Commit Graph

368 Commits

Author SHA1 Message Date
Aymeric Augustin 5dfa6fca96 Refactored out RedirectURLMixin.get_success_url().
This also adds a default implementation of get_default_redirect_url().
2022-04-20 10:04:29 +02:00
Aymeric Augustin 04bc2564b6 Simplified LogoutView.get_success_url().
This preserves the behavior of redirecting to the logout URL without
query string parameters when an insecure ?next=... parameter is given.

It changes the behavior of a POST to the logout URL, as shown by the
test that is changed. Currently, this results in a GET to the logout
URL. However, such GET requests are deprecated. This change would be
necessary in Django 5.0 anyway. This commit merely anticipates it.
2022-04-20 10:04:29 +02:00
Aymeric Augustin 5591a72571
Fixed #33648 -- Prevented extra redirect in LogoutView on invalid next page when LOGOUT_REDIRECT_URL is set. 2022-04-18 16:33:10 +02:00
Mariusz Felisiak 8e89dfe1c2 Fixed various tests on MySQL with MyISAM storage engine. 2022-04-18 07:05:52 +02:00
Lucidiot 13a9cde133 Fixed #33613 -- Made createsuperuser detect uniqueness of USERNAME_FIELD when using Meta.constraints. 2022-04-01 11:39:41 +02:00
René Fleschenberg eb07b5be0c Fixed #15619 -- Deprecated log out via GET requests.
Thanks Florian Apolloner for the implementation idea.

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2022-03-29 06:42:14 +02:00
Mariusz Felisiak 94d8ed55fa
Refs #15619 -- Logged out with POST requests in admin. 2022-03-24 17:41:53 +01:00
Carlton Gibson bb61f0186d Refs #32365 -- Removed internal uses of utils.timezone.utc alias.
Remaining test case ensures that uses of the alias are mapped
canonically by the migration writer.
2022-03-24 06:29:50 +01:00
Adrian Torres d90e34c61b Fixed #33561 -- Allowed synchronization of user attributes in RemoteUserBackend. 2022-03-10 12:57:19 +01:00
Nick Pope 847f46e9bf
Removed redundant QuerySet.all() calls in docs and tests.
Most QuerySet methods are mapped onto the Manager and, in general,
it isn't necessary to call .all() on the manager.
2022-02-22 10:29:38 +01:00
Mariusz Felisiak 7119f40c98 Refs #33476 -- Refactored code to strictly match 88 characters line length. 2022-02-07 20:37:05 +01:00
django-bot 9c19aff7c7 Refs #33476 -- Reformatted code with Black. 2022-02-07 20:37:05 +01:00
tschilling 0dcd549bbe Fixed #30360 -- Added support for secret key rotation.
Thanks Florian Apolloner for the implementation idea.

Co-authored-by: Andreas Pelme <andreas@pelme.se>
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Vuyisile Ndlovu <terrameijar@gmail.com>
2022-02-01 11:12:24 +01:00
Florian Apolloner 968a3d01fa Fixed CVE-2021-45115 -- Prevented DoS vector in UserAttributeSimilarityValidator.
Thanks Chris Bailey for the report.

Co-authored-by: Adam Johnson <me@adamj.eu>
2022-01-04 10:02:05 +01:00
Lie Ryan 05cde4764d Fixed #33269 -- Made AnonymousUser/PermissionsMixin.has_perms() raise ValueError on string or non-iterable perm_list. 2021-11-11 20:26:29 +01:00
Christophe Henry b1b26b37af Fixed #33178 -- Made createsuperuser validate required fields passed in options in interactive mode. 2021-10-12 08:08:05 +02:00
Christophe Henry 57273e1569 Refs #33178 -- Added createsuperuser tests for validation of foreign keys. 2021-10-12 07:54:50 +02:00
Christophe Henry 4ff500f294 Refs #21755 -- Fixed createsuperuser crash for required foreign keys passed in options in interactive mode.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-10-12 06:59:46 +02:00
Mariusz Felisiak da266b3c5c
Refs #29628, Refs #33178 -- Made createsuperuser validate password against required fields passed in options. 2021-10-12 06:21:14 +02:00
Christophe Henry df2d2bc95c Fixed #33151 -- Fixed createsuperuser crash for many-to-many required fields in non-interactive mode. 2021-10-07 12:37:16 +02:00
Mariusz Felisiak 32b7ffc2bb Increased the default PBKDF2 iterations for Django 4.1. 2021-09-20 21:23:01 +02:00
Mateo Radman a7f27fca52 Refs #32508 -- Raised TypeError/ValueError instead of using "assert" in encode() methods of remaining password hashers. 2021-09-06 07:47:53 +02:00
Mariusz Felisiak 54a30a7a00 Refs #29898 -- Changed ProjectState.real_apps to set. 2021-08-11 09:01:14 +02:00
David Smith 6802ac4415
Refs #32956 -- Corrected usage of "insure" and "assure". 2021-08-02 07:45:26 +02:00
ryowright 1783b3cb24 Fixed #32275 -- Added scrypt password hasher.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-07-22 12:40:33 +02:00
Mariusz Felisiak 83022d279c
Refs #32508 -- Raised TypeError/ValueError instead of using "assert" in encode() methods of some password hashers. 2021-07-22 09:42:07 +02:00
Chris Jerdonek f3825ee050
Fixed wording of AuthViewsTestCase's docstring. 2021-07-19 06:36:20 +02:00
Mads Jensen c51bf80d56 Used more specific unittest assertions in tests. 2021-07-07 10:51:38 +02:00
Mateo Radman 8a7ac78b70 Refs #32508 -- Raised ImproperlyConfigured/TypeError instead of using "assert" in various code. 2021-06-25 06:55:47 +02:00
abhiabhi94 22da686ca9 Refs #24121 -- Added __repr__() to PermWrapper. 2021-05-28 08:03:23 +02:00
David Sanders 736bb9868a Renamed "object" argument of ModelAdmin.log_addition(), log_change(), and log_deletion() methods. 2021-05-20 07:29:16 +02:00
David Sanders 536c155e67 Fixed #32765 -- Removed "for" HTML attribute from ReadOnlyPasswordHashWidget.
ReadOnlyPasswordHashWidget doesn't have any labelable elements.
2021-05-19 20:34:57 +02:00
François Freitag 6b0b3eafd6 Fixed #32664 -- Made PasswordResetTokenGenerator.secret validation lazy.
Django apps initialization to run management command triggers the admin
autodiscovery. Importing django.contrib.auth.tokens creates an instance
of PasswordResetTokenGenerator which required a SECRET_KEY.

