path: root/django/contrib/auth/forms.py
Date        Author
            Commit message

2026-02-27  antoliny0919
    Fixed #34643 -- Moved inputs beneath labels and errors in admin forms.
    Thanks Sarah Boyce and Jacob Walls for reviews.
    Co-authored-by: Hrushikesh Vaidya <hrushikeshrv@gmail.com>

2025-10-14  Thibaut Decombe
    Refs #31223 -- Added __class_getitem__() to SetPasswordMixin.

2025-04-17  Sarah Boyce
    Fixed #35959 -- Displayed password reset button in admin only when user has sufficient permissions.
    This change ensures that the "Reset password" button in the admin is shown only when the user has the necessary permission to perform a password change operation. It reuses the password hashing rendering logic in `display_for_field` to show the appropriate read-only widget for users with view-only access.

2025-04-17  Sarah Boyce
    Refs #35959 -- Added render_password_as_hash auth template tag for password rendering.

2025-02-01  nessita
    Fixed #36140 -- Allowed BaseUserCreationForm to define non-required password fields.
    Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3. Thanks buffgecko12 for the report and Sarah Boyce for the review.

2025-01-13  Sarah Boyce
    Fixed #36087 -- Supported password reset on a custom user model with a composite primary key.

2024-11-15  GappleBee
    Refs #28215 -- Marked auth form passwords as sensitive variables.

2024-09-03  Natalia
    Fixed CVE-2024-45231 -- Avoided server error on password reset when email sending fails.
    On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews.

2024-08-19  Natalia
    Fixed #35678 -- Removed "usable_password" field from BaseUserCreationForm.
    Refs #34429: Following the implementation allowing the setting of unusable passwords via the admin site, the `BaseUserCreationForm` and `UserCreationForm` were extended to include a new field for choosing whether password-based authentication for the new user should be enabled or disabled at creation time. Given that these forms are designed to be extended when implementing custom user models, this branch ensures that this new field is moved to a new, admin-dedicated, user creation form `AdminUserCreationForm`. Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3. Thanks Simon Willison for the report, Fabian Braun and Sarah Boyce for the review.

2024-05-30  Fabian Braun
    Fixed #35477 -- Corrected 'required' errors in auth password set/change forms.
    The auth forms using SetPasswordMixin were incorrectly including the 'This field is required.' error when additional validations (e.g., overriding `clean_password1`) were performed and failed. This fix ensures accurate error reporting for password fields.
    Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

2024-03-27  Fabian Braun
    Fixed #34977 -- Improved accessibility in the UserChangeForm by replacing the reset password link with a button.
    Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

2024-02-20  Fabian Braun
    Fixed #34429 -- Allowed setting unusable passwords for users in the auth forms.
    Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

2024-02-20  Fabian Braun
    Refs #34429 -- Created `SetPasswordMixin` to reuse password validation logic in auth forms.
    Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

2023-11-01  Mariusz Felisiak
    Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.
    Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.

2023-03-28  Gary Jarrel
    Fixed #34438 -- Reallowed extending UserCreationForm.
    Regression in 298d02a77a69321af8c0023df3250663e9d1362d.

2022-12-29  Paul Schilling
    Fixed #25617 -- Added case-insensitive unique username validation in UserCreationForm.
    Co-Authored-By: Neven Mundar <nmundar@gmail.com>

2022-11-29  sdolemelipone
    Fixed #34187 -- Made UserCreationForm save many-to-many fields.

2022-11-11  Vasiliy Ivanov
    Fixed typo in SetPasswordForm()'s docstring.

2022-10-27  Simon Kern
    Fixed #34066 -- Fixed link to password reset view in UserChangeForm.password's help text when using to_field.
    Co-Authored-By: David Sanders <shang.xiao.sanders@gmail.com>
    Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>

2022-10-26  Marcelo Galigniana
    Completed test coverage for contrib.auth.forms.

2022-02-07  django-bot
    Refs #33476 -- Reformatted code with Black.

2021-05-19  David Sanders
    Fixed #32765 -- Removed "for" HTML attribute from ReadOnlyPasswordHashWidget.
    ReadOnlyPasswordHashWidget doesn't have any labelable elements.

2020-12-03  Timo Ludwig
    Fixed #32235 -- Made ReadOnlyPasswordHashField disabled by default.

2020-10-28  Martin Thoma
    Made small readability improvements.

2020-04-28  François Freitag
    Changed django.forms.ValidationError imports to django.core.exceptions.ValidationError.
    Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>

2019-12-18  Simon Charette
    Fixed CVE-2019-19844 -- Used verified user email for password reset requests.
    Co-Authored-By: Florian Apolloner <florian@apolloner.eu>

2019-11-11  Hasan Ramezani
    Fixed #30977 -- Optimized PasswordResetForm.save() a bit.
    Moved site variables assignment outside of the loop.

