p31829507
/
django
mirror of https://github.com/django/django.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
31,707 Commits 28 Branches 411 Tags 641 MiB
Commit Graph

394 Commits

Author SHA1 Message Date
ryowright 1783b3cb24 Fixed #32275 -- Added scrypt password hasher. 
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
 2021-07-22 12:40:33 +02:00
Mariusz Felisiak 83022d279c
Refs #32508 -- Raised TypeError/ValueError instead of using "assert" in encode() methods of some password hashers. 2021-07-22 09:42:07 +02:00
Chris Jerdonek f3825ee050
Fixed wording of AuthViewsTestCase's docstring. 2021-07-19 06:36:20 +02:00
Mads Jensen c51bf80d56 Used more specific unittest assertions in tests. 2021-07-07 10:51:38 +02:00
Mateo Radman 8a7ac78b70 Refs #32508 -- Raised ImproperlyConfigured/TypeError instead of using "assert" in various code. 2021-06-25 06:55:47 +02:00
abhiabhi94 22da686ca9 Refs #24121 -- Added __repr__() to PermWrapper. 2021-05-28 08:03:23 +02:00
David Sanders 736bb9868a Renamed "object" argument of ModelAdmin.log_addition(), log_change(), and log_deletion() methods. 2021-05-20 07:29:16 +02:00
David Sanders 536c155e67 Fixed #32765 -- Removed "for" HTML attribute from ReadOnlyPasswordHashWidget. 
ReadOnlyPasswordHashWidget doesn't have any labelable elements.
 2021-05-19 20:34:57 +02:00
François Freitag 6b0b3eafd6 Fixed #32664 -- Made PasswordResetTokenGenerator.secret validation lazy. 
Django apps initialization to run management command triggers the admin
autodiscovery. Importing django.contrib.auth.tokens creates an instance
of PasswordResetTokenGenerator which required a SECRET_KEY.

For several management commands, the token generator is unused. It
should only complain about a missing SECRET_KEY when it is used.
 2021-04-20 07:34:53 +02:00
François Freitag b13af4752f Refs #28017 -- Added test for PasswordResetTokenGenerator subclass with a custom secret. 2021-04-20 07:28:06 +02:00
Hasan Ramezani a2d5ea626e Refs #32508 -- Raised ImproperlyConfigured instead of using "assert" in middlewares. 2021-03-11 08:34:28 +01:00
ThinkChaos b99d6c9cbc Fixed #28216 -- Added next_page/get_default_redirect_url() to LoginView. 2021-02-08 21:08:05 +01:00
Mariusz Felisiak a948d9df39 Increased the default PBKDF2 iterations for Django 4.0. 2021-01-14 17:50:04 +01:00
Mariusz Felisiak 0aa6a602b2 Refs #31842 -- Removed DEFAULT_HASHING_ALGORITHM transitional setting. 
Per deprecation timeline.
 2021-01-14 17:50:04 +01:00
Mariusz Felisiak 6b4941dd57 Refs #27468 -- Removed support for the pre-Django 3.1 user sessions. 
Per deprecation timeline.
 2021-01-14 17:50:04 +01:00
Mariusz Felisiak 66b4046d68 Refs #27468 -- Removed support for the pre-Django 3.1 password reset tokens. 
Per deprecation timeline.
 2021-01-14 17:50:04 +01:00
Mariusz Felisiak 12ac4916af Refs #28622 -- Removed settings.PASSWORD_RESET_TIMEOUT_DAYS per deprecation timeline. 2021-01-14 17:50:04 +01:00
Jon Moroney 76ae6ccf85 Fixed #31358 -- Increased salt entropy of password hashers. 
Co-authored-by: Florian Apolloner <florian@apolloner.eu>
 2021-01-14 11:20:28 +01:00
Jon Moroney 6bd206e1ff Refs #31358 -- Added bcrypt password hashers tests for must_update() with salt(). 2021-01-14 11:20:28 +01:00
Florian Apolloner c76d51b3ad Refs #31358 -- Fixed decoding salt in Argon2PasswordHasher. 
Argon2 encodes the salt as base64 for representation in the final hash
output. To be able to accurately return the used salt from decode(),
add padding, b64decode, and decode from latin1 (for the remote
possibility that someone supplied a custom hash consisting solely of
bytes -- this would require a manual construction of the hash though,
Django's interface does not allow for that).
 2020-12-28 11:02:08 +01:00
Timo Ludwig d8dfff2ab0 Fixed #32235 -- Made ReadOnlyPasswordHashField disabled by default. 2020-12-03 09:32:08 +01:00
Mariusz Felisiak 3828427f63 Refs #31978 -- Fixed hint in admin's password reset confirmation form for custom username fields. 
Thanks Jaap Roes for the report.
 2020-11-30 06:34:22 +01:00
Mariusz Felisiak 58740c0d7f Refs #22909 -- Removed camelCasing in auth_tests.test_templates tests. 2020-11-30 06:34:22 +01:00
Claude Paroz 187482d743
Avoided direct styles in admin templates. 
Direct styles might be forbidden by Content Security Policies.
 2020-11-10 21:32:15 +01:00
Hasan Ramezani 4eb756793b
Refs #28215 -- Marked auth credentials as sensitive variables. 
Co-authored-by: Collin Anderson <collin@onetencommunications.com>
 2020-10-28 14:21:53 +01:00
Mariusz Felisiak 3418092238
Fixed #32130 -- Fixed pre-Django 3.1 password reset tokens validation. 
Thanks Gordon Wrigley for the report and implementation idea.

