43fbc2f2
Fixed #18998 - Prevented session crash when auth backend removed
...
Removing a backend configured in AUTHENTICATION_BACKENDS should not
raise an exception for existing sessions, but should make already
logged-in users disconnect.
Thanks Bradley Ayers for the report.
2013-05-18 15:58:29 +02:00
Jacob Burch
340115200f
Fixed #20432 -- Test failure in admin_views.
...
The failure was triggered by a cache leak.
2013-05-18 13:13:33 +02:00
Mark Huang
0732c8e8c6
Fixed #20357 -- Allow empty username field label in `AuthentificationForm`.
2013-05-16 11:41:52 -04:00
Donald Stufft
8f0a4665d6
Recommend using the bcrypt library instead of py-bcrypt
...
* py-bcrypt has not been updated in some time
* py-bcrypt does not support Python3
* py3k-bcrypt, a port of py-bcrypt to python3 is not compatible
with Django
* bcrypt is supported on all versions of Python that Django
supports
2013-05-13 23:49:00 -04:00
Donald Stufft
3070e8f711
Properly force bytes or str for bcrypt on Python3
2013-05-11 11:16:06 -04:00
Carl Meyer
9012833af8
Fixed #17365, #17366, #18727 -- Switched to discovery test runner.
...
Thanks to Preston Timmons for the bulk of the work on the patch, especially
updating Django's own test suite to comply with the requirements of the new
runner. Thanks also to Jannis Leidel and Mahdi Yusuf for earlier work on the
patch and the discovery runner.
Refs #11077, #17032, and #18670.
2013-05-10 23:08:45 -04:00
Luke Plant
f026a519ae
Fixed #19733 - deprecated ModelForms without 'fields' or 'exclude', and added '__all__' shortcut
...
This also updates all dependent functionality, including modelform_factory
and modelformset_factory, and the generic views `ModelFormMixin`,
`CreateView` and `UpdateView` which gain a new `fields` attribute.
2013-05-09 16:44:36 +01:00
Claude Paroz
9f7a01ef2b
Updated translation templates and removed en translations
...
"en" translations have been mistakenly committed in 87cc3da81.
2013-05-02 16:25:23 +02:00