2019-09-18  Sam Reynolds
    Fixed #30776 -- Restored max length validation on AuthenticationForm.UsernameField.
    Regression in 5ceaf14686ce626404afb6a5fbd3d8286410bf13. Thanks gopackgo90 for the report and Mariusz Felisiak for tests.

2019-09-02  Nick Pope
    Refs #29379 -- Moved autocomplete attribute to UsernameField.
    Moving the autocomplete attribute into UsernameField allows this to work for custom forms making use of UsernameField, removes some duplication in the code, and keeps consistency with the autocapitalize attribute that is already defined on UsernameField.

2019-06-28  Jon Dufresne
    Fixed #30400 -- Improved typography of user facing strings.
    Thanks Claude Paroz for assistance with translations.

2019-06-07  Hasan Ramezani
    Fixed #29379 -- Added autocomplete attribute to contrib.auth.forms fields.
    Thank you to Nick Pope for review.
    Co-authored-by: CHI Cheng <cloudream@gmail.com>

2019-03-29  pmisteli
    Fixed #30236 -- Made UsernameField render with autocapitalize="none" HTML attribute.
    This prevents automatic capitalization, which is the default behavior in some browsers.

2018-10-10  Jon Dufresne
    Refs #27795 -- Removed force_bytes() usage from django/utils/http.py.
    django.utils.http.urlsafe_base64_encode() now returns a string, not a bytestring. Since URLs are represented as strings, urlsafe_base64_encode() should return a string. All uses immediately decoded the bytestring to a string anyway. As the inverse operation, urlsafe_base64_decode() accepts a string.

2018-10-01  Tim Graham
    Fixed #29809 -- Fixed a crash when a "view only" user POSTs to the admin user change form.

2018-10-01  Carlton Gibson
    Fixed CVE-2018-16984 -- Fixed password hash disclosure to admin "view only" users.
    Thanks Claude Paroz & Tim Graham for collaborating on the patch.

2018-07-02  Tim Graham
    Fixed #29449 -- Reverted "Fixed #28757 -- Allowed using contrib.auth forms without installing contrib.auth."
    This reverts commit 3333d935d2914cd80cf31f4803821ad5c0e2a51d due to a crash if USERNAME_FIELD isn't a CharField.

2018-03-29  Malte Gerth
    Fixed #29270 -- Fixed UserChangeForm crash if password field is excluded.

2018-02-14  Tim Graham
    Removed AuthenticationForm.get_user_id().
    Unused since aab3a418ac9293bb4abd7670f65d930cb0426d58.

2018-02-01  Tim Graham
    Fixed CVE-2018-6188 -- Fixed information leakage in AuthenticationForm.
    Reverted 359370a8b8ca0efe99b1d4630b291ec060b69225 (refs #28645). This is a security fix.

2018-01-05  shanghui
    Fixed #28757 -- Allowed using contrib.auth forms without installing contrib.auth.
    Also fixed #28608 -- Allowed UserCreationForm and UserChangeForm to work with custom user models. Thanks Sagar Chalise and Rômulo Collopy for reports, and Tim Graham and Tim Martin for reviews.

2017-12-11  Nick Pope
    Fixed #28909 -- Simplified code using tuple/list/set/dict unpacking.

2017-11-08  shanghui
    Fixed #28645 -- Reallowed AuthenticationForm to raise the inactive user error when using ModelBackend.
    Regression in e0a3d937309a82b8beea8f41b17d8b6298da2a86. Thanks Guilherme Junqueira for the report and Tim Graham for the review.

2017-10-23  Jon Dufresne
    Fixed #28706 -- Moved AuthenticationForm invalid login ValidationError to a method for reuse.

2017-10-20  Lucas Connors
    Fixed #27515 -- Made AuthenticationForm's username field use the max_length from the model field.
    Thanks Ramin Farajpour Cami for the report.

2017-06-21  Andrew Pinkham
    Fixed #28127 -- Allowed UserCreationForm's password validation to check all user fields.

2017-05-27  Jon Dufresne
    Fixed #28249 -- Removed unnecessary dict.keys() calls.
    iter(dict) is equivalent to iter(dict.keys()).

2017-04-22  Claude Paroz
    Fixed #28100 -- Removed link in UserChangeForm.password's translatable help_text.

2017-02-07  Claude Paroz
    Refs #27795 -- Removed force_text from the template layer.
    Thanks Tim Graham for the review.

2017-02-07  Claude Paroz
    Converted usage of ugettext* functions to their gettext* aliases.
    Thanks Tim Graham for the review.

2017-02-04  Anton Samarchyan
    Refs #27656 -- Updated django.contrib docstring verb style according to PEP 257.