p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
31,138 Commits 25 Branches 361 Tags 501 MiB
Commit Graph

375 Commits

Author SHA1 Message Date
Florian Apolloner c76d51b3ad Refs #31358 -- Fixed decoding salt in Argon2PasswordHasher. 
Argon2 encodes the salt as base64 for representation in the final hash
output. To be able to accurately return the used salt from decode(),
add padding, b64decode, and decode from latin1 (for the remote
possibility that someone supplied a custom hash consisting solely of
bytes -- this would require a manual construction of the hash though,
Django's interface does not allow for that).
 2020-12-28 11:02:08 +01:00
Timo Ludwig d8dfff2ab0 Fixed #32235 -- Made ReadOnlyPasswordHashField disabled by default. 2020-12-03 09:32:08 +01:00
Mariusz Felisiak 3828427f63 Refs #31978 -- Fixed hint in admin's password reset confirmation form for custom username fields. 
Thanks Jaap Roes for the report.
 2020-11-30 06:34:22 +01:00
Mariusz Felisiak 58740c0d7f Refs #22909 -- Removed camelCasing in auth_tests.test_templates tests. 2020-11-30 06:34:22 +01:00
Claude Paroz 187482d743
Avoided direct styles in admin templates. 
Direct styles might be forbidden by Content Security Policies.
 2020-11-10 21:32:15 +01:00
Hasan Ramezani 4eb756793b
Refs #28215 -- Marked auth credentials as sensitive variables. 
Co-authored-by: Collin Anderson <collin@onetencommunications.com>
 2020-10-28 14:21:53 +01:00
Mariusz Felisiak 3418092238
Fixed #32130 -- Fixed pre-Django 3.1 password reset tokens validation. 
Thanks Gordon Wrigley for the report and implementation idea.

Regression in 226ebb1729.
 2020-10-22 13:21:14 +02:00
Jacob Walls 0362b0e986 Fixed #26615 -- Made password reset token invalidate when changing email. 
Co-Authored-By: Silas Barta <sbarta@gmail.com>
 2020-10-21 09:29:53 +02:00
Hannes Ljungberg f7963615eb Fixed #32121 -- Fixed detecting uniqueness of USERNAME_FIELD when using Meta.constraints. 
Co-authored-by: Simon Charette <charettes@users.noreply.github.com>
 2020-10-20 07:23:51 +02:00
Alexander Todorov 5fab16392f
Fixed #32003 -- Added obj argument to has_perm() methods in tests. 2020-09-14 12:28:17 +02:00
Tom Carrick bcc2befd0e Fixed #31789 -- Added a new headers interface to HttpResponse. 2020-09-14 08:41:59 +02:00
Jon Dufresne 53c0d16ac1
Fixed #31992 -- Made admin password reset templates use title/content_title blocks from the base template. 2020-09-10 11:53:09 +02:00
Collin Anderson daa26acc4e Fixed #31978 -- Added username hint to admin's password reset confirmation form. 2020-09-03 09:25:21 +02:00
Yan Mitrofanov b88f98738f Fixed #31878 -- Made createsuperuser respect --database option in default usernames. 2020-08-14 11:08:20 +02:00
Yan Mitrofanov 552bb82928 Fixed typo in tests/auth_tests/test_management.py docstring. 2020-08-14 11:08:12 +02:00
Jacob Walls c7e7f176c1 Fixed #26977 -- Made abstract models raise TypeError when instantiating. 2020-08-05 06:37:04 +02:00
Mariusz Felisiak d907371ef9 Fixed #31842 -- Added DEFAULT_HASHING_ALGORITHM transitional setting. 
It's a transitional setting helpful in migrating multiple instance of
the same project to Django 3.1+.

Thanks Markus Holtermann for the report and review, Florian
Apolloner for the implementation idea and review, and Carlton Gibson
for the review.
 2020-08-04 09:35:24 +02:00
Jon Dufresne 5a3d7cf462
Used urllib.parse.urljoin() in auth_tests to join URLs. 
As the strings represent URLs and not paths, should use urllib to
manipulate them.
 2020-07-09 12:03:03 +02:00
Hasan Ramezani 7af8f41273 Refs #26445 -- Allowed using UserManager.create_user()/create_superuser() in migrations. 
Used app config to lookup user model in _create_user().

