Natalia 
							
						 
					 
					
						
						
						
						
							
						
						
							3c733c78d6 
							
						 
					 
					
						
						
							
							[5.1.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when email sending fails.  
						
						
						
						
						On successful submission of a password reset request, an email is sent
to the accounts known to the system. If sending this email fails (due to
email backend misconfiguration, service provider outage, network issues,
etc.), an attacker might exploit this by detecting which password reset
requests succeed and which ones generate a 500 error response.
Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
Johnson, and Sarah Boyce for the reviews. 
						
						
					 
					
						2024-09-03 09:24:21 -03:00 
						 
				 
			
				
					
						
							
							
								nessita 
							
						 
					 
					
						
						
						
						
							
						
						
							7acec02554 
							
						 
					 
					
						
						
							
							[5.1.x] Sorted alphabetically forms list in docs/topics/auth/default.txt.  
						
						
						
						
						Backport of 7adb6dd98d50a238f3eca8c15b16b5aec12575fd from main. 
						
						
					 
					
						2024-08-22 09:15:28 -03:00 
						 
				 
			
				
					
						
							
							
								Natalia 
							
						 
					 
					
						
						
						
						
							
						
						
							da22e6cb3c 
							
						 
					 
					
						
						
							
[5.1.x] Fixed #35678 -- Removed "usable_password" field from BaseUserCreationForm.
						
						
						
Refs #34429: Following the implementation allowing the setting of
unusable passwords via the admin site, the `BaseUserCreationForm` and
`UserCreationForm` were extended to include a new field for choosing
whether password-based authentication for the new user should be enabled
or disabled at creation time.
Given that these forms are designed to be extended when implementing
custom user models, this branch ensures that this new field is moved to
a new, admin-dedicated, user creation form `AdminUserCreationForm`.
Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3.
Thanks Simon Willison for the report, Fabian Braun and Sarah Boyce for
the review.
Backport of 0ebed5fa95f53b87383901bbd9341ef3c974344f from main. 
						
						
					 
					
						2024-08-19 12:41:23 -03:00 
						 
				 
			
				
					
						
							
							
								Adam Johnson 
							
						 
					 
					
						
						
						
						
							
						
						
							291fa5fbbe 
							
						 
					 
					
						
						
							
[5.1.x] Refs #31405 -- Improved LoginRequiredMiddleware documentation.
						
						
						
						co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Backport of 49815f70e4508ae21135f725da177fc2935de32c from main. 
						
						
					 
					
						2024-08-08 10:07:12 +02:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
						
						
							
						
						
							b4dd76c315 
							
						 
					 
					
						
						
							
							[5.1.x] Migrated setuptools configuration to pyproject.toml.  
						
						
						
						
						This branch migrates setuptools configuration from setup.py/setup.cfg to
pyproject.toml. In order to ensure that the generated binary files have
consistent casing (both the tarball and the wheel), setuptools version
is limited to ">=61.0.0,<69.3.0".
Configuration for flake8 was moved to a dedicated .flake8 file since
it cannot be configured via pyproject.toml.
Also, __pycache__ exclusion was removed from MANIFEST and the
extras/Makefile was replaced with a simpler build command.
Co-authored-by: Nick Pope <nick@nickpope.me.uk>
Backport of 4686541691dbe986f58ac87630c3b7a04db4ff93 from main. 
						
						
					 
					
						2024-06-24 22:31:17 -03:00 
						 
				 
			
				
					
						
							
							
								Hisham Mahmood 
							
						 
					 
					
						
						
						
						
							
						
						
							c7fc9f20b4 
							
						 
					 
					
						
						
							
Fixed #31405 -- Added LoginRequiredMiddleware.
						
						
						
						Co-authored-by: Adam Johnson <me@adamj.eu>
Co-authored-by: Mehmet İnce <mehmet@mehmetince.net>
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 
						
						
					 
					
						2024-05-22 08:51:17 +02:00 
						 
				 
			
				
					
						
							
							
								Dingning 
							
						 
					 
					
						
						
						
						
							
						
						
							549320946d 
							
						 
					 
					
						
						
							
Fixed #35030 -- Made django.contrib.auth decorators work with async functions.
						
