summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2013-06-21 16:59:33 -0400
committerTim Graham <timograham@gmail.com>2013-06-26 13:11:47 -0400
commit1184d077893ff1bc947e45b00a4d565f3df81776 (patch)
tree1011df8828a780f762197352d2145e1735315dd7 /docs
parentb6a87f5c93efa5192433be1e45fc4e79d54efdc7 (diff)
Fixed #14881 -- Modified password reset to work with a non-integer UserModel.pk.
uid is now base64 encoded in password reset URLs/views. A backwards compatible password_reset_confirm view/URL will allow password reset links generated before this change to continue to work. This view will be removed in Django 1.7. Thanks jonash for the initial patch and claudep for the review.
Diffstat (limited to 'docs')
-rw-r--r--docs/internals/deprecation.txt8
-rw-r--r--docs/ref/contrib/admin/index.txt7
-rw-r--r--docs/ref/utils.txt14
-rw-r--r--docs/releases/1.6.txt53
-rw-r--r--docs/topics/auth/default.txt22
5 files changed, 97 insertions, 7 deletions
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt
index 45f82b49e6..9672746717 100644
--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@@ -326,6 +326,14 @@ these changes.
remove calls to this method, and instead ensure that their auth related views
are CSRF protected, which ensures that cookies are enabled.
+* The version of :func:`django.contrib.auth.views.password_reset_confirm` that
+ supports base36 encoded user IDs
+ (``django.contrib.auth.views.password_reset_confirm_uidb36``) will be
+ removed. If your site has been running Django 1.6 for more than
+ :setting:`PASSWORD_RESET_TIMEOUT_DAYS`, this change will have no effect. If
+ not, then any password reset links generated before you upgrade to Django 1.7
+ won't work after the upgrade.
+
1.8
---
diff --git a/docs/ref/contrib/admin/index.txt b/docs/ref/contrib/admin/index.txt
index 90ef68837a..318ce297a2 100644
--- a/docs/ref/contrib/admin/index.txt
+++ b/docs/ref/contrib/admin/index.txt
@@ -2278,9 +2278,14 @@ your URLconf. Specifically, add these four patterns:
url(r'^admin/password_reset/$', 'django.contrib.auth.views.password_reset', name='admin_password_reset'),
url(r'^admin/password_reset/done/$', 'django.contrib.auth.views.password_reset_done', name='password_reset_done'),
- url(r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$', 'django.contrib.auth.views.password_reset_confirm', name='password_reset_confirm'),
+ url(r'^reset/(?P<uidb64>[0-9A-Za-z_\-]+)/(?P<token>.+)/$', 'django.contrib.auth.views.password_reset_confirm', name='password_reset_confirm'),
url(r'^reset/done/$', 'django.contrib.auth.views.password_reset_complete', name='password_reset_complete'),
+.. versionchanged:: 1.6
+
+ The pattern for :func:`~django.contrib.auth.views.password_reset_confirm`
+ changed as the ``uid`` is now base 64 encoded.
+
(This assumes you've added the admin at ``admin/`` and requires that you put
the URLs starting with ``^admin/`` before the line that includes the admin app
itself).
diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt
index 45d7781403..8d722829fb 100644
--- a/docs/ref/utils.txt
+++ b/docs/ref/utils.txt
@@ -649,6 +649,20 @@ escaping HTML.
Converts a positive integer to a base 36 string. On Python 2 ``i`` must be
smaller than :data:`sys.maxint`.
+.. function:: urlsafe_base64_encode(s)
+
+ .. versionadded:: 1.6
+
+ Encodes a bytestring in base64 for use in URLs, stripping any trailing
+ equal signs.
+
+.. function:: urlsafe_base64_decode(s)
+
+ .. versionadded:: 1.6
+
+ Decodes a base64 encoded string, adding back any trailing equal signs that
+ might have been stripped.
+
``django.utils.module_loading``
===============================
diff --git a/docs/releases/1.6.txt b/docs/releases/1.6.txt
index 3d59ce771b..2c1fffd8cd 100644
--- a/docs/releases/1.6.txt
+++ b/docs/releases/1.6.txt
@@ -656,6 +656,59 @@ rely on the previous URLs. If you want to revert to the original behavior you
can set the
:attr:`~django.contrib.admin.ModelAdmin.preserve_filters` attribute to ``False``.