Thanks Markus Holtermann for the review and initial patch.
Thanks Simon Charette for the implementation idea.
 2020-07-06 11:47:22 +02:00
Frantisek Holop cc7c16af98 Fixed #31443 -- Fixed login redirection in auth mixins when LOGIN_URL is off-site URL. 2020-06-23 10:38:35 +02:00
Jon Moroney 136ec9b62b Refs #31358 -- Added decode() to password hashers. 
By convention a hasher which does not use a salt should populate the
decode dict with `None` rather than omit the dict key.

Co-Authored-By: Florian Apolloner <apollo13@users.noreply.github.com>
 2020-06-23 08:36:59 +02:00
Florian Apolloner 1621f06051 Fixed #30472 -- Made Argon2PasswordHasher use Argon2id. 2020-06-17 08:10:41 +02:00
Florian Apolloner ee49cf4f35 Added test for old Argon2i hashes with version attribute. 2020-06-17 08:10:41 +02:00
Simon Charette 94f63b926f Refs #31395 -- Relied on setUpTestData() test data isolation in various tests. 2020-05-15 20:22:56 +02:00
Jon Dufresne d522b51c40 Fixed #31575 -- Added system check for admin sidebar request context processor dependency. 
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
 2020-05-14 11:00:51 +02:00
François Freitag c8bebbd541
Disabled management commands output with verbosity 0 in various tests. 2020-05-13 09:12:43 +02:00
Mariusz Felisiak f2187a227f Increased the default PBKDF2 iterations for Django 3.2. 2020-05-13 09:07:51 +02:00
Jon Dufresne d6aff369ad Refs #30116 -- Simplified regex match group access with Match.__getitem__(). 
The method has been available since Python 3.6. The shorter syntax is
also marginally faster.
 2020-05-11 12:01:28 +02:00
François Freitag a0df5dea33
Removed unnecessary inner methods in CreatesuperuserManagementCommandTestCase. 2020-05-01 20:51:44 +02:00
Mariusz Felisiak 54646a423b
Refs #27468 -- Made user sessions use SHA-256 algorithm. 2020-04-29 16:45:00 +02:00
François Freitag 9ef4a18dbe Changed django.forms.ValidationError imports to django.core.exceptions.ValidationError. 
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
 2020-04-28 10:49:00 +02:00
Jon Dufresne 505fec6bad Capitalized Unicode in docs, strings, and comments. 2020-04-20 12:10:33 +02:00
François Freitag c86201b6ed Disabled management commands output with verbosity 0 in various tests. 
Instead of capturing the command output and discard it immediately,
tell the command not to log.
 2020-04-20 09:09:26 +02:00
François Freitag 45e96b4d9d
Removed unnecessary capturing of stdout/stderr in auth_tests.test_management. 2020-04-20 09:08:43 +02:00
Hasan Ramezani 8aa71f4e87 Fixed #31375 -- Made contrib.auth.hashers.make_password() accept only bytes or strings. 2020-03-31 10:52:56 +02:00
Hasan Ramezani b3ab92cc5a Refs #31375 -- Added test for contrib.auth.hashers.make_password() bytes support. 2020-03-31 10:49:39 +02:00
Jon Dufresne 3857a08bdb Fixed #31361 -- Fixed invalid action="" in admin forms. 
The attribute action="" (empty string) on the <form> element is invalid
HTML5. The spec (https://html.spec.whatwg.org/#attr-fs-action) says:

> The action and formaction content attributes, if specified, must have
> a value that is a valid non-empty URL potentially surrounded by
> spaces.

Emphasis on non-empty. The action attribute is allowed to be omitted, in
which case the current URL is used which is the same behavior as now.
 2020-03-16 07:31:19 +01:00
Mariusz Felisiak 8725d04764
Fixed random auth_tests.test_tokens.TokenGeneratorTest.test_timeout failures. 
Random failures depended on the current timestamp.