For several management commands, the token generator is unused. It
should only complain about a missing SECRET_KEY when it is used.
2021-04-20 07:34:53 +02:00
François Freitag b13af4752f Refs #28017 -- Added test for PasswordResetTokenGenerator subclass with a custom secret. 2021-04-20 07:28:06 +02:00
Hasan Ramezani a2d5ea626e Refs #32508 -- Raised ImproperlyConfigured instead of using "assert" in middlewares. 2021-03-11 08:34:28 +01:00
ThinkChaos b99d6c9cbc Fixed #28216 -- Added next_page/get_default_redirect_url() to LoginView. 2021-02-08 21:08:05 +01:00
Mariusz Felisiak a948d9df39 Increased the default PBKDF2 iterations for Django 4.0. 2021-01-14 17:50:04 +01:00
Mariusz Felisiak 0aa6a602b2 Refs #31842 -- Removed DEFAULT_HASHING_ALGORITHM transitional setting.
Per deprecation timeline.
2021-01-14 17:50:04 +01:00
Mariusz Felisiak 6b4941dd57 Refs #27468 -- Removed support for the pre-Django 3.1 user sessions.
Per deprecation timeline.
2021-01-14 17:50:04 +01:00
Mariusz Felisiak 66b4046d68 Refs #27468 -- Removed support for the pre-Django 3.1 password reset tokens.
Per deprecation timeline.
2021-01-14 17:50:04 +01:00
Mariusz Felisiak 12ac4916af Refs #28622 -- Removed settings.PASSWORD_RESET_TIMEOUT_DAYS per deprecation timeline. 2021-01-14 17:50:04 +01:00
Jon Moroney 76ae6ccf85 Fixed #31358 -- Increased salt entropy of password hashers.
Co-authored-by: Florian Apolloner <florian@apolloner.eu>
2021-01-14 11:20:28 +01:00
Jon Moroney 6bd206e1ff Refs #31358 -- Added bcrypt password hashers tests for must_update() with salt(). 2021-01-14 11:20:28 +01:00
Florian Apolloner c76d51b3ad Refs #31358 -- Fixed decoding salt in Argon2PasswordHasher.
Argon2 encodes the salt as base64 for representation in the final hash
output. To be able to accurately return the used salt from decode(),
add padding, b64decode, and decode from latin1 (for the remote
possibility that someone supplied a custom hash consisting solely of
bytes -- this would require a manual construction of the hash though,
Django's interface does not allow for that).
2020-12-28 11:02:08 +01:00
Timo Ludwig d8dfff2ab0 Fixed #32235 -- Made ReadOnlyPasswordHashField disabled by default. 2020-12-03 09:32:08 +01:00
Mariusz Felisiak 3828427f63 Refs #31978 -- Fixed hint in admin's password reset confirmation form for custom username fields.
Thanks Jaap Roes for the report.
2020-11-30 06:34:22 +01:00
Mariusz Felisiak 58740c0d7f Refs #22909 -- Removed camelCasing in auth_tests.test_templates tests. 2020-11-30 06:34:22 +01:00
Claude Paroz 187482d743
Avoided direct styles in admin templates.
Direct styles might be forbidden by Content Security Policies.
2020-11-10 21:32:15 +01:00
Hasan Ramezani 4eb756793b
Refs #28215 -- Marked auth credentials as sensitive variables.
Co-authored-by: Collin Anderson <collin@onetencommunications.com>
2020-10-28 14:21:53 +01:00
Mariusz Felisiak 3418092238
Fixed #32130 -- Fixed pre-Django 3.1 password reset tokens validation.
Thanks Gordon Wrigley for the report and implementation idea.

Regression in 226ebb1729.
2020-10-22 13:21:14 +02:00