summaryrefslogtreecommitdiff
path: root/django/contrib/auth
AgeCommit message (Collapse)Author
2026-06-16Fixed #37163 -- Optimized @user_passes_test async checking.Adam Johnson
2026-06-02Updated source translation catalogs.Jacob Walls
Forwardport of fcbbb1f920f7a7efb16a9871e8905b743447a939 from stable/6.1.x
2026-06-02Updated translations from Transifex.Jacob Walls
Forwardport of dd895d6268f1dd544a565a321cb4527ca3ca1173 from stable/6.0.x.
2026-06-02Refs #36439 -- Added missing thread_sensitive=False to dummy password hasher ↵Jacob Walls
path. The existing user path also uses thread_sensitive=False in acheck_password(). Follow-up to 7f66c3b41f0fb0fb938d7b96e20a28dccdaa2ecd.
2026-06-01Updated translations from Transifex.Jacob Walls
Forwardport of 9969df4f360221fc408da1604f0369f7594a1818 from stable/6.0.x.
2026-05-28Fixed #36225 -- Coped with lack of get_by_natural_key() in createsuperuser.babbitt
2026-05-27Fixed #37019 -- Updated login() and logout() to set request.auser.vishwa
2026-05-20Increased the default PBKDF2 iterations for Django 6.2.Sarah Boyce
2026-05-06Refs #36439 -- Added sync_to_async() to dummy password hasher path.Jacob Walls
Since the existing user path eventually calls sync_to_async() in acheck_password, aim for parity with the nonexistent/inactive user branch by adding sync_to_async(). Follow-up to 748ca0a146175c4868ece87f5e845a75416c30e3.
2026-05-06Fixed #36300 -- Restored the semantic where RemoteUserMiddleware.header ↵Jacob Walls
corresponds to request.META under ASGI. Because these tests always passed both WSGI environ values and HTTP headers via `**extra`, this masked a behavior difference between WSGI and ASGI. What should happen: everything should be passed via `headers` but for the default REMOTE_USER case on WSGI, which should be passed via `**extra`. Since that was not done, a regression made it into Django 5.2 (50f89ae850f6b4e35819fe725a08c7e579bfd099) where `.header` no longer corresponded to the request.META key under ASGI. To cope, an ASGI user would have started(*) sending HTTP headers that match the `.header` attribute, which may or may not have been edited to remove the HTTP_ prefix. (Note: the default `REMOTE_USER` case did not work under ASGI, so the change in Django 5.2 had the effect of fixing the default case but changing the semantic of the custom case.) (*): Unless they were getting the sync execution path, which didn't have this bug. See the fix in 0f4fff79d33b7cc84822e66bd1fc16caf8222e3a. Thanks Mykhailo Havelia and Sarah Boyce for reviews.
2026-05-05Fixed #37053 -- Added validate=True to base64.b64decode() calls.Sarah Boyce
2026-05-04Fixed #35971 -- Added RemoteUserMiddleware.get_username() helper.Jacob Walls
This alleviates sync/async duplication.
2026-05-04Fixed #37079 -- Fixed specialization of header lookups in RemoteUserMiddleware.Jacob Walls
We need to switch on whether the request is a WSGI or ASGI request to know whether to prepend `HTTP_`: we cannot assume sync exceution means we are running under WSGI, as there could be other sync middleware forcing sync execution under ASGI. Thanks Mykhailo Havelia for the report.
2026-05-01Refs #35303 -- Improved use of async methods in RemoteUserMiddleware.Sarah Boyce
Co-authored-by: Arfey <Arfey17.mg@gmail.com>
2026-05-01Refs #689, #4015 -- Removed RemoteUserMiddleware updates to ↵Sarah Boyce
request.user/auser as handled by login(). Co-authored-by: Arfey <Arfey17.mg@gmail.com>
2026-05-01Refs #689 -- Made RemoteUserMiddleware ImproperlyConfigured error message ↵Sarah Boyce
handle subclasses. Co-authored-by: Arfey <Arfey17.mg@gmail.com>
2026-04-27Fixed #36901 -- Centralized auth timing attack mitigations.afenoum
Thank you Mar Bartolome and Tim Schilling for reviews.
2026-04-24Fixed #36542 -- Marked authenticate() with @sensitive_variables() decorator.KANIN KEARPIMY
Thanks Olivier Dalang, Tim McCurrach, Sarah Boyce, and Mar Bartolome for reviews.
2026-04-07Fixed #37021 -- Added Permission.user_perm_str property.mariatta
For use in checking user permissions via has_perm(). Co-authored-by: 사재혁 <jaehyuck.sa.dev@gmail.com>
2026-04-02Fixed #37017 -- Fixed setting or clearing of request.user after ↵Jacob Walls
alogin/alogout(). Regression in 31a43c571f4d036827d4fd7a5f615591637dc1be.