Thanks Matthijs Kooijman for the review.
 2020-03-12 10:56:38 +01:00
Colton Hicks f283ffaa84 Fixed #28699 -- Fixed CSRF validation with remote user middleware. 
Ensured process_view() always accesses the CSRF token from the session
or cookie, rather than the request, as rotate_token() may have been called
by an authentication middleware during the process_request() phase.
 2020-02-26 17:25:20 +01:00
aryan fba5d3b6e6 Fixed #31289 -- Added hint for USERNAME_FIELD/REQUIRED_FIELDS system check. 2020-02-26 08:40:36 +01:00
Claude Paroz 4d973f5939 Refs #26601 -- Deprecated passing None as get_response arg to middleware classes. 
This is the new contract since middleware refactoring in Django 1.10.

Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
 2020-02-18 20:03:44 +01:00
Claude Paroz da4923ea87 Refs #27468 -- Made PasswordResetTokenGenerator use SHA-256 algorithm. 2020-02-12 21:46:56 +01:00
Claude Paroz 27f67317da Removed unnecessary token regex in auth_tests URLs. 
All URLs in django.contrib.auth use a "<uidb64>/<token>" pattern.
 2020-02-12 10:45:53 +01:00
Hasan Ramezani fc4f45ebdc Used assertRaisesMessage() in various tests. 2020-02-07 12:46:23 +01:00
Hasan Ramezani 579f33eb79 Replaced assertWarns() with SimpleTestCase.assertWarnsMessage() in tests. 2020-01-30 11:19:50 +01:00
Jon Dufresne f791673537
Made token tests in auth_tests use assertIs() rather than assertTrue/False(). 2020-01-29 09:01:18 +01:00
Michael Mulholland 5a68a223c7 Fixed #31200 -- Added system checks for permissions codenames max length. 2020-01-23 12:22:59 +01:00
Matthijs Kooijman 2a2ea4ee18 Refs #31117 -- Made various tests properly handle unexpected databases aliases. 
- Used selected "databases" instead of django.db.connections.
- Made routers in tests.migrations skip migrations on unexpected
  databases.
- Added DiscoverRunnerGetDatabasesTests.assertSkippedDatabases() hook
  which properly asserts messages about skipped databases.
 2020-01-20 14:39:02 +01:00
Mariusz Felisiak 1960d55f8b
Refs #31040 -- Fixed crypt.crypt() call in test_hashers.py. 
An empty string is invalid salt in Python 3 and raises exception since
Python 3.9, see https://bugs.python.org/issue38402.
 2020-01-03 07:47:04 +01:00
Simon Charette 5b1fbcef7a Fixed CVE-2019-19844 -- Used verified user email for password reset requests. 
Co-Authored-By: Florian Apolloner <florian@apolloner.eu>
 2019-12-18 09:11:39 +01:00
Baptiste Mispelon 3df3c5e670 Fixed #26480 -- Fixed crash of contrib.auth.authenticate() on decorated authenticate() methods of authentication backends. 
The Signature API (PEP 362) has better support for decorated functions
(by default, it follows the __wrapped__ attribute set by
functools.wraps for example).
 2019-12-10 09:36:30 +01:00
Carlton Gibson 11c5e0609b Fixed CVE-2019-19118 -- Required edit permissions on parent model for editable inlines in admin. 
Thank you to Shen Ying for reporting this issue.
 2019-12-02 08:56:08 +01:00
Mariusz Felisiak e8fcdaad5c Fixed #31021 -- Fixed proxy model permissions data migration crash with a multiple databases setup. 
Regression in 98296f86b3.
 2019-11-29 08:23:01 +01:00
Jon Dufresne 7f0946298e Replaced encode() usage with bytes literals. 2019-11-18 15:31:42 +01:00
Mariusz Felisiak ca0d50f34a Fixed random auth_tests.test_tokens.TokenGeneratorTest.test_10265 failures. 
Random failures depended on the current timestamp.
 2019-11-13 14:22:23 +01:00
Mariusz Felisiak 3b4b36fb1d Moved MockedPasswordResetTokenGenerator outside of TokenGeneratorTest.test_timeout(). 2019-11-13 14:22:23 +01:00
Sergey Fedoseev d4e767911f Added tests for middlewares' checks. 2019-10-23 08:18:02 +02:00
Hasan Ramezani 226ebb1729 Fixed #28622 -- Allowed specifying password reset link expiration in seconds and deprecated PASSWORD_RESET_TIMEOUT_DAYS. 2019-09-20 13:52:04 +02:00
Sam Reynolds 6c9778a58e Fixed #30776 -- Restored max length validation on AuthenticationForm.UsernameField. 
Regression in 5ceaf14686.

