Mariusz Felisiak
a948d9df39
Increased the default PBKDF2 iterations for Django 4.0.
2021-01-14 17:50:04 +01:00
Mariusz Felisiak
0aa6a602b2
Refs #31842 -- Removed DEFAULT_HASHING_ALGORITHM transitional setting.
Per deprecation timeline.
2021-01-14 17:50:04 +01:00
Mariusz Felisiak
6b4941dd57
Refs #27468 -- Removed support for the pre-Django 3.1 user sessions.
Per deprecation timeline.
2021-01-14 17:50:04 +01:00
Mariusz Felisiak
66b4046d68
Refs #27468 -- Removed support for the pre-Django 3.1 password reset tokens.
Per deprecation timeline.
2021-01-14 17:50:04 +01:00
Mariusz Felisiak
12ac4916af
Refs #28622 -- Removed settings.PASSWORD_RESET_TIMEOUT_DAYS per deprecation timeline.
2021-01-14 17:50:04 +01:00
Jon Moroney
76ae6ccf85
Fixed #31358 -- Increased salt entropy of password hashers.
Co-authored-by: Florian Apolloner <florian@apolloner.eu>
2021-01-14 11:20:28 +01:00
Jon Moroney
6bd206e1ff
Refs #31358 -- Added bcrypt password hashers tests for must_update() with salt().
2021-01-14 11:20:28 +01:00
Florian Apolloner
c76d51b3ad
Refs #31358 -- Fixed decoding salt in Argon2PasswordHasher.
Argon2 encodes the salt as base64 for representation in the final hash
output. To be able to accurately return the used salt from decode(),
add padding, b64decode, and decode from latin1 (for the remote
possibility that someone supplied a custom hash consisting solely of
bytes -- this would require a manual construction of the hash though,
Django's interface does not allow for that).
2020-12-28 11:02:08 +01:00
Timo Ludwig
d8dfff2ab0
Fixed #32235 -- Made ReadOnlyPasswordHashField disabled by default.
2020-12-03 09:32:08 +01:00
Mariusz Felisiak
3828427f63
Refs #31978 -- Fixed hint in admin's password reset confirmation form for custom username fields.
Thanks Jaap Roes for the report.
2020-11-30 06:34:22 +01:00
Mariusz Felisiak
58740c0d7f
Refs #22909 -- Removed camelCasing in auth_tests.test_templates tests.
2020-11-30 06:34:22 +01:00
Claude Paroz
187482d743
Avoided direct styles in admin templates.
Direct styles might be forbidden by Content Security Policies.
2020-11-10 21:32:15 +01:00
Hasan Ramezani
4eb756793b
Refs #28215 -- Marked auth credentials as sensitive variables.
Co-authored-by: Collin Anderson <collin@onetencommunications.com>
2020-10-28 14:21:53 +01:00
Mariusz Felisiak
3418092238
Fixed #32130 -- Fixed pre-Django 3.1 password reset tokens validation.
Thanks Gordon Wrigley for the report and implementation idea.
Regression in 226ebb1729.
2020-10-22 13:21:14 +02:00
Jacob Walls
0362b0e986
Fixed #26615 -- Made password reset token invalidate when changing email.
Co-Authored-By: Silas Barta <sbarta@gmail.com>
2020-10-21 09:29:53 +02:00
Hannes Ljungberg
f7963615eb
Fixed #32121 -- Fixed detecting uniqueness of USERNAME_FIELD when using Meta.constraints.
Co-authored-by: Simon Charette <charettes@users.noreply.github.com>
2020-10-20 07:23:51 +02:00
Alexander Todorov
5fab16392f
Fixed #32003 -- Added obj argument to has_perm() methods in tests.
2020-09-14 12:28:17 +02:00
Tom Carrick
bcc2befd0e
Fixed #31789 -- Added a new headers interface to HttpResponse.
2020-09-14 08:41:59 +02:00
Jon Dufresne
53c0d16ac1
Fixed #31992 -- Made admin password reset templates use title/content_title blocks from the base template.
2020-09-10 11:53:09 +02:00
Collin Anderson
daa26acc4e
Fixed #31978 -- Added username hint to admin's password reset confirmation form.
2020-09-03 09:25:21 +02:00
Yan Mitrofanov
b88f98738f
Fixed #31878 -- Made createsuperuser respect --database option in default usernames.
2020-08-14 11:08:20 +02:00
Yan Mitrofanov
552bb82928
Fixed typo in tests/auth_tests/test_management.py docstring.
2020-08-14 11:08:12 +02:00
Jacob Walls
c7e7f176c1
Fixed #26977 -- Made abstract models raise TypeError when instantiating.
2020-08-05 06:37:04 +02:00
Mariusz Felisiak
d907371ef9
Fixed #31842 -- Added DEFAULT_HASHING_ALGORITHM transitional setting.
It's a transitional setting helpful in migrating multiple instances of
the same project to Django 3.1+.
Thanks Markus Holtermann for the report and review, Florian
Apolloner for the implementation idea and review, and Carlton Gibson
for the review.
2020-08-04 09:35:24 +02:00
Jon Dufresne
5a3d7cf462
Used urllib.parse.urljoin() in auth_tests to join URLs.
As the strings represent URLs and not paths, should use urllib to
manipulate them.