Regression in 226ebb1729.
 2020-10-22 13:21:14 +02:00
Jacob Walls 0362b0e986 Fixed #26615 -- Made password reset token invalidate when changing email. 
Co-Authored-By: Silas Barta <sbarta@gmail.com>
 2020-10-21 09:29:53 +02:00
Hannes Ljungberg f7963615eb Fixed #32121 -- Fixed detecting uniqueness of USERNAME_FIELD when using Meta.constraints. 
Co-authored-by: Simon Charette <charettes@users.noreply.github.com>
 2020-10-20 07:23:51 +02:00
Alexander Todorov 5fab16392f
Fixed #32003 -- Added obj argument to has_perm() methods in tests. 2020-09-14 12:28:17 +02:00
Tom Carrick bcc2befd0e Fixed #31789 -- Added a new headers interface to HttpResponse. 2020-09-14 08:41:59 +02:00
Jon Dufresne 53c0d16ac1
Fixed #31992 -- Made admin password reset templates use title/content_title blocks from the base template. 2020-09-10 11:53:09 +02:00
Collin Anderson daa26acc4e Fixed #31978 -- Added username hint to admin's password reset confirmation form. 2020-09-03 09:25:21 +02:00
Yan Mitrofanov b88f98738f Fixed #31878 -- Made createsuperuser respect --database option in default usernames. 2020-08-14 11:08:20 +02:00
Yan Mitrofanov 552bb82928 Fixed typo in tests/auth_tests/test_management.py docstring. 2020-08-14 11:08:12 +02:00
Jacob Walls c7e7f176c1 Fixed #26977 -- Made abstract models raise TypeError when instantiating. 2020-08-05 06:37:04 +02:00
Mariusz Felisiak d907371ef9 Fixed #31842 -- Added DEFAULT_HASHING_ALGORITHM transitional setting. 
It's a transitional setting helpful in migrating multiple instance of
the same project to Django 3.1+.

Thanks Markus Holtermann for the report and review, Florian
Apolloner for the implementation idea and review, and Carlton Gibson
for the review.
 2020-08-04 09:35:24 +02:00
Jon Dufresne 5a3d7cf462
Used urllib.parse.urljoin() in auth_tests to join URLs. 
As the strings represent URLs and not paths, should use urllib to
manipulate them.
 2020-07-09 12:03:03 +02:00
Hasan Ramezani 7af8f41273 Refs #26445 -- Allowed using UserManager.create_user()/create_superuser() in migrations. 
Used app config to lookup user model in _create_user().

Thanks Markus Holtermann for the review and initial patch.
Thanks Simon Charette for the implementation idea.
 2020-07-06 11:47:22 +02:00
Frantisek Holop cc7c16af98 Fixed #31443 -- Fixed login redirection in auth mixins when LOGIN_URL is off-site URL. 2020-06-23 10:38:35 +02:00
Jon Moroney 136ec9b62b Refs #31358 -- Added decode() to password hashers. 
By convention a hasher which does not use a salt should populate the
decode dict with `None` rather than omit the dict key.

