summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/internals/deprecation.txt8
-rw-r--r--docs/ref/contrib/admin/index.txt7
-rw-r--r--docs/ref/utils.txt14
-rw-r--r--docs/releases/1.6.txt53
-rw-r--r--docs/topics/auth/default.txt22
5 files changed, 97 insertions, 7 deletions
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt
index 45f82b49e6..9672746717 100644
--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@@ -326,6 +326,14 @@ these changes.
remove calls to this method, and instead ensure that their auth related views
are CSRF protected, which ensures that cookies are enabled.
+* The version of :func:`django.contrib.auth.views.password_reset_confirm` that
+ supports base36 encoded user IDs
+ (``django.contrib.auth.views.password_reset_confirm_uidb36``) will be
+ removed. If your site has been running Django 1.6 for more than
+ :setting:`PASSWORD_RESET_TIMEOUT_DAYS`, this change will have no effect. If
+ not, then any password reset links generated before you upgrade to Django 1.7
+ won't work after the upgrade.
+
1.8
---
diff --git a/docs/ref/contrib/admin/index.txt b/docs/ref/contrib/admin/index.txt
index 90ef68837a..318ce297a2 100644
--- a/docs/ref/contrib/admin/index.txt
+++ b/docs/ref/contrib/admin/index.txt
@@ -2278,9 +2278,14 @@ your URLconf. Specifically, add these four patterns:
url(r'^admin/password_reset/$', 'django.contrib.auth.views.password_reset', name='admin_password_reset'),
url(r'^admin/password_reset/done/$', 'django.contrib.auth.views.password_reset_done', name='password_reset_done'),
- url(r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$', 'django.contrib.auth.views.password_reset_confirm', name='password_reset_confirm'),
+ url(r'^reset/(?P<uidb64>[0-9A-Za-z_\-]+)/(?P<token>.+)/$', 'django.contrib.auth.views.password_reset_confirm', name='password_reset_confirm'),
url(r'^reset/done/$', 'django.contrib.auth.views.password_reset_complete', name='password_reset_complete'),
+.. versionchanged:: 1.6
+
+ The pattern for :func:`~django.contrib.auth.views.password_reset_confirm`
+ changed as the ``uid`` is now base 64 encoded.
+
(This assumes you've added the admin at ``admin/`` and requires that you put
the URLs starting with ``^admin/`` before the line that includes the admin app
itself).
diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt
index 45d7781403..8d722829fb 100644
--- a/docs/ref/utils.txt
+++ b/docs/ref/utils.txt
@@ -649,6 +649,20 @@ escaping HTML.
Converts a positive integer to a base 36 string. On Python 2 ``i`` must be
smaller than :data:`sys.maxint`.
+.. function:: urlsafe_base64_encode(s)
+
+ .. versionadded:: 1.6
+
+ Encodes a bytestring in base64 for use in URLs, stripping any trailing
+ equal signs.
+
+.. function:: urlsafe_base64_decode(s)
+
+ .. versionadded:: 1.6
+
+ Decodes a base64 encoded string, adding back any trailing equal signs that
+ might have been stripped.
+
``django.utils.module_loading``
===============================
diff --git a/docs/releases/1.6.txt b/docs/releases/1.6.txt
index 3d59ce771b..2c1fffd8cd 100644
--- a/docs/releases/1.6.txt
+++ b/docs/releases/1.6.txt
@@ -656,6 +656,59 @@ rely on the previous URLs. If you want to revert to the original behavior you
can set the
:attr:`~django.contrib.admin.ModelAdmin.preserve_filters` attribute to ``False``.
+``django.contrib.auth`` password reset uses base 64 encoding of ``User`` PK
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Past versions of Django used base 36 encoding of the ``User`` primary key in
+the password reset views and URLs
+(:func:`django.contrib.auth.views.password_reset_confirm`). Base 36 encoding is
+sufficient if the user primary key is an integer, however, with the
+introduction of custom user models in Django 1.5, that assumption may no longer
+be true.
+
+:func:`django.contrib.auth.views.password_reset_confirm` has been modified to
+take a ``uidb64`` parameter instead of ``uidb36``. If you are reversing this
+view, for example in a custom ``password_reset_email.html`` template, be sure
+to update your code.
