| Age | Commit message (Collapse) | Author |
|
|
|
Forwardport of fcbbb1f920f7a7efb16a9871e8905b743447a939 from stable/6.1.x
|
|
Forwardport of dd895d6268f1dd544a565a321cb4527ca3ca1173 from stable/6.0.x.
|
|
path.
The existing user path also uses thread_sensitive=False in acheck_password().
Follow-up to 7f66c3b41f0fb0fb938d7b96e20a28dccdaa2ecd.
|
|
Forwardport of 9969df4f360221fc408da1604f0369f7594a1818 from stable/6.0.x.
|
|
|
|
|
|
|
|
Since the existing user path eventually calls sync_to_async() in acheck_password,
aim for parity with the nonexistent/inactive user branch by adding sync_to_async().
Follow-up to 748ca0a146175c4868ece87f5e845a75416c30e3.
|
|
corresponds to request.META under ASGI.
Because these tests always passed both WSGI environ values and HTTP
headers via `**extra`, this masked a behavior difference between WSGI
and ASGI.
What should happen: everything should be passed via `headers` but for
the default REMOTE_USER case on WSGI, which should be passed via
`**extra`.
Since that was not done, a regression made it into Django 5.2
(50f89ae850f6b4e35819fe725a08c7e579bfd099) where `.header` no longer
corresponded to the request.META key under ASGI. To cope, an ASGI user
would have started(*) sending HTTP headers that match the `.header`
attribute, which may or may not have been edited to remove the HTTP_
prefix. (Note: the default `REMOTE_USER` case did not work under ASGI,
so the change in Django 5.2 had the effect of fixing the default case
but changing the semantic of the custom case.)
(*): Unless they were getting the sync execution path, which didn't have
this bug. See the fix in 0f4fff79d33b7cc84822e66bd1fc16caf8222e3a.
Thanks Mykhailo Havelia and Sarah Boyce for reviews.
|
|
|
|
This alleviates sync/async duplication.
|
|
We need to switch on whether the request is a WSGI or ASGI request to
know whether to prepend `HTTP_`: we cannot assume sync exceution means
we are running under WSGI, as there could be other sync middleware
forcing sync execution under ASGI.
Thanks Mykhailo Havelia for the report.
|
|
Co-authored-by: Arfey <Arfey17.mg@gmail.com>
|
|
request.user/auser as handled by login().
Co-authored-by: Arfey <Arfey17.mg@gmail.com>
|
|
handle subclasses.
Co-authored-by: Arfey <Arfey17.mg@gmail.com>
|
|
Thank you Mar Bartolome and Tim Schilling for reviews.
|
|
Thanks Olivier Dalang, Tim McCurrach, Sarah Boyce, and Mar Bartolome for reviews.
|
|
For use in checking user permissions via has_perm().
Co-authored-by: 사재혁 <jaehyuck.sa.dev@gmail.com>
|
|
alogin/alogout().
Regression in 31a43c571f4d036827d4fd7a5f615591637dc1be.
|
|
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
|
|
Thanks Sarah Boyce and Jacob Walls for reviews.
Co-authored-by: Hrushikesh Vaidya <hrushikeshrv@gmail.com>
|
|
deferred annotations.
Provide a wrapper for safe introspection of user functions on Python 3.14+.
Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
|
|
auth handler.
Refs CVE-2024-39329, #20760.
Thanks Stackered for the report, and Jacob Walls and Markus Holtermann
for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
As Python 3.12 is now the floor, we can drop the shims and
use the `inspect` module.
|
|
model renaming in migrations."
This reverts commits f02b49d2f3bf84f5225de920ca510149f1f9f1da and 6e89271a8507fe272d11814975500a1b40303a04.
|
|
Forwardport of 00575b79312c719a6b37035067095e2d679bb5d7 from stable/6.0.x.
|
|
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
UserModel.is_anonymous/is_authenticated methods.
|
|
|
|
Forwardport of 2a2936c3e6444a0f37156773ca405cedaf28dea7 from stable/5.2.x.
|
|
|
|
aprocess_request().
Per deprecation timeline.
|
|
auth.alogin.
Per deprecation timeline.
|
|
Regression in f02b49d2f3bf84f5225de920ca510149f1f9f1da.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
|
|
|
|
django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()."
This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.
|
|
favor of hmac.compare_digest().
Signed-off-by: SaJH <wogur981208@gmail.com>
|
|
Follow up to ceecd518b19044181a3598c55ebed7c2545963cc.
|
|
In alogout(), there is no need to check the is_authenticated attribute
when user is None.
In aget_user(), there is no need to call get_session_auth_hash() twice.
Follow up to 50f89ae850f6b4e35819fe725a08c7e579bfd099.
|
|
contrib.auth.aupdate_session_auth_hash().
|
|
|
|
contrib.auth.alogout().
|
|
verify_password.
|
|
Rewrapped long docstrings and block comments to 79 characters + newline
using script from https://github.com/medmunds/autofix-w505.
|
|
Manually reformatted some long docstrings and comments that would be
damaged by the to-be-applied autofixer script, in cases where editorial
judgment seemed necessary for style or wording changes.
|
|
|
|
Updated django.contrib.auth's views and admin modules to apply
decorators consistently.
|
|
Co-authored-by: Screamadelica <1621456391@sjtu.edu.cn>
|
|
The documentation[0] encourages users to write functions without a
default for `app_configs`, and checks are always passed the argument.
[0] https://docs.djangoproject.com/en/5.2/topics/checks/
|