Co-Authored-By: Florian Apolloner <apollo13@users.noreply.github.com>
 2020-06-23 08:36:59 +02:00
Florian Apolloner 1621f06051 Fixed #30472 -- Made Argon2PasswordHasher use Argon2id. 2020-06-17 08:10:41 +02:00
Florian Apolloner ee49cf4f35 Added test for old Argon2i hashes with version attribute. 2020-06-17 08:10:41 +02:00
Simon Charette 94f63b926f Refs #31395 -- Relied on setUpTestData() test data isolation in various tests. 2020-05-15 20:22:56 +02:00
Jon Dufresne d522b51c40 Fixed #31575 -- Added system check for admin sidebar request context processor dependency. 
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
 2020-05-14 11:00:51 +02:00
François Freitag c8bebbd541
Disabled management commands output with verbosity 0 in various tests. 2020-05-13 09:12:43 +02:00
Mariusz Felisiak f2187a227f Increased the default PBKDF2 iterations for Django 3.2. 2020-05-13 09:07:51 +02:00
Jon Dufresne d6aff369ad Refs #30116 -- Simplified regex match group access with Match.__getitem__(). 
The method has been available since Python 3.6. The shorter syntax is
also marginally faster.
 2020-05-11 12:01:28 +02:00
François Freitag a0df5dea33
Removed unnecessary inner methods in CreatesuperuserManagementCommandTestCase. 2020-05-01 20:51:44 +02:00
Mariusz Felisiak 54646a423b
Refs #27468 -- Made user sessions use SHA-256 algorithm. 2020-04-29 16:45:00 +02:00
François Freitag 9ef4a18dbe Changed django.forms.ValidationError imports to django.core.exceptions.ValidationError. 
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
 2020-04-28 10:49:00 +02:00
Jon Dufresne 505fec6bad Capitalized Unicode in docs, strings, and comments. 2020-04-20 12:10:33 +02:00
François Freitag c86201b6ed Disabled management commands output with verbosity 0 in various tests. 
Instead of capturing the command output and discard it immediately,
tell the command not to log.
 2020-04-20 09:09:26 +02:00
François Freitag 45e96b4d9d
Removed unnecessary capturing of stdout/stderr in auth_tests.test_management. 2020-04-20 09:08:43 +02:00
Hasan Ramezani 8aa71f4e87 Fixed #31375 -- Made contrib.auth.hashers.make_password() accept only bytes or strings. 2020-03-31 10:52:56 +02:00
Hasan Ramezani b3ab92cc5a Refs #31375 -- Added test for contrib.auth.hashers.make_password() bytes support. 2020-03-31 10:49:39 +02:00
Jon Dufresne 3857a08bdb Fixed #31361 -- Fixed invalid action="" in admin forms. 
The attribute action="" (empty string) on the <form> element is invalid
HTML5. The spec (https://html.spec.whatwg.org/#attr-fs-action) says:

> The action and formaction content attributes, if specified, must have
> a value that is a valid non-empty URL potentially surrounded by
> spaces.

Emphasis on non-empty. The action attribute is allowed to be omitted, in
which case the current URL is used which is the same behavior as now.
 2020-03-16 07:31:19 +01:00
Mariusz Felisiak 8725d04764
Fixed random auth_tests.test_tokens.TokenGeneratorTest.test_timeout failures. 
Random failures depended on the current timestamp.

Thanks Matthijs Kooijman for the review.
 2020-03-12 10:56:38 +01:00
Colton Hicks f283ffaa84 Fixed #28699 -- Fixed CSRF validation with remote user middleware. 
Ensured process_view() always accesses the CSRF token from the session
or cookie, rather than the request, as rotate_token() may have been called
by an authentication middleware during the process_request() phase.
 2020-02-26 17:25:20 +01:00
aryan fba5d3b6e6 Fixed #31289 -- Added hint for USERNAME_FIELD/REQUIRED_FIELDS system check. 2020-02-26 08:40:36 +01:00
Claude Paroz 4d973f5939 Refs #26601 -- Deprecated passing None as get_response arg to middleware classes. 
This is the new contract since middleware refactoring in Django 1.10.

Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
 2020-02-18 20:03:44 +01:00
Claude Paroz da4923ea87 Refs #27468 -- Made PasswordResetTokenGenerator use SHA-256 algorithm. 2020-02-12 21:46:56 +01:00
Claude Paroz 27f67317da Removed unnecessary token regex in auth_tests URLs. 
All URLs in django.contrib.auth use a "<uidb64>/<token>" pattern.
 2020-02-12 10:45:53 +01:00
Hasan Ramezani fc4f45ebdc Used assertRaisesMessage() in various tests. 2020-02-07 12:46:23 +01:00
Hasan Ramezani 579f33eb79 Replaced assertWarns() with SimpleTestCase.assertWarnsMessage() in tests. 2020-01-30 11:19:50 +01:00
Jon Dufresne f791673537
Made token tests in auth_tests use assertIs() rather than assertTrue/False(). 2020-01-29 09:01:18 +01:00
Michael Mulholland 5a68a223c7 Fixed #31200 -- Added system checks for permissions codenames max length. 2020-01-23 12:22:59 +01:00
Matthijs Kooijman 2a2ea4ee18 Refs #31117 -- Made various tests properly handle unexpected databases aliases. 
- Used selected "databases" instead of django.db.connections.
- Made routers in tests.migrations skip migrations on unexpected
  databases.
- Added DiscoverRunnerGetDatabasesTests.assertSkippedDatabases() hook
  which properly asserts messages about skipped databases.
 2020-01-20 14:39:02 +01:00
Mariusz Felisiak 1960d55f8b
Refs #31040 -- Fixed crypt.crypt() call in test_hashers.py. 
An empty string is invalid salt in Python 3 and raises exception since
Python 3.9, see https://bugs.python.org/issue38402.
 2020-01-03 07:47:04 +01:00
Simon Charette 5b1fbcef7a Fixed CVE-2019-19844 -- Used verified user email for password reset requests. 
Co-Authored-By: Florian Apolloner <florian@apolloner.eu>
 2019-12-18 09:11:39 +01:00
Baptiste Mispelon 3df3c5e670 Fixed #26480 -- Fixed crash of contrib.auth.authenticate() on decorated authenticate() methods of authentication backends. 
The Signature API (PEP 362) has better support for decorated functions
(by default, it follows the __wrapped__ attribute set by
functools.wraps for example).
 2019-12-10 09:36:30 +01:00
Carlton Gibson 11c5e0609b Fixed CVE-2019-19118 -- Required edit permissions on parent model for editable inlines in admin. 
Thank you to Shen Ying for reporting this issue.
 2019-12-02 08:56:08 +01:00
Mariusz Felisiak e8fcdaad5c Fixed #31021 -- Fixed proxy model permissions data migration crash with a multiple databases setup. 
Regression in 98296f86b3.
 2019-11-29 08:23:01 +01:00
Jon Dufresne 7f0946298e Replaced encode() usage with bytes literals. 2019-11-18 15:31:42 +01:00
Mariusz Felisiak ca0d50f34a Fixed random auth_tests.test_tokens.TokenGeneratorTest.test_10265 failures. 
Random failures depended on the current timestamp.
 2019-11-13 14:22:23 +01:00
Mariusz Felisiak 3b4b36fb1d Moved MockedPasswordResetTokenGenerator outside of TokenGeneratorTest.test_timeout(). 2019-11-13 14:22:23 +01:00
Sergey Fedoseev d4e767911f Added tests for middlewares' checks. 2019-10-23 08:18:02 +02:00
Hasan Ramezani 226ebb1729 Fixed #28622 -- Allowed specifying password reset link expiration in seconds and deprecated PASSWORD_RESET_TIMEOUT_DAYS. 2019-09-20 13:52:04 +02:00
Sam Reynolds 6c9778a58e Fixed #30776 -- Restored max length validation on AuthenticationForm.UsernameField. 
Regression in 5ceaf14686.