+
+A temporary shim for :func:`django.contrib.auth.views.password_reset_confirm`
+that will allow password reset links generated prior to Django 1.6 to continue
+to work has been added to provide backwards compatibility; this will be removed
+in Django 1.7. Thus, as long as your site has been running Django 1.6 for more
+than :setting:`PASSWORD_RESET_TIMEOUT_DAYS`, this change will have no effect.
+If not (for example, if you upgrade directly from Django 1.5 to Django 1.7),
+then any password reset links generated before you upgrade to Django 1.7 or
+later won't work after the upgrade.
+
+In addition, if you have any custom password reset URLs, you will need to
+update them by replacing ``uidb36`` with ``uidb64`` and the dash that follows
+that pattern with a slash. Also add ``_\-`` to the list of characters that may
+match the ``uidb64`` pattern.
+
+For example::
+
+ url(r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$',
+ 'django.contrib.auth.views.password_reset_confirm',
+ name='password_reset_confirm'),
+
+becomes::
+
+ url(r'^reset/(?P<uidb64>[0-9A-Za-z_\-]+)/(?P<token>.+)/$',
+ 'django.contrib.auth.views.password_reset_confirm',
+ name='password_reset_confirm'),
+
+You may also want to add the shim to support the old style reset links. Using
+the example above, you would modify the existing url by replacing
+``django.contrib.auth.views.password_reset_confirm`` with
+``django.contrib.auth.views.password_reset_confirm_uidb36`` and also remove
+the ``name`` argument so it doesn't conflict with the new url::
+
+ url(r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$',
+ 'django.contrib.auth.views.password_reset_confirm_uidb36'),
+
+You can remove this url pattern after your app has been deployed with Django
+1.6 for :setting:`PASSWORD_RESET_TIMEOUT_DAYS`.
+
Miscellaneous
~~~~~~~~~~~~~
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
index 8849520b11..e2fa0c287e 100644
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@@ -817,7 +817,7 @@ patterns.
* ``protocol``: http or https
- * ``uid``: The user's id encoded in base 36.
+ * ``uid``: The user's primary key encoded in base 64.
* ``token``: Token to check that the reset link is valid.
@@ -826,7 +826,12 @@ patterns.
.. code-block:: html+django
Someone asked for password reset for email {{ email }}. Follow the link below:
- {{ protocol}}://{{ domain }}{% url 'password_reset_confirm' uidb36=uid token=token %}
+ {{ protocol}}://{{ domain }}{% url 'password_reset_confirm' uidb64=uid token=token %}
+
+ .. versionchanged:: 1.6
+
+ Reversing ``password_reset_confirm`` takes a ``uidb64`` argument instead
+ of ``uidb36``.
The same template context is used for subject template. Subject must be
single line plain text string.
@@ -846,7 +851,7 @@ patterns.
Defaults to :file:`registration/password_reset_done.html` if not
supplied.
-.. function:: password_reset_confirm(request[, uidb36, token, template_name, token_generator, set_password_form, post_reset_redirect])
+.. function:: password_reset_confirm(request[, uidb64, token, template_name, token_generator, set_password_form, post_reset_redirect])
Presents a form for entering a new password.
@@ -854,7 +859,12 @@ patterns.
**Optional arguments:**
- * ``uidb36``: The user's id encoded in base 36. Defaults to ``None``.
+ * ``uidb64``: The user's id encoded in base 64. Defaults to ``None``.
+
+ .. versionchanged:: 1.6
+
+ The ``uidb64`` parameter was previously base 36 encoded and named
+ ``uidb36``.
* ``token``: Token to check that the password is valid. Defaults to
``None``.
@@ -877,8 +887,8 @@ patterns.
* ``form``: The form (see ``set_password_form`` above) for setting the
new user's password.
- * ``validlink``: Boolean, True if the link (combination of uidb36 and
- token) is valid or unused yet.
+ * ``validlink``: Boolean, True if the link (combination of ``uidb64`` and
+ ``token``) is valid or unused yet.
.. function:: password_reset_complete(request[,template_name])