summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorErik Romijn <erik@erik.io>2013-06-17 18:06:26 +0200
committerTim Graham <timograham@gmail.com>2013-06-18 13:32:54 -0400
commit2c4fe761a0e2b28e2c5c3b4bc506ee06824a443d (patch)
tree1c0ab164a4d507366916548256e9945888b06fd1 /docs
parent3128f3d38d1db0bc01da9a4bf4be81119079d73a (diff)
Fixed #20593 -- Allow blank passwords in check_password() and set_password()
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/contrib/auth.txt16
-rw-r--r--docs/releases/1.6.txt9
-rw-r--r--docs/topics/auth/customizing.txt16
-rw-r--r--docs/topics/auth/passwords.txt6
4 files changed, 47 insertions, 0 deletions
diff --git a/docs/ref/contrib/auth.txt b/docs/ref/contrib/auth.txt
index 40b3629f63..afbc6ec048 100644
--- a/docs/ref/contrib/auth.txt
+++ b/docs/ref/contrib/auth.txt
@@ -132,12 +132,28 @@ Methods
password hashing. Doesn't save the
:class:`~django.contrib.auth.models.User` object.
+ When the ``raw_password`` is ``None``, the password will be set to an
+ unusable password, as if
+ :meth:`~django.contrib.auth.models.User.set_unusable_password()`
+ were used.
+
+ .. versionchanged:: 1.6
+
+ In Django 1.4 and 1.5, a blank string was unintentionally stored
+ as an unsable password.
+
.. method:: check_password(raw_password)
Returns ``True`` if the given raw string is the correct password for
the user. (This takes care of the password hashing in making the
comparison.)
+ .. versionchanged:: 1.6
+
+ In Django 1.4 and 1.5, a blank string was unintentionally
+ considered to be an unusable password, resulting in this method
+ returning ``False`` for such a password.
+
.. method:: set_unusable_password()
Marks the user as having no password set. This isn't the same as
diff --git a/docs/releases/1.6.txt b/docs/releases/1.6.txt
index f260a1eac0..8dea37d2da 100644
--- a/docs/releases/1.6.txt
+++ b/docs/releases/1.6.txt
@@ -701,6 +701,15 @@ Miscellaneous
* :class:`~django.views.generic.base.RedirectView` now has a `pattern_name`
attribute which allows it to choose the target by reversing the URL.
+* In Django 1.4 and 1.5, a blank string was unintentionally not considered to
+ be a valid password. This meant
+ :meth:`~django.contrib.auth.models.User.set_password()` would save a blank
+ password as an unusable password like
+ :meth:`~django.contrib.auth.models.User.set_unusable_password()` does, and
+ thus :meth:`~django.contrib.auth.models.User.check_password()` always
+ returned ``False`` for blank passwords. This has been corrected in this
+ release: blank passwords are now valid.
+
Features deprecated in 1.6
==========================
diff --git a/docs/topics/auth/customizing.txt b/docs/topics/auth/customizing.txt
index bc021b14ad..ea4ec8686d 100644
--- a/docs/topics/auth/customizing.txt
+++ b/docs/topics/auth/customizing.txt
@@ -583,12 +583,28 @@ The following methods are available on any subclass of
password hashing. Doesn't save the
:class:`~django.contrib.auth.models.AbstractBaseUser` object.
+ When the raw_password is ``None``, the password will be set to an
+ unusable password, as if
+ :meth:`~django.contrib.auth.models.AbstractBaseUser.set_unusable_password()`
+ were used.
+
+ .. versionchanged:: 1.6
+
+ In Django 1.4 and 1.5, a blank string was unintentionally stored
+ as an unsable password as well.
+
.. method:: models.AbstractBaseUser.check_password(raw_password)
Returns ``True`` if the given raw string is the correct password for
the user. (This takes care of the password hashing in making the
comparison.)
+ .. versionchanged:: 1.6
+
+ In Django 1.4 and 1.5, a blank string was unintentionally
+ considered to be an unusable password, resulting in this method
+ returning ``False`` for such a password.
+
.. method:: models.AbstractBaseUser.set_unusable_password()
Marks the user as having no password set. This isn't the same as
diff --git a/docs/topics/auth/passwords.txt b/docs/topics/auth/passwords.txt
index 206e7d856c..7e4b59a99c 100644
--- a/docs/topics/auth/passwords.txt
+++ b/docs/topics/auth/passwords.txt
@@ -206,6 +206,12 @@ from the ``User`` model.
database to check against, and returns ``True`` if they match, ``False``
otherwise.
+ .. versionchanged:: 1.6
+
+ In Django 1.4 and 1.5, a blank string was unintentionally considered
+ to be an unusable password, resulting in this method returning
+ ``False`` for such a password.
+
.. function:: make_password(password[, salt, hashers])
Creates a hashed password in the format used by this application. It takes