summaryrefslogtreecommitdiff
path: root/django/contrib/auth/views.py
AgeCommit message (Collapse)Author
2025-11-12Fixed #36717 -- Redirect authenticated users on admin login view to next URL.Benedict Etzel
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-07-22Standardized how method_decorator is used in contrib.auth views and admin.Claude Paroz
Updated django.contrib.auth's views and admin modules to apply decorators consistently.
2025-01-13Fixed #36087 -- Supported password reset on a custom user model with a ↵Sarah Boyce
composite primary key.
2024-05-29Fixed 35467 -- Replaced urlparse with urlsplit where appropriate.Jake Howard
This work should not generate any change of functionality, and `urlsplit` is approximately 6x faster. Most use cases of `urlparse` didn't touch the path, so they can be converted to `urlsplit` without any issue. Most of those which do use `.path`, simply parse the URL, mutate the querystring, then put them back together, which is also fine (so long as urlunsplit is used).
2024-05-22Fixed #31405 -- Added LoginRequiredMiddleware.Hisham Mahmood
Co-authored-by: Adam Johnson <me@adamj.eu> Co-authored-by: Mehmet İnce <mehmet@mehmetince.net> Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2023-01-17Refs #15619 -- Removed support for logging out via GET requests.Mariusz Felisiak
Per deprecation timeline.
2022-04-20Refactored out RedirectURLMixin.get_success_url().Aymeric Augustin
This also adds a default implementation of get_default_redirect_url().
2022-04-20Simplified LogoutView.get_success_url().Aymeric Augustin
This preserves the behavior of redirecting to the logout URL without query string parameters when an insecure ?next=... parameter is given. It changes the behavior of a POST to the logout URL, as shown by the test that is changed. Currently, this results in a GET to the logout URL. However, such GET requests are deprecated. This change would be necessary in Django 5.0 anyway. This commit merely anticipates it.
2022-04-20Unified LoginView/LogoutView.get_default_redirect_url() methods.Aymeric Augustin
This might change the behavior when self.next_page == "". However, resolve_url(self.next_page) would almost certainly fail in that case. It is technically possible to define a logout URLpattern whose name is "": path('logout/', LogoutView.as_view(), name=''), and then to refer to this pattern with next_page = "". However this feels like a pathological case, so we decided not to handle it. Most checks on next_page, LOGIN_REDIRECT_URL, and LOGOUT_REDIRECT_URL are performed with boolean evaluation rather than comparison with None. That's why we standardizing that way.
2022-04-20Renamed LogoutView.get_next_page() to get_success_url().Aymeric Augustin
This aligns it with LoginView. Also, it removes confusion with the get_next_page() method of paginators. get_next_page() was a private API, therefore this refactoring is allowed.
2022-04-20Refactored out RedirectURLMixin.get_redirect_url().Aymeric Augustin
This also renames SuccessURLAllowedHostsMixin to RedirectURLMixin. This doesn't change the behavior of LogoutView.get_next_page() because next_page == "" implies url_is_safe == False before the refactoring.
2022-04-19Removed unnecessary default argument from GET.get() call in ↵Aymeric Augustin
LoginView.get_redirect_url(). The default argument is unnecessary because url_has_allowed_host_and_scheme() returns False when its first argument is "" or None, so get_redirect_url() still returns "". This also aligns LoginView.get_redirect_url() and LogoutView.get_next_page().
2022-04-18Fixed #33648 -- Prevented extra redirect in LogoutView on invalid next page ↵Aymeric Augustin
when LOGOUT_REDIRECT_URL is set.
2022-03-29Fixed #15619 -- Deprecated log out via GET requests.René Fleschenberg
Thanks Florian Apolloner for the implementation idea. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2022-02-07Refs #33476 -- Reformatted code with Black.django-bot
2022-01-13Refs #32681 -- Fixed VariableDoesNotExist when rendering some admin template.Mariusz Felisiak
Regression in 84609b3205905097d7d3038d32e6101f012c0619. Follow up to 4e5bbb6ef2287126badd32842b239f4a8a7394ca. Thanks Sourav Kumar for the report.
2021-06-25Refs #32508 -- Raised ImproperlyConfigured/TypeError instead of using ↵Mateo Radman
"assert" in various code.