Thanks gopackgo90 for the report and Mariusz Felisiak for tests.
 2019-09-18 11:37:38 +02:00
Carlton Gibson b5db65c4fb Increased the default PBKDF2 iterations for Django 3.1. 2019-09-12 17:24:01 +02:00
Mariusz Felisiak d17be88afd Refs #30037 -- Required the RemoteUserBackend.configure_user() to have request as the first positional argument. 
Per deprecation timeline.
 2019-09-10 12:01:00 +02:00
Berker Peksag 400ec5125e Fixed #18763 -- Added ModelBackend/UserManager.with_perm() methods. 
Co-authored-by: Nick Pope <nick.pope@flightdataservices.com>
 2019-08-29 19:32:12 +02:00
daniel a rios b5a5c92c72 Fixed #30066 -- Enabled super user creation without email and password 2019-08-29 12:49:16 +02:00
Carlton Gibson 57b9604451 Converted auth test to use subTest(). 2019-08-29 12:49:16 +02:00
Hasan Ramezani 03dbdfd9bb Fixed #29019 -- Added ManyToManyField support to REQUIRED_FIELDS. 2019-08-26 14:48:40 +02:00
Hasan Ramezani a5308514fb Fixed #27801 -- Made createsuperuser fall back to environment variables for password and required fields. 2019-07-02 12:55:09 +02:00
Jon Dufresne 42b9a23267 Fixed #30400 -- Improved typography of user facing strings. 
Thanks Claude Paroz for assistance with translations.
 2019-06-28 16:46:18 +02:00
Sanyam Khurana 87f5d07eed Fixed #12952 -- Adjusted admin log change messages to use form labels instead of field names. 2019-06-14 18:20:29 +02:00
Aymeric Augustin 3ee0834a46 Fixed #30556 -- Avoided useless query and hasher call in ModelBackend.authenticate() when credentials aren't provided. 
There's no need to fetch a user instance from the database unless
a username and a password are provided as credentials.
 2019-06-10 11:12:31 +02:00
Hasan Ramezani dcb8f00d06 Fixed #29379 -- Added autocomplete attribute to contrib.auth.forms fields. 
Thank you to Nick Pope for review.

Co-authored-by: CHI Cheng <cloudream@gmail.com>
 2019-06-07 12:44:39 +02:00
Tobias Bengfort 581a0f4545 Refs #30226 -- Added User.get_user_permissions() method. 
Added to mirror the existing User.get_group_permissions().
 2019-06-05 13:56:37 +02:00
Tobias Bengfort 75337a6050 Fixed #30226 -- Added BaseBackend for authentication. 2019-06-05 13:39:46 +02:00
Mattia Procopio aff61790a3 Refs #24944 -- Added test for overriding domain in email context in PasswordResetView. 2019-05-27 11:50:30 +02:00
Rob 58df8aa40f Fixed #28780 -- Allowed specyfing a token parameter displayed in password reset URLs. 
Co-authored-by: Tim Givois <tim.givois.mendez@gmail.com>
 2019-05-24 08:40:25 +02:00
Ally Weir bd228cb599 Fixed mis-capitalisation in comment. 2019-05-15 12:14:59 +02:00
Carlton Gibson 98296f86b3
Fixed #30351 -- Handled pre-existing permissions in proxy model permissions data migration. 
Regression in 181fb60159.
 2019-04-27 20:18:22 +02:00
Jon Dufresne 8d76443aba Fixed #30399 -- Changed django.utils.html.escape()/urlize() to use html.escape()/unescape(). 2019-04-25 15:09:07 +02:00
Markus Holtermann da0b2554ec Renamed camelCaseTestMethods to snake_case_test_methods 2019-04-14 16:14:14 +02:00
pmisteli 9410db9683 Fixed #30236 -- Made UsernameField render with autocapitalize="none" HTML attribute. 
This prevents automatic capitalization, which is the default behavior in
some browsers.
 2019-03-29 15:24:44 +01:00
Ryan J Schave cbf7e71558 Fixed #30257 -- Made UsernameValidators prohibit trailing newlines. 2019-03-22 13:16:25 -04:00
Jon Dufresne 95b7699ffc Cleaned up exception message checking in some tests. 2019-03-15 19:27:57 -04:00