						
						
						
					 
					
						2024-03-07 09:59:33 +01:00 
						 
				 
			
				
					
						
							
							
								Fabian Braun 
							
						 
					 
					
						
						
						
						
							
						
						
							e626716c28 
							
						 
					 
					
						
						
							
Fixed #34429 -- Allowed setting unusable passwords for users in the auth forms.
						
						
						
						Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> 
						
						
					 
					
						2024-02-20 12:13:32 -03:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
							
						
						
						
							
						
						
							305757aec1 
							
						 
					 
					
						
						
							
							Applied Black's 2024 stable style.  
						
						
						
						
						https://github.com/psf/black/releases/tag/24.1.0  
					
						2024-01-26 12:45:07 +01:00 
						 
				 
			
				
					
						
							
							
								Adrienne Franke 
							
						 
					 
					
						
						
							
							
						
						
						
							
						
						
							8570e091d0 
							
						 
					 
					
						
						
							
							Fixed typo in docs/topics/auth/default.txt.  
						
						
						
						
					 
					
						2024-01-22 17:43:13 +01:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
							
						
						
						
							
						
						
							86c45d8bc6 
							
						 
					 
					
						
						
							
							Fixed typos in docs.  
						
						
						
						
					 
					
						2023-12-15 07:54:02 +01:00 
						 
				 
			
				
					
						
							
							
								Markus Amalthea Magnuson 
							
						 
					 
					
						
						
						
						
							
						
						
							61c305f298 
							
						 
					 
					
						
						
							
Fixed #34970 -- Clarified Password Validation docs regarding the password_changed callback.
						
						
						
						
					 
					
						2023-11-15 15:35:25 -03:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
						
						
							
						
						
							00e1879610 
							
						 
					 
					
						
						
							
Refs #33764 -- Removed BaseUserManager.make_random_password() per deprecation timeline.
						
						
						
						
					 
					
						2023-09-18 22:12:40 +02:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
						
						
							
						
						
							295467c04a 
							
						 
					 
					
						
						
							
							Removed versionadded/changed annotations for 4.2.  
						
						
						
						
						This also removes remaining versionadded/changed annotations for older
versions. 
						
						
					 
					
						2023-09-18 22:12:40 +02:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
							
						
						
						
							
						
						
							e2a3a896cf 
							
						 
					 
					
						
						
							
Refs #15619 -- Removed deprecated annotation about logging out via GET requests.
						
						
						
						Follow up to 6c57c08ae52f86df843fccb5a3c1c6c45a10a26f. 
						
						
					 
					
						2023-09-14 19:49:06 +02:00 
						 
				 
			
				
					
						
							
							
								Jon Janzen 
							
						 
					 
					
						
						
						
						
							
						
						
							5e98959d92 
							
						 
					 
					
						
						
							
Fixed #34391 -- Added async-compatible interface to auth functions and related methods test clients.
						
						
						
						
					 
					
						2023-06-27 11:17:17 +02:00 
						 
				 
			
				
					
						
							
							
								HappyDingning 
							
						 
					 
					
						
						
						
						
							
						
						
							674c23999c 
							
						 
					 
					
						
						
							
Fixed #34565 -- Added support for async checking of user passwords.
						
						
						
						
					 
					
						2023-05-18 09:39:04 +02:00 
						 
				 
			
				
					
						
							
							
								Tim Graham 
							
						 
					 
					
						
						
						
						
							
						
						
							2c4dc64760 
							
						 
					 
					
						
						
							
							Used extlinks for PyPI links.  
						
						
						
						
						Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> 
						
						
					 
					
						2023-04-17 06:55:32 +02:00 
						 
				 
			
				
					
						
							
							
								David Wobrock 
							
						 
					 
					
						
						
						
						
							
						
						
							2396933ca9 
							
						 
					 
					
						
						
							
Fixed #34384 -- Fixed session validation when rotating secret keys.
						
						
						
						Bug in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7.
Thanks Eric Zarowny for the report. 
						