Thanks gopackgo90 for the report and Mariusz Felisiak for tests.
 2019-09-18 11:37:38 +02:00
Carlton Gibson b5db65c4fb Increased the default PBKDF2 iterations for Django 3.1. 2019-09-12 17:24:01 +02:00
Mariusz Felisiak d17be88afd Refs #30037 -- Required the RemoteUserBackend.configure_user() to have request as the first positional argument. 
Per deprecation timeline.
 2019-09-10 12:01:00 +02:00
Berker Peksag 400ec5125e Fixed #18763 -- Added ModelBackend/UserManager.with_perm() methods. 
Co-authored-by: Nick Pope <nick.pope@flightdataservices.com>
 2019-08-29 19:32:12 +02:00
daniel a rios b5a5c92c72 Fixed #30066 -- Enabled super user creation without email and password 2019-08-29 12:49:16 +02:00
Carlton Gibson 57b9604451 Converted auth test to use subTest(). 2019-08-29 12:49:16 +02:00
Hasan Ramezani 03dbdfd9bb Fixed #29019 -- Added ManyToManyField support to REQUIRED_FIELDS. 2019-08-26 14:48:40 +02:00
Hasan Ramezani a5308514fb Fixed #27801 -- Made createsuperuser fall back to environment variables for password and required fields. 2019-07-02 12:55:09 +02:00
Jon Dufresne 42b9a23267 Fixed #30400 -- Improved typography of user facing strings. 
Thanks Claude Paroz for assistance with translations.
 2019-06-28 16:46:18 +02:00
Sanyam Khurana 87f5d07eed Fixed #12952 -- Adjusted admin log change messages to use form labels instead of field names. 2019-06-14 18:20:29 +02:00
Aymeric Augustin 3ee0834a46 Fixed #30556 -- Avoided useless query and hasher call in ModelBackend.authenticate() when credentials aren't provided. 
There's no need to fetch a user instance from the database unless
a username and a password are provided as credentials.
 2019-06-10 11:12:31 +02:00
Hasan Ramezani dcb8f00d06 Fixed #29379 -- Added autocomplete attribute to contrib.auth.forms fields. 
Thank you to Nick Pope for review.

