Commit Graph

321 Commits

Author SHA1 Message Date
Claude Paroz 187482d743
Avoided direct styles in admin templates.
Direct styles might be forbidden by Content Security Policies.
2020-11-10 21:32:15 +01:00
Hasan Ramezani 4eb756793b
Refs #28215 -- Marked auth credentials as sensitive variables.
Co-authored-by: Collin Anderson <collin@onetencommunications.com>
2020-10-28 14:21:53 +01:00
Mariusz Felisiak 3418092238
Fixed #32130 -- Fixed pre-Django 3.1 password reset tokens validation.
Thanks Gordon Wrigley for the report and implementation idea.

Regression in 226ebb1729.
2020-10-22 13:21:14 +02:00
Jacob Walls 0362b0e986 Fixed #26615 -- Made password reset token invalidate when changing email.
Co-Authored-By: Silas Barta <sbarta@gmail.com>
2020-10-21 09:29:53 +02:00
Hannes Ljungberg f7963615eb Fixed #32121 -- Fixed detecting uniqueness of USERNAME_FIELD when using Meta.constraints.
Co-authored-by: Simon Charette <charettes@users.noreply.github.com>
2020-10-20 07:23:51 +02:00
Alexander Todorov 5fab16392f
Fixed #32003 -- Added obj argument to has_perm() methods in tests. 2020-09-14 12:28:17 +02:00
Tom Carrick bcc2befd0e Fixed #31789 -- Added a new headers interface to HttpResponse. 2020-09-14 08:41:59 +02:00
Jon Dufresne 53c0d16ac1
Fixed #31992 -- Made admin password reset templates use title/content_title blocks from the base template. 2020-09-10 11:53:09 +02:00
Collin Anderson daa26acc4e Fixed #31978 -- Added username hint to admin's password reset confirmation form. 2020-09-03 09:25:21 +02:00
Yan Mitrofanov b88f98738f Fixed #31878 -- Made createsuperuser respect --database option in default usernames. 2020-08-14 11:08:20 +02:00
Yan Mitrofanov 552bb82928 Fixed typo in tests/auth_tests/test_management.py docstring. 2020-08-14 11:08:12 +02:00
Jacob Walls c7e7f176c1 Fixed #26977 -- Made abstract models raise TypeError when instantiating. 2020-08-05 06:37:04 +02:00
Mariusz Felisiak d907371ef9 Fixed #31842 -- Added DEFAULT_HASHING_ALGORITHM transitional setting.
It's a transitional setting helpful in migrating multiple instance of
the same project to Django 3.1+.

Thanks Markus Holtermann for the report and review, Florian
Apolloner for the implementation idea and review, and Carlton Gibson
for the review.
2020-08-04 09:35:24 +02:00
Jon Dufresne 5a3d7cf462
Used urllib.parse.urljoin() in auth_tests to join URLs.
As the strings represent URLs and not paths, should use urllib to
manipulate them.
2020-07-09 12:03:03 +02:00
Hasan Ramezani 7af8f41273 Refs #26445 -- Allowed using UserManager.create_user()/create_superuser() in migrations.
Used app config to lookup user model in _create_user().

Thanks Markus Holtermann for the review and initial patch.
Thanks Simon Charette for the implementation idea.
2020-07-06 11:47:22 +02:00
Frantisek Holop cc7c16af98 Fixed #31443 -- Fixed login redirection in auth mixins when LOGIN_URL is off-site URL. 2020-06-23 10:38:35 +02:00
Jon Moroney 136ec9b62b Refs #31358 -- Added decode() to password hashers.
By convention a hasher which does not use a salt should populate the
decode dict with `None` rather than omit the dict key.

Co-Authored-By: Florian Apolloner <apollo13@users.noreply.github.com>
2020-06-23 08:36:59 +02:00
Florian Apolloner 1621f06051 Fixed #30472 -- Made Argon2PasswordHasher use Argon2id. 2020-06-17 08:10:41 +02:00
Florian Apolloner ee49cf4f35 Added test for old Argon2i hashes with version attribute. 2020-06-17 08:10:41 +02:00
Simon Charette 94f63b926f Refs #31395 -- Relied on setUpTestData() test data isolation in various tests. 2020-05-15 20:22:56 +02:00
Jon Dufresne d522b51c40 Fixed #31575 -- Added system check for admin sidebar request context processor dependency.
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
2020-05-14 11:00:51 +02:00
François Freitag c8bebbd541
Disabled management commands output with verbosity 0 in various tests. 2020-05-13 09:12:43 +02:00
Mariusz Felisiak f2187a227f Increased the default PBKDF2 iterations for Django 3.2. 2020-05-13 09:07:51 +02:00
Jon Dufresne d6aff369ad Refs #30116 -- Simplified regex match group access with Match.__getitem__().
The method has been available since Python 3.6. The shorter syntax is
also marginally faster.
2020-05-11 12:01:28 +02:00
François Freitag a0df5dea33
Removed unnecessary inner methods in CreatesuperuserManagementCommandTestCase. 2020-05-01 20:51:44 +02:00
Mariusz Felisiak 54646a423b
Refs #27468 -- Made user sessions use SHA-256 algorithm. 2020-04-29 16:45:00 +02:00
François Freitag 9ef4a18dbe Changed django.forms.ValidationError imports to django.core.exceptions.ValidationError.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-04-28 10:49:00 +02:00
Jon Dufresne 505fec6bad Capitalized Unicode in docs, strings, and comments. 2020-04-20 12:10:33 +02:00
François Freitag c86201b6ed Disabled management commands output with verbosity 0 in various tests.
Instead of capturing the command output and discard it immediately,
tell the command not to log.
2020-04-20 09:09:26 +02:00
François Freitag 45e96b4d9d
Removed unnecessary capturing of stdout/stderr in auth_tests.test_management. 2020-04-20 09:08:43 +02:00
Hasan Ramezani 8aa71f4e87 Fixed #31375 -- Made contrib.auth.hashers.make_password() accept only bytes or strings. 2020-03-31 10:52:56 +02:00
Hasan Ramezani b3ab92cc5a Refs #31375 -- Added test for contrib.auth.hashers.make_password() bytes support. 2020-03-31 10:49:39 +02:00
Jon Dufresne 3857a08bdb Fixed #31361 -- Fixed invalid action="" in admin forms.
The attribute action="" (empty string) on the <form> element is invalid
HTML5. The spec (https://html.spec.whatwg.org/#attr-fs-action) says:

> The action and formaction content attributes, if specified, must have
> a value that is a valid non-empty URL potentially surrounded by
> spaces.

Emphasis on non-empty. The action attribute is allowed to be omitted, in
which case the current URL is used which is the same behavior as now.
2020-03-16 07:31:19 +01:00
Mariusz Felisiak 8725d04764
Fixed random auth_tests.test_tokens.TokenGeneratorTest.test_timeout failures.
Random failures depended on the current timestamp.

Thanks Matthijs Kooijman for the review.
2020-03-12 10:56:38 +01:00
Colton Hicks f283ffaa84 Fixed #28699 -- Fixed CSRF validation with remote user middleware.
Ensured process_view() always accesses the CSRF token from the session
or cookie, rather than the request, as rotate_token() may have been called
by an authentication middleware during the process_request() phase.
2020-02-26 17:25:20 +01:00
aryan fba5d3b6e6 Fixed #31289 -- Added hint for USERNAME_FIELD/REQUIRED_FIELDS system check. 2020-02-26 08:40:36 +01:00
Claude Paroz 4d973f5939 Refs #26601 -- Deprecated passing None as get_response arg to middleware classes.
This is the new contract since middleware refactoring in Django 1.10.

Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-02-18 20:03:44 +01:00
Claude Paroz da4923ea87 Refs #27468 -- Made PasswordResetTokenGenerator use SHA-256 algorithm. 2020-02-12 21:46:56 +01:00
Claude Paroz 27f67317da Removed unnecessary token regex in auth_tests URLs.
All URLs in django.contrib.auth use a "<uidb64>/<token>" pattern.
2020-02-12 10:45:53 +01:00
Hasan Ramezani fc4f45ebdc Used assertRaisesMessage() in various tests. 2020-02-07 12:46:23 +01:00
Hasan Ramezani 579f33eb79 Replaced assertWarns() with SimpleTestCase.assertWarnsMessage() in tests. 2020-01-30 11:19:50 +01:00
Jon Dufresne f791673537
Made token tests in auth_tests use assertIs() rather than assertTrue/False(). 2020-01-29 09:01:18 +01:00
Michael Mulholland 5a68a223c7 Fixed #31200 -- Added system checks for permissions codenames max length. 2020-01-23 12:22:59 +01:00
Matthijs Kooijman 2a2ea4ee18 Refs #31117 -- Made various tests properly handle unexpected databases aliases.
- Used selected "databases" instead of django.db.connections.
- Made routers in tests.migrations skip migrations on unexpected
  databases.
- Added DiscoverRunnerGetDatabasesTests.assertSkippedDatabases() hook
  which properly asserts messages about skipped databases.
2020-01-20 14:39:02 +01:00
Mariusz Felisiak 1960d55f8b
Refs #31040 -- Fixed crypt.crypt() call in test_hashers.py.
An empty string is invalid salt in Python 3 and raises exception since
Python 3.9, see https://bugs.python.org/issue38402.
2020-01-03 07:47:04 +01:00
Simon Charette 5b1fbcef7a Fixed CVE-2019-19844 -- Used verified user email for password reset requests.
Co-Authored-By: Florian Apolloner <florian@apolloner.eu>
2019-12-18 09:11:39 +01:00
Baptiste Mispelon 3df3c5e670 Fixed #26480 -- Fixed crash of contrib.auth.authenticate() on decorated authenticate() methods of authentication backends.
The Signature API (PEP 362) has better support for decorated functions
(by default, it follows the __wrapped__ attribute set by
functools.wraps for example).
2019-12-10 09:36:30 +01:00
Carlton Gibson 11c5e0609b Fixed CVE-2019-19118 -- Required edit permissions on parent model for editable inlines in admin.
Thank you to Shen Ying for reporting this issue.
2019-12-02 08:56:08 +01:00
Mariusz Felisiak e8fcdaad5c Fixed #31021 -- Fixed proxy model permissions data migration crash with a multiple databases setup.
Regression in 98296f86b3.
2019-11-29 08:23:01 +01:00
Jon Dufresne 7f0946298e Replaced encode() usage with bytes literals. 2019-11-18 15:31:42 +01:00