Removed Django 1.2 compatibility fallback for password reset hash

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15950 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30 17:34:38 +00:00 · 2011-03-30 17:34:38 +00:00 · 25aaa359a2
parent 8823021625
commit 25aaa359a2
2 changed files with 1 additions and 36 deletions
--- a/django/contrib/auth/tests/tokens.py
+++ b/django/contrib/auth/tests/tokens.py
@ -51,28 +51,6 @@ class TokenGeneratorTest(TestCase):
        p2 = Mocked(date.today() + timedelta(settings.PASSWORD_RESET_TIMEOUT_DAYS + 1))
        self.assertFalse(p2.check_token(user, tk1))

-    def test_django12_hash(self):
-        """
-        Ensure we can use the hashes generated by Django 1.2
-        """
-        # Hard code in the Django 1.2 algorithm (not the result, as it is time
-        # dependent)
-        def _make_token(user):
-            import hashlib
-            from django.utils.http import int_to_base36
-
-            timestamp = (date.today() - date(2001,1,1)).days
-            ts_b36 = int_to_base36(timestamp)
-            hash = hashlib.sha1(settings.SECRET_KEY + unicode(user.id) +
-                               user.password + user.last_login.strftime('%Y-%m-%d %H:%M:%S') +
-                               unicode(timestamp)).hexdigest()[::2]
-            return "%s-%s" % (ts_b36, hash)
-
-        user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
-        p0 = PasswordResetTokenGenerator()
-        tk1 = _make_token(user)
-        self.assertTrue(p0.check_token(user, tk1))
-
    def test_date_length(self):
        """
        Make sure we don't allow overly long dates, causing a potential DoS.
--- a/django/contrib/auth/tokens.py
+++ b/django/contrib/auth/tokens.py
@ -1,5 +1,4 @@
 from datetime import date
-import hashlib
 from django.conf import settings
 from django.utils.http import int_to_base36, base36_to_int
 from django.utils.crypto import constant_time_compare, salted_hmac
@ -33,11 +32,7 @@ class PasswordResetTokenGenerator(object):

        # Check that the timestamp/uid has not been tampered with
        if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
-            # Fallback to Django 1.2 method for compatibility.
-            # PendingDeprecationWarning <- here to remind us to remove this in
-            # Django 1.5
-            if not constant_time_compare(self._make_token_with_timestamp_old(user, ts), token):
-                return False
+            return False

        # Check the timestamp is within limit
        if (self._num_days(self._today()) - ts) > settings.PASSWORD_RESET_TIMEOUT_DAYS:
@ -63,14 +58,6 @@ class PasswordResetTokenGenerator(object):
        hash = salted_hmac(key_salt, value).hexdigest()[::2]
        return "%s-%s" % (ts_b36, hash)

-    def _make_token_with_timestamp_old(self, user, timestamp):
-        # The Django 1.2 method
-        ts_b36 = int_to_base36(timestamp)
-        hash = hashlib.sha1(settings.SECRET_KEY + unicode(user.id) +
-                           user.password + user.last_login.strftime('%Y-%m-%d %H:%M:%S') +
-                           unicode(timestamp)).hexdigest()[::2]
-        return "%s-%s" % (ts_b36, hash)
-
    def _num_days(self, dt):
        return (dt - date(2001,1,1)).days