Sarah Boyce
9db932ab4c
[5.2.x] Fixed #36390 -- Deprecated RemoteUserMiddleware subclasses missing aprocess_request().
...
Regression in 50f89ae850.
Thank you to shamoon for the report and Natalia Bidart for the review.
Backport of 1704c49a9b from main.
2025-05-23 10:24:09 +02:00
Ahmed Nassar
adf2991d32
[5.2.x] Fixed #36314 -- Fixed MinimumLengthValidator error message translation.
...
Regression in ec7d69035a.
Thank you Gabriel Trouvé for the report and Claude Paroz for the review.
Backport of d469db978e from main.
2025-04-17 12:32:24 +02:00
Mariusz Felisiak
53bb1d5a24
[5.2.x] Applied Black's 2025 stable style.
...
https://github.com/psf/black/releases/tag/25.1.0
Backport of ff3aaf036f from main
2025-03-01 19:47:17 +01:00
mimi89999
cb2ab4ee84
[5.2.x] Fixed #36179 -- Unhexed entries and removed duplicates in auth/common-passwords.txt.gz.
...
Backport of 727731d76d from main.
2025-02-18 09:00:31 +01:00
nessita
affad13d0c
[5.2.x] Fixed #36140 -- Allowed BaseUserCreationForm to define non required password fields.
...
Regression in e626716c28.
Thanks buffgecko12 for the report and Sarah Boyce for the review.
Backport of d15454a6e8 from main.
2025-02-01 22:50:26 -03:00
Sarah Boyce
23c6effac0
Fixed #36087 -- Supported password reset on a custom user model with a composite primary key.
2025-01-13 15:51:21 +01:00
Jaap Roes
ceecd518b1
Fixed #35530 -- Deprecated request.user fallback in auth.login and auth.alogin.
2024-11-28 17:43:46 +01:00
Jaap Roes
28b9b8d6d9
Refs #35530 -- Added basic test cases for auth.login.
2024-11-28 17:43:46 +01:00
Tommy Allen
c635decb00
Fixed #35942 -- Fixed createsuperuser crash on Python 3.13+ when username is unavailable.
...
Thanks Mariusz Felisiak and Jacob Tyler Walls for reviews.
2024-11-26 17:15:00 -03:00
GappleBee
037e740ec5
Refs #28215 -- Marked auth form passwords as sensitive variables.
2024-11-15 13:53:13 +01:00
Mariusz Felisiak
bd3b1dfa24
Refs #35844 -- Used asgiref.sync.iscoroutinefunction() instead of deprecated asyncio.iscoroutinefunction().
...
Fixes DeprecationWarning:
'asyncio.iscoroutinefunction' is deprecated and slated for removal in
Python 3.16; use inspect.iscoroutinefunction() instead.
2024-10-17 10:15:10 -03:00
SaJH
0c81775515
Refs #35727 -- Updated response.content.decode calls to use the HttpResponse.text property.
...
Signed-off-by: SaJH <wogur981208@gmail.com>
2024-10-16 11:52:22 +02:00
Ben Cail
ec7d69035a
Fixed #35782 -- Allowed overriding password validation error messages.
2024-10-15 17:23:39 +02:00
Jon Janzen
50f89ae850
Fixed #35303 -- Implemented async auth backends and utils.
2024-10-07 14:19:41 +02:00
Natalia
8c35a0a903
Fixed CVE-2024-45231 -- Avoided server error on password reset when email sending fails.
...
On successful submission of a password reset request, an email is sent
to the accounts known to the system. If sending this email fails (due to
email backend misconfiguration, service provider outage, network issues,
etc.), an attacker might exploit this by detecting which password reset
requests succeed and which ones generate a 500 error response.
Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
Johnson, and Sarah Boyce for the reviews.
2024-09-03 09:22:32 -03:00
sanjeevholla26
387475c5b2
Refs #35706 -- Prefixed 'Error:' to titles of admin pages with form errors.
...
This improves the screen reader experience.
2024-09-02 15:19:33 +02:00
nessita
046a354217
Added helper and refactored PasswordResetFormTest to unify email sending tests.
2024-08-23 11:13:31 -03:00
Natalia
0ebed5fa95
Fixed #35678 -- Removed "usable_password" field from BaseUserCreationForm.
...
Refs #34429: Following the implementation allowing the setting of
unusable passwords via the admin site, the `BaseUserCreationForm` and
`UserCreationForm` were extended to include a new field for choosing
whether password-based authentication for the new user should be enabled
or disabled at creation time.
Given that these forms are designed to be extended when implementing
custom user models, this branch ensures that this new field is moved to
a new, admin-dedicated, user creation form `AdminUserCreationForm`.
Regression in e626716c28.
Thanks Simon Willison for the report, Fabian Braun and Sarah Boyce for
the review.
2024-08-19 12:39:57 -03:00
Natalia
b60fd8722f
Refs #35678 -- Split tests for BaseUserCreationForm when using a custom User model.
...
This work also allows subclassing BaseUserCreationFormTest to reuse the
tests and assertions for testing forms that extend BaseUserCreationForm,
which is now used for UserCreationFormTest, increasing its coverage.
2024-08-19 12:39:57 -03:00
Jacob Walls
b99c608ea1
Refs #35402 -- Added tests for invalid usage of submodules in some settings.
2024-08-13 16:09:52 +02:00
Natalia
e1606d27b4
Added test for acheck_password() to ensure make_password is called for unusable passwords.
...
