mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-07-01 08:19:19 +00:00
Code Issues 32 Releases Wiki Activity
33,654 Commits 29 Branches 450 Tags
Commit Graph

97 Commits

Author SHA1 Message Date
Sarah Boyce
d755a98b84 Fixed #35959 -- Displayed password reset button in admin only when user has sufficient permissions. 
This change ensures that the "Reset password" button in the admin is
shown only when the user has the necessary permission to perform a
password change operation. It reuses the password hashing rendering
logic in `display_for_field` to show the appropriate read-only widget
for users with view-only access.
 2025-04-17 12:00:20 -03:00
antoliny0919
849f8307a5 Fixed #34917 -- Underlined links in the main content area of the admin. 2025-03-27 13:27:33 +01:00
Sarah Boyce
23c6effac0 Fixed #36087 -- Supported password reset on a custom user model with a composite primary key. 2025-01-13 15:51:21 +01:00
SaJH
0c81775515 Refs #35727 -- Updated response.content.decode calls to use the HttpResponse.text property. 
Signed-off-by: SaJH <wogur981208@gmail.com>
 2024-10-16 11:52:22 +02:00
Hisham Mahmood
c7fc9f20b4 Fixed #31405 -- Added LoginRequiredMiddleware. 
Co-authored-by: Adam Johnson <me@adamj.eu>
Co-authored-by: Mehmet İnce <mehmet@mehmetince.net>
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
 2024-05-22 08:51:17 +02:00
Fabian Braun
944745afe2 Fixed #34977 -- Improved accessibility in the UserChangeForm by replacing the reset password link with a button. 
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
 2024-03-27 16:40:41 -03:00
Fabian Braun
e626716c28 Fixed #34429 -- Allowed setting unusable passwords for users in the auth forms. 
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
 2024-02-20 12:13:32 -03:00
Mariusz Felisiak
305757aec1
Applied Black's 2024 stable style. 
https://github.com/psf/black/releases/tag/24.1.0
 2024-01-26 12:45:07 +01:00
Lily Foote
45078a204b Defined PASSWORD_HASHERS for auth_tests.test_views.ChangelistTests. 
auth_tests.test_views.ChangelistTests.test_view_user_password_is_readonly
depends on the password hasher having the three components algorithm,
salt and hash.

The default password hasher (PBKDF2PasswordHasher) has an extra
iterations component, breaking the test.
 2023-09-20 05:35:49 +02:00
Mariusz Felisiak
9a01311d20 Refs #15619 -- Removed support for logging out via GET requests. 
Per deprecation timeline.
 2023-01-17 11:49:15 +01:00
David Wobrock
99bd5fb4c2 Refs #34074 -- Used headers argument for RequestFactory and Client in docs and tests. 2023-01-04 09:11:36 +01:00
Shai Berger
fdf0f62521 Fixed ReadOnlyPasswordHashWidget's template for RTL languages. 2022-09-01 21:20:15 +02:00
Aymeric Augustin
5dfa6fca96 Refactored out RedirectURLMixin.get_success_url(). 
This also adds a default implementation of get_default_redirect_url().
 2022-04-20 10:04:29 +02:00
Aymeric Augustin
04bc2564b6 Simplified LogoutView.get_success_url(). 
This preserves the behavior of redirecting to the logout URL without
query string parameters when an insecure ?next=... parameter is given.

It changes the behavior of a POST to the logout URL, as shown by the
test that is changed. Currently, this results in a GET to the logout
URL. However, such GET requests are deprecated. This change would be
necessary in Django 5.0 anyway. This commit merely anticipates it.
 2022-04-20 10:04:29 +02:00
Aymeric Augustin
5591a72571
Fixed #33648 -- Prevented extra redirect in LogoutView on invalid next page when LOGOUT_REDIRECT_URL is set. 2022-04-18 16:33:10 +02:00
René Fleschenberg
eb07b5be0c Fixed #15619 -- Deprecated log out via GET requests. 
Thanks Florian Apolloner for the implementation idea.

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
 2022-03-29 06:42:14 +02:00
Mariusz Felisiak
94d8ed55fa
Refs #15619 -- Logged out with POST requests in admin. 2022-03-24 17:41:53 +01:00
Mariusz Felisiak
7119f40c98 Refs #33476 -- Refactored code to strictly match 88 characters line length. 2022-02-07 20:37:05 +01:00
django-bot
9c19aff7c7 Refs #33476 -- Reformatted code with Black. 2022-02-07 20:37:05 +01:00
Chris Jerdonek
f3825ee050
Fixed wording of AuthViewsTestCase's docstring. 2021-07-19 06:36:20 +02:00
Mateo Radman
8a7ac78b70 Refs #32508 -- Raised ImproperlyConfigured/TypeError instead of using "assert" in various code. 2021-06-25 06:55:47 +02:00
ThinkChaos
b99d6c9cbc Fixed #28216 -- Added next_page/get_default_redirect_url() to LoginView. 2021-02-08 21:08:05 +01:00
Mariusz Felisiak
6b4941dd57 Refs #27468 -- Removed support for the pre-Django 3.1 user sessions. 
Per deprecation timeline.
 2021-01-14 17:50:04 +01:00
Jon Moroney
76ae6ccf85 Fixed #31358 -- Increased salt entropy of password hashers. 
Co-authored-by: Florian Apolloner <florian@apolloner.eu>
 2021-01-14 11:20:28 +01:00
Tom Carrick
bcc2befd0e Fixed #31789 -- Added a new headers interface to HttpResponse. 2020-09-14 08:41:59 +02:00
Jon Dufresne
5a3d7cf462
Used urllib.parse.urljoin() in auth_tests to join URLs. 
As the strings represent URLs and not paths, should use urllib to
manipulate them.
 2020-07-09 12:03:03 +02:00
Jon Dufresne
d6aff369ad Refs #30116 -- Simplified regex match group access with Match.__getitem__(). 
The method has been available since Python 3.6. The shorter syntax is
also marginally faster.
 2020-05-11 12:01:28 +02:00
Mariusz Felisiak
54646a423b
Refs #27468 -- Made user sessions use SHA-256 algorithm. 2020-04-29 16:45:00 +02:00
Jon Dufresne
3857a08bdb Fixed #31361 -- Fixed invalid action="" in admin forms. 
The attribute action="" (empty string) on the <form> element is invalid
HTML5. The spec (https://html.spec.whatwg.org/#attr-fs-action) says:

> The action and formaction content attributes, if specified, must have
> a value that is a valid non-empty URL potentially surrounded by
> spaces.

Emphasis on non-empty. The action attribute is allowed to be omitted, in
which case the current URL is used which is the same behavior as now.
 2020-03-16 07:31:19 +01:00
Claude Paroz
4d973f5939 Refs #26601 -- Deprecated passing None as get_response arg to middleware classes. 
This is the new contract since middleware refactoring in Django 1.10.

Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
 2020-02-18 20:03:44 +01:00
Carlton Gibson
11c5e0609b Fixed CVE-2019-19118 -- Required edit permissions on parent model for editable inlines in admin. 
Thank you to Shen Ying for reporting this issue.
 2019-12-02 08:56:08 +01:00
Jon Dufresne
7f0946298e Replaced encode() usage with bytes literals. 2019-11-18 15:31:42 +01:00
Sanyam Khurana
87f5d07eed Fixed #12952 -- Adjusted admin log change messages to use form labels instead of field names. 2019-06-14 18:20:29 +02:00
Mattia Procopio
aff61790a3 Refs #24944 -- Added test for overriding domain in email context in PasswordResetView. 2019-05-27 11:50:30 +02:00
Rob
58df8aa40f Fixed #28780 -- Allowed specyfing a token parameter displayed in password reset URLs. 
Co-authored-by: Tim Givois <tim.givois.mendez@gmail.com>
 2019-05-24 08:40:25 +02:00
Jon Dufresne
95b7699ffc Cleaned up exception message checking in some tests. 2019-03-15 19:27:57 -04:00
Claude Paroz
a8e2a9bac6 Refs #15902 -- Deprecated storing user's language in the session. 2019-02-14 10:23:02 -05:00
Tim Graham
043bd70942 Updated test URL patterns to use path() and re_path(). 2018-12-31 10:47:32 -05:00
Simon Charette
84e7a9f4a7 Switched setUp() to setUpTestData() where possible in Django's tests. 2018-11-27 09:35:17 -05:00
Jon Dufresne
c82893cb8c Refs #27795 -- Removed force_bytes() usage from django/utils/http.py. 
django.utils.http.urlsafe_base64_encode() now returns a string, not a
bytestring. Since URLs are represented as strings,
urlsafe_base64_encode() should return a string. All uses immediately
decoded the bytestring to a string anyway.

As the inverse operation, urlsafe_base64_decode() accepts a string.
 2018-10-10 14:38:22 -04:00
Tim Graham
a7284cc0c3 Fixed #29809 -- Fixed a crash when a "view only" user POSTs to the admin user change form. 2018-10-01 10:09:50 +02:00
Carlton Gibson
bf39978a53 Fixed CVE-2018-16984 -- Fixed password hash disclosure to admin "view only" users. 
Thanks Claude Paroz & Tim Graham for collaborating on the patch.
 2018-10-01 10:05:01 +02:00
Alexander Todorov
53ebd4cb13 Fixed #29686 -- Made UserAdmin.user_change_password() pass user to has_change_permission(). 2018-08-17 17:43:00 -04:00
Tim Graham
5d98d53fab Refs #27398 -- Simplified some tests with assertRedirects(). 2018-06-20 14:08:56 -04:00
Jan Pieter Waagmeester
24959e48d9 Fixed #27398 -- Added an assertion to compare URLs, ignoring the order of their query strings. 2018-06-20 13:26:12 -04:00
Claude Paroz
607970f31c Replaced django.test.utils.patch_logger() with assertLogs(). 
Thanks Tim Graham for the review.
 2018-05-07 09:34:00 -04:00
Nick Pope
df90e462d9 Fixed #29212 -- Doc'd redirect loop if @permission_required used with redirect_authenticated_user. 2018-04-19 10:21:24 -04:00
Mattia Procopio
aeb8c38178 Fixed #29206 -- Fixed PasswordResetConfirmView crash when the URL contains a non-UUID where one is expected. 2018-03-15 21:33:15 -04:00
Tim Graham
fa75b2cb51
Refs #27795 -- Removed force_bytes/text() usage in tests. 2018-02-07 14:20:04 -05:00
Tim Graham
6e40b70bf4 Refs #26929 -- Removed extra_context parameter of contrib.auth.views.logout_then_login(). 
Per deprecation timeline.
 2017-09-22 12:51:17 -04:00