+``django.contrib.auth`` password reset uses base 64 encoding of ``User`` PK
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Past versions of Django used base 36 encoding of the ``User`` primary key in
+the password reset views and URLs
+(:func:`django.contrib.auth.views.password_reset_confirm`). Base 36 encoding is
+sufficient if the user primary key is an integer, however, with the
+introduction of custom user models in Django 1.5, that assumption may no longer
+be true.
+
+:func:`django.contrib.auth.views.password_reset_confirm` has been modified to
+take a ``uidb64`` parameter instead of ``uidb36``. If you are reversing this
+view, for example in a custom ``password_reset_email.html`` template, be sure
+to update your code.
+
+A temporary shim for :func:`django.contrib.auth.views.password_reset_confirm`
+that will allow password reset links generated prior to Django 1.6 to continue
+to work has been added to provide backwards compatibility; this will be removed
+in Django 1.7. Thus, as long as your site has been running Django 1.6 for more
+than :setting:`PASSWORD_RESET_TIMEOUT_DAYS`, this change will have no effect.
+If not (for example, if you upgrade directly from Django 1.5 to Django 1.7),
+then any password reset links generated before you upgrade to Django 1.7 or
+later won't work after the upgrade.
+
+In addition, if you have any custom password reset URLs, you will need to
+update them by replacing ``uidb36`` with ``uidb64`` and the dash that follows
+that pattern with a slash. Also add ``_\-`` to the list of characters that may
+match the ``uidb64`` pattern.
+
+For example::
+
+ url(r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$',
+ 'django.contrib.auth.views.password_reset_confirm',
+ name='password_reset_confirm'),
+
+becomes::
+
+ url(r'^reset/(?P<uidb64>[0-9A-Za-z_\-]+)/(?P<token>.+)/$',
+ 'django.contrib.auth.views.password_reset_confirm',
+ name='password_reset_confirm'),
+
+You may also want to add the shim to support the old style reset links. Using
+the example above, you would modify the existing url by replacing
+``django.contrib.auth.views.password_reset_confirm`` with
+``django.contrib.auth.views.password_reset_confirm_uidb36`` and also remove
+the ``name`` argument so it doesn't conflict with the new url::
+
+ url(r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$',
+ 'django.contrib.auth.views.password_reset_confirm_uidb36'),
+
+You can remove this url pattern after your app has been deployed with Django
+1.6 for :setting:`PASSWORD_RESET_TIMEOUT_DAYS`.
+
Miscellaneous
~~~~~~~~~~~~~
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
index 8849520b11..e2fa0c287e 100644
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@@ -817,7 +817,7 @@ patterns.
* ``protocol``: http or https
- * ``uid``: The user's id encoded in base 36.
+ * ``uid``: The user's primary key encoded in base 64.
* ``token``: Token to check that the reset link is valid.
@@ -826,7 +826,12 @@ patterns.
.. code-block:: html+django
Someone asked for password reset for email {{ email }}. Follow the link below:
- {{ protocol}}://{{ domain }}{% url 'password_reset_confirm' uidb36=uid token=token %}
+ {{ protocol}}://{{ domain }}{% url 'password_reset_confirm' uidb64=uid token=token %}
+
+ .. versionchanged:: 1.6
+
+ Reversing ``password_reset_confirm`` takes a ``uidb64`` argument instead
+ of ``uidb36``.
The same template context is used for subject template. Subject must be
single line plain text string.
@@ -846,7 +851,7 @@ patterns.
Defaults to :file:`registration/password_reset_done.html` if not
supplied.
-.. function:: password_reset_confirm(request[, uidb36, token, template_name, token_generator, set_password_form, post_reset_redirect])
+.. function:: password_reset_confirm(request[, uidb64, token, template_name, token_generator, set_password_form, post_reset_redirect])
Presents a form for entering a new password.
@@ -854,7 +859,12 @@ patterns.
**Optional arguments:**
- * ``uidb36``: The user's id encoded in base 36. Defaults to ``None``.
+ * ``uidb64``: The user's id encoded in base 64. Defaults to ``None``.
+
+ .. versionchanged:: 1.6
+
+ The ``uidb64`` parameter was previously base 36 encoded and named
+ ``uidb36``.
* ``token``: Token to check that the password is valid. Defaults to
``None``.
@@ -877,8 +887,8 @@ patterns.
* ``form``: The form (see ``set_password_form`` above) for setting the
new user's password.
- * ``validlink``: Boolean, True if the link (combination of uidb36 and
- token) is valid or unused yet.
+ * ``validlink``: Boolean, True if the link (combination of ``uidb64`` and
+ ``token``) is valid or unused yet.
.. function:: password_reset_complete(request[,template_name])