						
					 
					
						2023-03-08 10:48:04 +01:00 
						 
				 
			
				
					
						
							
							
								Jon Janzen 
							
						 
					 
					
						
						
						
						
							
						
						
							e846c5e724 
							
						 
					 
					
						
						
							
Fixed #31920 -- Made AuthenticationMiddleware add request.auser().
						
						
						
						
					 
					
						2023-03-07 13:11:22 +01:00 
						 
				 
			
				
					
						
							
							
								django-bot 
							
						 
					 
					
						
						
						
						
							
						
						
							14459f80ee 
							
						 
					 
					
						
						
							
Fixed #34140 -- Reformatted code blocks in docs with blacken-docs.
						
						
						
						
					 
					
						2023-03-01 13:03:56 +01:00 
						 
				 
			
				
					
						
							
							
								Joseph Victor Zammit 
							
						 
					 
					
						
						
						
						
							
						
						
							ba755ca131 
							
						 
					 
					
						
						
							
Refs #34140 -- Corrected rst code-block and various formatting issues in docs.
						
						
						
						
					 
					
						2023-02-28 12:21:37 +01:00 
						 
				 
			
				
					
						
							
							
								Carlton Gibson 
							
						 
					 
					
						
						
						
						
							
						
						
							534ac48297 
							
						 
					 
					
						
						
							
Refs #34140 -- Applied rst code-block to non-Python examples.
						
						
						
						Thanks to J.V. Zammit, Paolo Melchiorre, and Mariusz Felisiak for
reviews. 
						
						
					 
					
						2023-02-10 19:19:13 +01:00 
						 
				 
			
				
					
						
							
							
								fschwebel 
							
						 
					 
					
						
						
							
							
						
						
						
							
						
						
							0265b1b49b 
							
						 
					 
					
						
						
							
							Fixed typo in docs/topics/auth/passwords.txt.  
						
						
						
						
						Wrapped hashing is only possible if the inner wrapped function is the
same as the previous hasher. 
						
						
					 
					
						2023-01-30 08:31:39 +01:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
						
						
							
						
						
							9a01311d20 
							
						 
					 
					
						
						
							
Refs #15619 -- Removed support for logging out via GET requests.
						
						
						
						Per deprecation timeline. 
						
						
					 
					
						2023-01-17 11:49:15 +01:00 
						 
				 
			
				
					
						
							
							
								Paul Schilling 
							
						 
					 
					
						
						
						
						
							
						
						
							298d02a77a 
							
						 
					 
					
						
						
							
Fixed #25617 -- Added case-insensitive unique username validation in UserCreationForm.
						
						
						
						Co-Authored-By: Neven Mundar <nmundar@gmail.com> 
						
						
					 
					
						2022-12-29 09:42:22 +01:00 
						 
				 
			
				
					
						
							
							
								sdolemelipone 
							
						 
					 
					
						
						
						
						
							
						
						
							9d726c7902 
							
						 
					 
					
						
						
							
Fixed #34187 -- Made UserCreationForm save many-to-many fields.
						
						
						
						
					 
					
						2022-11-29 05:56:53 +01:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
							
						
						
						
							
						
						
							662497cece 
							
						 
					 
					
						
						
							
Doc'd check_password()'s setter and preferred arguments.
						
						
						
						Follow up to 90e05aaeac612a4251640564aa65f103ac635e12. 
						
						
					 
					
						2022-11-28 08:13:51 +01:00 
						 
				 
			
				
					
						
							
							
								Tony Lechner 
							
						 
					 
					
						
						
							
							
						
						
						
							
						
						
							b088cc2fea 
							
						 
					 
					
						
						
							
Fixed #34154 -- Made mixin headers consistent in auth docs.
						
						
						
						
					 
					
						2022-11-14 05:28:27 +01:00 
						 
				 
			
				
					
						
							
							
								Trey Hunner 
							
						 
					 
					
						
						
							
							
						
						
						
							
						
						
							fad070b07b 
							
						 
					 
					
						
						
							
							Improved readability of string interpolation in frequently used examples in docs.  
						