Co-authored-by: CHI Cheng <cloudream@gmail.com>
 2019-06-07 12:44:39 +02:00
Tobias Bengfort 581a0f4545 Refs #30226 -- Added User.get_user_permissions() method. 
Added to mirror the existing User.get_group_permissions().
 2019-06-05 13:56:37 +02:00
Tobias Bengfort 75337a6050 Fixed #30226 -- Added BaseBackend for authentication. 2019-06-05 13:39:46 +02:00
Mattia Procopio aff61790a3 Refs #24944 -- Added test for overriding domain in email context in PasswordResetView. 2019-05-27 11:50:30 +02:00
Rob 58df8aa40f Fixed #28780 -- Allowed specyfing a token parameter displayed in password reset URLs. 
Co-authored-by: Tim Givois <tim.givois.mendez@gmail.com>
 2019-05-24 08:40:25 +02:00
Ally Weir bd228cb599 Fixed mis-capitalisation in comment. 2019-05-15 12:14:59 +02:00
Carlton Gibson 98296f86b3
Fixed #30351 -- Handled pre-existing permissions in proxy model permissions data migration. 
Regression in 181fb60159.
 2019-04-27 20:18:22 +02:00
Jon Dufresne 8d76443aba Fixed #30399 -- Changed django.utils.html.escape()/urlize() to use html.escape()/unescape(). 2019-04-25 15:09:07 +02:00
Markus Holtermann da0b2554ec Renamed camelCaseTestMethods to snake_case_test_methods 2019-04-14 16:14:14 +02:00
pmisteli 9410db9683 Fixed #30236 -- Made UsernameField render with autocapitalize="none" HTML attribute. 
This prevents automatic capitalization, which is the default behavior in
some browsers.
 2019-03-29 15:24:44 +01:00
Ryan J Schave cbf7e71558 Fixed #30257 -- Made UsernameValidators prohibit trailing newlines. 2019-03-22 13:16:25 -04:00
Jon Dufresne 95b7699ffc Cleaned up exception message checking in some tests. 2019-03-15 19:27:57 -04:00
Claude Paroz a8e2a9bac6 Refs #15902 -- Deprecated storing user's language in the session. 2019-02-14 10:23:02 -05:00
Tim Graham 06670015f7 Increased the default PBKDF2 iterations for Django 3.0. 2019-01-17 11:15:27 -05:00
Arthur Rio 181fb60159 Fixed #11154, #22270 -- Made proxy model permissions use correct content type. 
Co-Authored-By: Simon Charette <charette.s@gmail.com>
Co-Authored-By: Antoine Catton <acatton@fusionbox.com>
 2019-01-16 10:07:28 -05:00
Simon Charette 8c775391b7 Refs #28478 -- Deprecated TestCase's allow_database_queries and multi_db in favor of databases. 2019-01-10 19:11:21 -05:00
Joshua Cannon db1b10ef0d Fixed #30037 -- Added request arg to RemoteUserBackend.configure_user(). 2019-01-09 20:01:04 -05:00
Tim Graham 043bd70942 Updated test URL patterns to use path() and re_path(). 2018-12-31 10:47:32 -05:00
Tim Graham 194a4b526c Added tests for ContentType/Group/Permission.__str__(). 2018-12-21 12:45:02 -05:00
Simon Charette 0f212db29d Made reused RequestFactory instances class attributes. 2018-11-27 09:49:02 -05:00
Simon Charette 84e7a9f4a7 Switched setUp() to setUpTestData() where possible in Django's tests. 2018-11-27 09:35:17 -05:00
Tim Graham 193c109327 Switched TestCase to SimpleTestCase where possible in Django's tests. 2018-11-27 08:58:44 -05:00
Mathew Payne 26bb2611a5 Fixed #29952 -- Lowercased all passwords in contrib.auth's auth/common-passwords.txt.gz. 2018-11-15 14:11:03 -05:00
Jon Dufresne c82893cb8c Refs #27795 -- Removed force_bytes() usage from django/utils/http.py. 
django.utils.http.urlsafe_base64_encode() now returns a string, not a
bytestring. Since URLs are represented as strings,
urlsafe_base64_encode() should return a string. All uses immediately
decoded the bytestring to a string anyway.

As the inverse operation, urlsafe_base64_decode() accepts a string.
 2018-10-10 14:38:22 -04:00
Tim Graham a7284cc0c3 Fixed #29809 -- Fixed a crash when a "view only" user POSTs to the admin user change form. 2018-10-01 10:09:50 +02:00
Carlton Gibson bf39978a53 Fixed CVE-2018-16984 -- Fixed password hash disclosure to admin "view only" users. 
Thanks Claude Paroz & Tim Graham for collaborating on the patch.
 2018-10-01 10:05:01 +02:00
Ramon Saraiva 2349cbd909 Fixed #29782 -- Added better error message when filtering queryset with AnonymousUser. 2018-09-26 15:36:19 -04:00
Jon Dufresne 82f286cf6f Refs #29784 -- Switched to https:// links where available. 2018-09-26 08:48:47 +02:00
Alexey 8624459586 Added a test for password_changed() with a custom validator. 2018-09-25 11:58:05 -04:00
Josh Schneier 3daac76cfb Simplified how createsuperuser tests generate passwords. 2018-08-18 16:26:13 -04:00
Alexander Todorov 53ebd4cb13 Fixed #29686 -- Made UserAdmin.user_change_password() pass user to has_change_permission(). 2018-08-17 17:43:00 -04:00