2026-02-27Fixed #27489 -- Renamed permissions upon model renaming in migrations.Artyom Kotovskiy
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-02-27Fixed #34643 -- Moved inputs beneath labels and errors in admin forms.antoliny0919
Thanks Sarah Boyce and Jacob Walls for reviews. Co-authored-by: Hrushikesh Vaidya <hrushikeshrv@gmail.com>
2026-02-10Fixed #36903 -- Fixed further NameErrors when inspecting functions with ↵93578237
deferred annotations. Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
2026-02-03Fixed CVE-2025-13473 -- Standardized timing of check_password() in mod_wsgi ↵Jake Howard
auth handler. Refs CVE-2024-39329, #20760. Thanks Stackered for the report, and Jacob Walls and Markus Holtermann for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-01-31Refs #34118 -- Removed asgiref coroutine detection shims.Jacob Walls
As Python 3.12 is now the floor, we can drop the shims and use the `inspect` module.
2026-01-05Fixed #36843, #36793 -- Reverted "Fixed #27489 -- Renamed permissions upon ↵Jacob Walls
model renaming in migrations." This reverts commits f02b49d2f3bf84f5225de920ca510149f1f9f1da and 6e89271a8507fe272d11814975500a1b40303a04.
2025-12-02Updated translations from Transifex.Natalia
Forwardport of 00575b79312c719a6b37035067095e2d679bb5d7 from stable/6.0.x.
2025-11-12Fixed #36717 -- Redirect authenticated users on admin login view to next URL.Benedict Etzel
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-11-05Fixed #36709 -- Included static methods in system check for ↵Harsh Jain
UserModel.is_anonymous/is_authenticated methods.
2025-10-14Refs #31223 -- Added __class_getitem__() to SetPasswordMixin.Thibaut Decombe
2025-09-18Updated translations from Transifex.Natalia
Forwardport of 2a2936c3e6444a0f37156773ca405cedaf28dea7 from stable/5.2.x.
2025-09-17Increased the default PBKDF2 iterations for Django 6.1.Jacob Walls
2025-09-17Refs #36390 -- Removed support for RemoteUserMiddleware subclasses missing ↵Jacob Walls
aprocess_request(). Per deprecation timeline.
2025-09-17Refs #35530 -- Removed request.user or auser() fallback in auth.login and ↵Jacob Walls
auth.alogin. Per deprecation timeline.
2025-09-15Refs #27489 -- Made RenamePermission() operation respect database.David Sanders
Regression in f02b49d2f3bf84f5225de920ca510149f1f9f1da. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2025-09-11Fixed #36603 -- Optimized check order in LoginRequiredMiddleware.Adam Johnson
2025-08-27Fixed #36572 -- Revert "Fixed #36546 -- Deprecated ↵Sarah Boyce
django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()." This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.
2025-08-25Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in ↵SaJH
favor of hmac.compare_digest(). Signed-off-by: SaJH <wogur981208@gmail.com>
2025-08-22Refs #35530 -- Corrected deprecation message in auth.alogin().Mariusz Felisiak
Follow up to ceecd518b19044181a3598c55ebed7c2545963cc.
2025-08-20Refs #35303 -- Made small optimizations in alogout() and aget_user().Mariusz Felisiak
In alogout(), there is no need to check the is_authenticated attribute when user is None. In aget_user(), there is no need to call get_session_auth_hash() twice. Follow up to 50f89ae850f6b4e35819fe725a08c7e579bfd099.
2025-08-20Fixed #36561 -- Used request.auser() in ↵Xinyi Rong
contrib.auth.aupdate_session_auth_hash().
2025-08-19Fixed #27489 -- Renamed permissions upon model renaming in migrations.Artyom Kotovskiy
2025-08-08Fixed #36540 -- Updated request.auser() in contrib.auth.alogin() and ↵Xinyi Rong
contrib.auth.alogout().
2025-07-31Fixed #36439 -- Optimized acheck_password by using sync_to_async on ↵Roel Delos Reyes
verify_password.
2025-07-23Refs #36500 -- Rewrapped long docstrings and block comments via a script.django-bot
Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-07-23Refs #36500 -- Shortened some long docstrings and comments.Mike Edmunds
Manually reformatted some long docstrings and comments that would be damaged by the to-be-applied autofixer script, in cases where editorial judgment seemed necessary for style or wording changes.
2025-07-23Removed double spaces after periods and within phrases.Sarah Boyce
2025-07-22Standardized how method_decorator is used in contrib.auth views and admin.Claude Paroz
Updated django.contrib.auth's views and admin modules to apply decorators consistently.
2025-07-22Fixed #36226 -- Accepted str or bytes for password and salt in password hashers.Roel Delos Reyes
Co-authored-by: Screamadelica <1621456391@sjtu.edu.cn>
2025-06-11Removed default value for app_configs in system check functions.Adam Johnson
The documentation[0] encourages users to write functions without a default for `app_configs`, and checks are always passed the argument. [0] https://docs.djangoproject.com/en/5.2/topics/checks/