diff options
| author | Erik Romijn <erik@erik.io> | 2013-06-17 18:06:26 +0200 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2013-06-18 13:32:54 -0400 |
| commit | 2c4fe761a0e2b28e2c5c3b4bc506ee06824a443d (patch) | |
| tree | 1c0ab164a4d507366916548256e9945888b06fd1 /docs | |
| parent | 3128f3d38d1db0bc01da9a4bf4be81119079d73a (diff) | |
Fixed #20593 -- Allow blank passwords in check_password() and set_password()
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/contrib/auth.txt | 16 | ||||
| -rw-r--r-- | docs/releases/1.6.txt | 9 | ||||
| -rw-r--r-- | docs/topics/auth/customizing.txt | 16 | ||||
| -rw-r--r-- | docs/topics/auth/passwords.txt | 6 |
4 files changed, 47 insertions, 0 deletions
diff --git a/docs/ref/contrib/auth.txt b/docs/ref/contrib/auth.txt index 40b3629f63..afbc6ec048 100644 --- a/docs/ref/contrib/auth.txt +++ b/docs/ref/contrib/auth.txt @@ -132,12 +132,28 @@ Methods password hashing. Doesn't save the :class:`~django.contrib.auth.models.User` object. + When the ``raw_password`` is ``None``, the password will be set to an + unusable password, as if + :meth:`~django.contrib.auth.models.User.set_unusable_password()` + were used. + + .. versionchanged:: 1.6 + + In Django 1.4 and 1.5, a blank string was unintentionally stored + as an unsable password. + .. method:: check_password(raw_password) Returns ``True`` if the given raw string is the correct password for the user. (This takes care of the password hashing in making the comparison.) + .. versionchanged:: 1.6 + + In Django 1.4 and 1.5, a blank string was unintentionally + considered to be an unusable password, resulting in this method + returning ``False`` for such a password. + .. method:: set_unusable_password() Marks the user as having no password set. This isn't the same as diff --git a/docs/releases/1.6.txt b/docs/releases/1.6.txt index f260a1eac0..8dea37d2da 100644 --- a/docs/releases/1.6.txt +++ b/docs/releases/1.6.txt @@ -701,6 +701,15 @@ Miscellaneous * :class:`~django.views.generic.base.RedirectView` now has a `pattern_name` attribute which allows it to choose the target by reversing the URL. +* In Django 1.4 and 1.5, a blank string was unintentionally not considered to + be a valid password. This meant + :meth:`~django.contrib.auth.models.User.set_password()` would save a blank + password as an unusable password like + :meth:`~django.contrib.auth.models.User.set_unusable_password()` does, and + thus :meth:`~django.contrib.auth.models.User.check_password()` always + returned ``False`` for blank passwords. This has been corrected in this + release: blank passwords are now valid. + Features deprecated in 1.6 ========================== diff --git a/docs/topics/auth/customizing.txt b/docs/topics/auth/customizing.txt index bc021b14ad..ea4ec8686d 100644 --- a/docs/topics/auth/customizing.txt +++ b/docs/topics/auth/customizing.txt @@ -583,12 +583,28 @@ The following methods are available on any subclass of password hashing. Doesn't save the :class:`~django.contrib.auth.models.AbstractBaseUser` object. + When the raw_password is ``None``, the password will be set to an + unusable password, as if + :meth:`~django.contrib.auth.models.AbstractBaseUser.set_unusable_password()` + were used. + + .. versionchanged:: 1.6 + + In Django 1.4 and 1.5, a blank string was unintentionally stored + as an unsable password as well. + .. method:: models.AbstractBaseUser.check_password(raw_password) Returns ``True`` if the given raw string is the correct password for the user. (This takes care of the password hashing in making the comparison.) + .. versionchanged:: 1.6 + + In Django 1.4 and 1.5, a blank string was unintentionally + considered to be an unusable password, resulting in this method + returning ``False`` for such a password. + .. method:: models.AbstractBaseUser.set_unusable_password() Marks the user as having no password set. This isn't the same as diff --git a/docs/topics/auth/passwords.txt b/docs/topics/auth/passwords.txt index 206e7d856c..7e4b59a99c 100644 --- a/docs/topics/auth/passwords.txt +++ b/docs/topics/auth/passwords.txt @@ -206,6 +206,12 @@ from the ``User`` model. database to check against, and returns ``True`` if they match, ``False`` otherwise. + .. versionchanged:: 1.6 + + In Django 1.4 and 1.5, a blank string was unintentionally considered + to be an unusable password, resulting in this method returning + ``False`` for such a password. + .. function:: make_password(password[, salt, hashers]) Creates a hashed password in the format used by this application. It takes |
