summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Zaccardi <nicholas.zaccardi@gmail.com>2017-05-27 16:27:13 -0400
committerTim Graham <timograham@gmail.com>2017-05-29 09:22:22 -0400
commit95993a89ce6ca5f5e26b1c22b65c57dcb8c005e9 (patch)
treec3fec8384bf4571661bb5d1a84fceeddb4c5c076
parent8c45b5b903e1ee4611577b98d43074b6f26089ef (diff)
Fixed #28248 -- Fixed password reset tokens being valid for 1 day longer than PASSWORD_RESET_TIMEOUT_DAYS.
-rw-r--r--django/contrib/auth/tokens.py2
-rw-r--r--docs/releases/2.0.txt6
-rw-r--r--tests/auth_tests/test_tokens.py7
3 files changed, 11 insertions, 4 deletions
diff --git a/django/contrib/auth/tokens.py b/django/contrib/auth/tokens.py
index eefa00c330..f4ed175e44 100644
--- a/django/contrib/auth/tokens.py
+++ b/django/contrib/auth/tokens.py
@@ -42,7 +42,7 @@ class PasswordResetTokenGenerator:
return False
# Check the timestamp is within limit
- if (self._num_days(self._today()) - ts) > settings.PASSWORD_RESET_TIMEOUT_DAYS:
+ if (self._num_days(self._today()) - ts) >= settings.PASSWORD_RESET_TIMEOUT_DAYS:
return False
return True
diff --git a/docs/releases/2.0.txt b/docs/releases/2.0.txt
index e4b7110560..39df2d891d 100644
--- a/docs/releases/2.0.txt
+++ b/docs/releases/2.0.txt
@@ -355,6 +355,12 @@ Miscellaneous
connection, those queries could be included as part of the
``assertNumQueries()`` count.
+* The ``PASSWORD_RESET_TIMEOUT_DAYS`` setting is more properly respected in
+ ``contrib.auth`` password reset. Previously, resets were allowed for one day
+ longer than expected. For example, with the default of
+ ``PASSWORD_RESET_TIMEOUT_DAYS = 3``, password reset tokens are now valid for
+ 72 hours rather than 96 hours.
+
.. _deprecated-features-2.0:
Features deprecated in 2.0
diff --git a/tests/auth_tests/test_tokens.py b/tests/auth_tests/test_tokens.py
index eb06e00425..0bc5b07599 100644
--- a/tests/auth_tests/test_tokens.py
+++ b/tests/auth_tests/test_tokens.py
@@ -43,11 +43,12 @@ class TokenGeneratorTest(TestCase):
user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
p0 = PasswordResetTokenGenerator()
tk1 = p0.make_token(user)
- p1 = Mocked(date.today() + timedelta(settings.PASSWORD_RESET_TIMEOUT_DAYS))
+ p1 = Mocked(date.today() + timedelta(days=settings.PASSWORD_RESET_TIMEOUT_DAYS, seconds=-1))
self.assertTrue(p1.check_token(user, tk1))
-
- p2 = Mocked(date.today() + timedelta(settings.PASSWORD_RESET_TIMEOUT_DAYS + 1))
+ p2 = Mocked(date.today() + timedelta(days=settings.PASSWORD_RESET_TIMEOUT_DAYS))
self.assertFalse(p2.check_token(user, tk1))
+ p3 = Mocked(date.today() + timedelta(days=settings.PASSWORD_RESET_TIMEOUT_DAYS, seconds=1))
+ self.assertFalse(p3.check_token(user, tk1))
def test_check_token_with_nonexistent_token_and_user(self):
user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')