2020-07-09 12:03:03 +02:00
Hasan Ramezani
7af8f41273
Refs #26445 -- Allowed using UserManager.create_user()/create_superuser() in migrations.
Used app config to lookup user model in _create_user().
Thanks Markus Holtermann for the review and initial patch.
Thanks Simon Charette for the implementation idea.
2020-07-06 11:47:22 +02:00
Frantisek Holop
cc7c16af98
Fixed #31443 -- Fixed login redirection in auth mixins when LOGIN_URL is off-site URL.
2020-06-23 10:38:35 +02:00
Jon Moroney
136ec9b62b
Refs #31358 -- Added decode() to password hashers.
By convention a hasher which does not use a salt should populate the
decode dict with `None` rather than omit the dict key.
Co-Authored-By: Florian Apolloner <apollo13@users.noreply.github.com>
2020-06-23 08:36:59 +02:00
Florian Apolloner
1621f06051
Fixed #30472 -- Made Argon2PasswordHasher use Argon2id.
2020-06-17 08:10:41 +02:00
Florian Apolloner
ee49cf4f35
Added test for old Argon2i hashes with version attribute.
2020-06-17 08:10:41 +02:00
Simon Charette
94f63b926f
Refs #31395 -- Relied on setUpTestData() test data isolation in various tests.
2020-05-15 20:22:56 +02:00
Jon Dufresne
d522b51c40
Fixed #31575 -- Added system check for admin sidebar request context processor dependency.
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
2020-05-14 11:00:51 +02:00
François Freitag
c8bebbd541
Disabled management commands output with verbosity 0 in various tests.
2020-05-13 09:12:43 +02:00
Mariusz Felisiak
f2187a227f
Increased the default PBKDF2 iterations for Django 3.2.
2020-05-13 09:07:51 +02:00
Jon Dufresne
d6aff369ad
Refs #30116 -- Simplified regex match group access with Match.__getitem__().
The method has been available since Python 3.6. The shorter syntax is
also marginally faster.
2020-05-11 12:01:28 +02:00
François Freitag
a0df5dea33
Removed unnecessary inner methods in CreatesuperuserManagementCommandTestCase.
2020-05-01 20:51:44 +02:00
Mariusz Felisiak
54646a423b
Refs #27468 -- Made user sessions use SHA-256 algorithm.
2020-04-29 16:45:00 +02:00
François Freitag
9ef4a18dbe
Changed django.forms.ValidationError imports to django.core.exceptions.ValidationError.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-04-28 10:49:00 +02:00
Jon Dufresne
505fec6bad
Capitalized Unicode in docs, strings, and comments.
2020-04-20 12:10:33 +02:00
François Freitag
c86201b6ed
Disabled management commands output with verbosity 0 in various tests.
Instead of capturing the command output and discarding it immediately,
tell the command not to log.
2020-04-20 09:09:26 +02:00
François Freitag
45e96b4d9d
Removed unnecessary capturing of stdout/stderr in auth_tests.test_management.
2020-04-20 09:08:43 +02:00
Hasan Ramezani
8aa71f4e87
Fixed #31375 -- Made contrib.auth.hashers.make_password() accept only bytes or strings.
2020-03-31 10:52:56 +02:00
Hasan Ramezani
b3ab92cc5a
Refs #31375 -- Added test for contrib.auth.hashers.make_password() bytes support.
2020-03-31 10:49:39 +02:00
Jon Dufresne
3857a08bdb
Fixed #31361 -- Fixed invalid action="" in admin forms.
The attribute action="" (empty string) on the <form> element is invalid
HTML5. The spec (https://html.spec.whatwg.org/#attr-fs-action) says:
> The action and formaction content attributes, if specified, must have
> a value that is a valid non-empty URL potentially surrounded by
> spaces.
Emphasis on non-empty. The action attribute is allowed to be omitted, in
which case the current URL is used which is the same behavior as now.
2020-03-16 07:31:19 +01:00
Mariusz Felisiak
8725d04764
Fixed random auth_tests.test_tokens.TokenGeneratorTest.test_timeout failures.
Random failures depended on the current timestamp.
Thanks Matthijs Kooijman for the review.
2020-03-12 10:56:38 +01:00
Colton Hicks
f283ffaa84
Fixed #28699 -- Fixed CSRF validation with remote user middleware.
Ensured process_view() always accesses the CSRF token from the session
or cookie, rather than the request, as rotate_token() may have been called
by an authentication middleware during the process_request() phase.
2020-02-26 17:25:20 +01:00
aryan
fba5d3b6e6
Fixed #31289 -- Added hint for USERNAME_FIELD/REQUIRED_FIELDS system check.
2020-02-26 08:40:36 +01:00
Claude Paroz
4d973f5939
Refs #26601 -- Deprecated passing None as get_response arg to middleware classes.
This is the new contract since middleware refactoring in Django 1.10.
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2020-02-18 20:03:44 +01:00
Claude Paroz
da4923ea87
Refs #27468 -- Made PasswordResetTokenGenerator use SHA-256 algorithm.
2020-02-12 21:46:56 +01:00
Claude Paroz
27f67317da
Removed unnecessary token regex in auth_tests URLs.
All URLs in django.contrib.auth use a "<uidb64>/<token>" pattern.
2020-02-12 10:45:53 +01:00