						
						
						
					 
					
						2022-11-10 13:18:38 +01:00 
						 
				 
			
				
					
						
							
							
								Paolo Melchiorre 
							
						 
					 
					
						
						
						
						
							
						
						
							fa3afc5d86 
							
						 
					 
					
						
						
							
Fixed #34056 -- Updated the list of common passwords for CommonPasswordValidator.
						
						
						
						
					 
					
						2022-09-28 18:40:05 +02:00 
						 
				 
			
				
					
						
							
							
								Ritik Soni 
							
						 
					 
					
						
						
							
							
						
						
						
							
						
						
							c11336cd99 
							
						 
					 
					
						
						
							
Fixed #34017 -- Doc'd that Argon2id variant is used by Argon2PasswordHasher.
						
						
						
						
					 
					
						2022-09-17 09:49:09 +02:00 
						 
				 
			
				
					
						
							
							
								DevilsAutumn 
							
						 
					 
					
						
						
						
						
							
						
						
							6b0bbaf453 
							
						 
					 
					
						
						
							
Fixed #34019 -- Removed obsolete references to "model design considerations" note.
						
						
						
						
					 
					
						2022-09-17 08:02:13 +02:00 
						 
				 
			
				
					
						
							
							
								Alex Morega 
							
						 
					 
					
						
						
						
						
							
						
						
							de6c9c7054 
							
						 
					 
					
						
						
							
Refs #30947 -- Changed tuples to lists where appropriate.
						
						
						
						
					 
					
						2022-08-30 09:57:17 +02:00 
						 
				 
			
				
					
						
							
							
								Claude Paroz 
							
						 
					 
					
						
						
						
						
							
						
						
							3b79dab19a 
							
						 
					 
					
						
						
							
Refs #33691 -- Deprecated insecure password hashers.
						
						
						
						SHA1PasswordHasher, UnsaltedSHA1PasswordHasher, and UnsaltedMD5PasswordHasher
are now deprecated. 
						
						
					 
					
						2022-07-23 21:29:31 +02:00 
						 
				 
			
				
					
						
							
							
								Ciaran McCormick 
							
						 
					 
					
						
						
						
						
							
						
						
							286e7d076c 
							
						 
					 
					
						
						
							
Fixed #33764 -- Deprecated BaseUserManager.make_random_password().
						
						
						
						
					 
					
						2022-06-03 07:30:57 +02:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
						
						
							
						
						
							ac90529cc5 
							
						 
					 
					
						
						
							
							Fixed docs build with sphinxcontrib-spelling 7.5.0+.  
						
						
						
						
						sphinxcontrib-spelling 7.5.0+ includes captions of figures in the set
of nodes for which the text is checked. 
						
						
					 
					
						2022-05-31 11:17:01 +02:00 
						 
				 
			
				
					
						
							
							
								Carlton Gibson 
							
						 
					 
					
						
						
						
						
							
						
						
							ca1c3151c3 
							
						 
					 
					
						
						
							
							Removed versionadded/changed annotations for 4.0.  
						
						
						
						
					 
					
						2022-05-17 14:22:06 +02:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
							
						
						
						
							
						
						
							02dbf1667c 
							
						 
					 
					
						
						
							
Fixed #33691 -- Deprecated django.contrib.auth.hashers.CryptPasswordHasher.
						
						
						
						
					 
					
						2022-05-11 09:13:45 +02:00 
						 
				 
			
				
					
						
							
							
								David 
							
						 
					 
					
						
						
						
						
							
						
						
							ce586ed693 
							
						 
					 
					
						
						
							
							Removed hyphen from pre-/re- prefixes.  
						