This is a follow up for the fix of CVE-2024-39329
(5d86458579) where the timing of
verify_password() was standardized when checking unusable passwords.
2024-08-08 12:53:36 -03:00
Michael Manfre
5d86458579
Fixed CVE-2024-39329 -- Standardized timing of verify_password() when checking unusable passwords.
...
Refs #20760.
Thanks Michael Manfre for the fix and to Adam Johnson for the review.
2024-07-09 09:21:19 -03:00
Jake Howard
53e674d574
Fixed #35520 -- Avoided opening transaction for read-only ModelAdmin requests.
2024-07-04 11:38:58 +02:00
Jacob Walls
31837dbcb3
Fixed #35569 -- Improved wording of invalid ForeignKey error message.
2024-07-04 11:35:03 +02:00
Fabian Braun
339977d444
Fixed #35477 -- Corrected 'required' errors in auth password set/change forms.
...
The auth forms using SetPasswordMixin were incorrectly including the
'This field is required.' error when additional validations (e.g.,
overriding `clean_password1`) were performed and failed.
This fix ensures accurate error reporting for password fields.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-05-30 16:31:01 -03:00
Natalia
04a208d7f1
Increased the default PBKDF2 iterations for Django 5.2.
2024-05-22 15:44:07 -03:00
Hisham Mahmood
c7fc9f20b4
Fixed #31405 -- Added LoginRequiredMiddleware.
...
Co-authored-by: Adam Johnson <me@adamj.eu>
Co-authored-by: Mehmet İnce <mehmet@mehmetince.net>
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-05-22 08:51:17 +02:00
SaJH
8f205acea9
Fixed #35428 -- Increased parallelism of the ScryptPasswordHasher.
2024-05-17 17:13:58 +02:00
Adam Johnson
d2c5a30e5a
Fixed #35408 -- Optimized post-migrate permission creation.
...
co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2024-05-13 08:34:57 +02:00
Fabian Braun
944745afe2
Fixed #34977 -- Improved accessibility in the UserChangeForm by replacing the reset password link with a button.
...
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-03-27 16:40:41 -03:00
Dingning
549320946d
Fixed #35030 -- Made django.contrib.auth decorators work with async functions.
2024-03-07 09:59:33 +01:00
Mariusz Felisiak
c4df2a7776
Refs #35030 -- Added more tests for @user_passes_test decorator.
2024-03-06 13:28:32 +01:00
Fabian Braun
e626716c28
Fixed #34429 -- Allowed setting unusable passwords for users in the auth forms.
...
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-02-20 12:13:32 -03:00
Natalia
8a757244f9
Refs #34429 -- Defined test user with unusable password for auth forms tests.
2024-02-20 12:12:37 -03:00
Mariusz Felisiak
305757aec1
Applied Black's 2024 stable style.
...
https://github.com/psf/black/releases/tag/24.1.0
2024-01-26 12:45:07 +01:00
nessita
02eaee1209
Added test ensuring that validate_password is used in AdminPasswordChangeForm.
...
Co-authored-by: Fabian Braun <fsbraun@gmx.de>
2024-01-12 17:27:55 -03:00
Mariusz Felisiak
0c5456ef37
Used enterClassContext() where appropriate.
2024-01-04 05:55:29 +01:00
Mariusz Felisiak
d88ec42bd0
Used addCleanup() in tests where appropriate.
2023-12-31 10:01:31 +01:00
Mariusz Felisiak
05ba4130ee
Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.
...
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2023-11-01 06:10:30 +01:00
Lily Foote
45078a204b
Defined PASSWORD_HASHERS for auth_tests.test_views.ChangelistTests.
...
auth_tests.test_views.ChangelistTests.test_view_user_password_is_readonly
depends on the password hasher having the three components algorithm,
salt and hash.
The default password hasher (PBKDF2PasswordHasher) has an extra
iterations component, breaking the test.
2023-09-20 05:35:49 +02:00
Mariusz Felisiak
0e560edf32
Increased the default PBKDF2 iterations for Django 5.1.
2023-09-18 22:12:40 +02:00
Mariusz Felisiak
6e4e5523a8
Refs #33691 -- Removed insecure password hashers per deprecation timeline.
2023-09-18 22:12:40 +02:00
Mariusz Felisiak
00e1879610
Refs #33764 -- Removed BaseUserManager.make_random_password() per deprecation timeline.
2023-09-18 22:12:40 +02:00
konsti
48a1929ca0
Removed unnecessary trailing commas in tests.
2023-08-22 12:42:57 +02:00
Mateusz Więckowski
5aa4c0b675
Fixed #34542 -- Made createsuperuser handle required blank fields in non-interactive mode.
2023-08-08 09:26:28 +02:00
Jon Janzen
5e98959d92
Fixed #34391 -- Added async-compatible interface to auth functions and related methods test clients.
2023-06-27 11:17:17 +02:00
HappyDingning
674c23999c
Fixed #34565 -- Added support for async checking of user passwords.
2023-05-18 09:39:04 +02:00
Gary Jarrel
fcc7dc5781
Fixed #34438 -- Reallowed extending UserCreationForm.
...
Regression in 298d02a77a.
2023-03-28 11:33:20 +02:00
Liyang Zhang
f9f9215d3e
Fixed some typos in comments, docstrings, and tests.
2023-03-20 08:07:23 +01:00
Hrushikesh Vaidya
a52bdea5a2
Fixed #33985 -- Used app_config.verbose_name in ContentType.__str__().
2023-03-09 10:27:08 +01:00