2021-02-08Fixed #28216 -- Added next_page/get_default_redirect_url() to LoginView.ThinkChaos
2019-09-02Fixed #30747 -- Renamed is_safe_url() to url_has_allowed_host_and_scheme().Carlton Gibson
2019-05-24Fixed #28780 -- Allowed specyfing a token parameter displayed in password ↵Rob
reset URLs. Co-authored-by: Tim Givois <tim.givois.mendez@gmail.com>
2018-03-15Fixed #29206 -- Fixed PasswordResetConfirmView crash when the URL contains a ↵Mattia Procopio
non-UUID where one is expected.
2018-01-03Fixed #28982 -- Simplified code with and/or.Дилян Палаузов
2017-12-11Fixed #28909 -- Simplified code using tuple/list/set/dict unpacking.Nick Pope
2017-09-22Refs #26929 -- Removed extra_context parameter of ↵Tim Graham
contrib.auth.views.logout_then_login(). Per deprecation timeline.
2017-09-22Refs #17209 -- Removed login/logout and password reset/change function-based ↵Tim Graham
views. Per deprecation timeline.
2017-09-03Fixed #28550 -- Restored contrib.auth's login() and logout() views' respect ↵ZachLiuGIS
of positional arguments. Regression in 78963495d0caadb77eb97ccf319ef0ba3b204fb5. Forwardport of f8e0557b01ebbb11478cfb012c4cafc67f1213c1 from stable/1.11.x
2017-08-24Fixed #28513 -- Added POST request support to LogoutView.hui shang
2017-06-13Fixed #28229 -- Fixed the value of LoginView's "next" template variable.Mikhail Golubev
2017-03-07Fixed #27891 -- Added PasswordResetConfirmView.post_reset_login_backend.Camilo Nova
2017-03-04Refs #27795 -- Removed unneeded force_text callsClaude Paroz
Thanks Tim Graham for the review.
2017-02-15Fixed #27840 -- Fixed KeyError in PasswordResetConfirmView.form_valid().Markus Holtermann
When a user is already logged in when submitting the password and password confirmation to reset a password, a KeyError occurred while removing the reset session token from the session. Refs #17209 Thanks Quentin Marlats for the report and Florian Apolloner and Tim Graham for the review.
2017-02-07Refs #27815 -- Reordered LoginView.get_form_kwargs().Tim Graham
2017-02-07Fixed #27815 -- Made LoginView pass the request kwarg to AuthenticationForm.Zoltan Gyarmati
2017-02-07Converted usage of ugettext* functions to their gettext* aliasesClaude Paroz
Thanks Tim Graham for the review.
2017-02-04Refs #27656 -- Updated django.contrib docstring verb style according to PEP 257.Anton Samarchyan
2017-01-25Refs #23919 -- Removed misc Python 2/3 references.Tim Graham
2017-01-25Refs #23919 -- Replaced super(ClassName, self) with super().chillaranand
2017-01-19Refs #23919 -- Stopped inheriting from object to define new style classes.Simon Charette
2017-01-18Refs #23919 -- Removed most of remaining six usageClaude Paroz
Thanks Tim Graham for the review.
2017-01-17Refs #24126 -- Removed auth views' current_app parameter per deprecation ↵Tim Graham
timeline.
2017-01-13Fixed #27518 -- Prevented possibie password reset token leak via HTTP ↵Romain Garrigues
Referer header. Thanks Florian Apolloner for contributing to this patch and Collin Anderson, Markus Holtermann, and Tim Graham for review.
2016-11-25Fixed #25966 -- Made get_user_model() work at import time.Aymeric Augustin
This makes it equivalent to: `from django.contrib.auth.models import User`. Thanks Aymeric Augustin for the initial patch and Tim Graham for the review.
2016-11-21Refs #17209 -- Fixed token verification for PasswordResetConfirmView POST ↵Florian Apolloner
requests.
2016-09-07Fixed #26956 -- Added success_url_allowed_hosts to LoginView and LogoutView.Jon Dufresne
Allows specifying additional hosts to redirect after login and log out.
2016-09-07Refs #26956 -- Allowed is_safe_url() to validate against multiple hostsJon Dufresne
2016-08-19Refs #26902 -- Protected against insecure redirects in Login/LogoutView.Przemysław Suliga
2016-08-10Fixed #26960 -- Added PasswordResetConfirmView option to automatically log ↵jordij
in after a reset.
2016-07-28Fixed #26929 -- Deprecated extra_context parameter of ↵Andrew Nester
contrib.auth.views.logout_then_login().
2016-07-22Fixed #26882 -- Added tests for auth.views.logout_then_login().Andrew Nester
2016-07-16Fixed #17209 -- Added password reset/change class-based viewsClaude Paroz
Thanks Tim Graham for the review.