						
						
						
						"prepopulate", "preload", and "preprocessing" are already in the
spelling_wordlist.
This also removes hyphen from double "e" combinations with "pre" and
"re", e.g. preexisting, preempt, reestablish, or reenter.
See also:
- https://ahdictionary.com/word/search.html?q=rerun 
- https://ahdictionary.com/word/search.html?q=recreate 
- https://ahdictionary.com/word/search.html?q=predetermined 
- https://ahdictionary.com/word/search.html?q=reuse 
- https://ahdictionary.com/word/search.html?q=reopening  
						
						
					 
					
						2022-04-28 10:44:14 +02:00 
						 
				 
			
				
					
						
							
							
								Lucidiot 
							
						 
					 
					
						
						
						
						
							
						
						
							13a9cde133 
							
						 
					 
					
						
						
							
Fixed #33613 -- Made createsuperuser detect uniqueness of USERNAME_FIELD when using Meta.constraints.
						
						
						
						
					 
					
						2022-04-01 11:39:41 +02:00 
						 
				 
			
				
					
						
							
							
								René Fleschenberg 
							
						 
					 
					
						
						
						
						
							
						
						
							eb07b5be0c 
							
						 
					 
					
						
						
							
Fixed #15619 -- Deprecated log out via GET requests.
						
						
						
						Thanks Florian Apolloner for the implementation idea.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> 
						
						
					 
					
						2022-03-29 06:42:14 +02:00 
						 
				 
			
				
					
						
							
							
								tschilling 
							
						 
					 
					
						
						
						
						
							
						
						
							0dcd549bbe 
							
						 
					 
					
						
						
							
Fixed #30360 -- Added support for secret key rotation.
						
						
						
						Thanks Florian Apolloner for the implementation idea.
Co-authored-by: Andreas Pelme <andreas@pelme.se>
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Vuyisile Ndlovu <terrameijar@gmail.com> 
						
						
					 
					
						2022-02-01 11:12:24 +01:00 
						 
				 
			
				
					
						
							
							
								Brad Solomon 
							
						 
					 
					
						
						
						
						
							
						
						
							b55ebe3241 
							
						 
					 
					
						
						
							
Fixed #33443 -- Clarified when PasswordResetView sends an email.
						
						
						
						
					 
					
						2022-01-17 07:44:46 +01:00 
						 
				 
			
				
					
						
							
							
								Adam Johnson 
							
						 
					 
					
						
						
							
							
						
						
						
							
						
						
							652c68ffee 
							
						 
					 
					
						
						
							
							Clarified how contrib.auth picks a password hasher for verification.  
						
						
						
						
					 
					
						2022-01-13 20:46:18 +01:00 
						 
				 
			
				
					
						
							
							
								David 
							
						 
					 
					
						
						
						
						
							
						
						
							cc8e771c64 
							
						 
					 
					
						
						
							
							Fixed malformed attribute directives in docs.  
						
						
						
						
					 
					
						2022-01-05 08:11:13 +01:00 
						 
				 
			
				
					
						
							
							
								Florian Apolloner 
							
						 
					 
					
						
						
						
						
							
						
						
							968a3d01fa 
							
						 
					 
					
						
						
							
							Fixed CVE-2021-45115 -- Prevented DoS vector in UserAttributeSimilarityValidator.  
						
						
						
						
						Thanks Chris Bailey for the report.
Co-authored-by: Adam Johnson <me@adamj.eu> 
						
						
					 
					
						2022-01-04 10:02:05 +01:00 
						 
				 
			
				
					
						
							
							
								Mariusz Felisiak 
							
						 
					 
					
						
						
							
							
						
						
						
							
						
						
							ad6bb20557 
							
						 
					 
					
						
						
							
							Avoided counting attributes and methods in docs.  
						
						
						
						
					 
					
						2021-12-28 12:36:57 +01:00 
						 
				 
			
				
					
						
							
							
								Adam Johnson 
							
						 
					 
					
						
						
						
						
							
						
						
							b0d16d0129 
							
						 
					 
					
						
						
							
							Changed signatures of setting_changed signal receivers.  
						
						
						
						
					 
					
						2021-12-17 13:07:04 +01:00 
						 
				 
			
				
					
						
							
							
								Adam Johnson 
							
						 
					 
					
						
						
							
							
						
						
						
							
						
						
							41329b9852 
							
						 
					 
					
						
						
							
							Improved wording in password validators docs and docstrings.  
						
						
						
						
					 
					
						2021-12-13 18:53:07 +01:00