| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2024-09-03 | [4.2.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when ↵ | Natalia | |
| email sending fails. On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews. | |||
| 2023-11-01 | [4.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows. | Mariusz Felisiak | |
| Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. | |||
| 2023-03-28 | [4.2.x] Fixed #34438 -- Reallowed extending UserCreationForm. | Gary Jarrel | |
| Regression in 298d02a77a69321af8c0023df3250663e9d1362d. Backport of fcc7dc5781667932bf0bf8bec76df458836e5e95 from main | |||
| 2022-12-29 | Fixed #25617 -- Added case-insensitive unique username validation in ↵ | Paul Schilling | |
| UserCreationForm. Co-Authored-By: Neven Mundar <nmundar@gmail.com> | |||
| 2022-11-29 | Fixed #34187 -- Made UserCreationForm save many-to-many fields. | sdolemelipone | |
| 2022-10-27 | Fixed #34066 -- Fixed link to password reset view in ↵ | Simon Kern | |
| UserChangeForm.password's help text when using to_field. Co-Authored-By: David Sanders <shang.xiao.sanders@gmail.com> Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2022-10-26 | Completed test coverage for contrib.auth.forms. | Marcelo Galigniana | |
| 2022-09-01 | Fixed ReadOnlyPasswordHashWidget's template for RTL languages. | Shai Berger | |
| 2022-02-07 | Refs #33476 -- Refactored code to strictly match 88 characters line length. | Mariusz Felisiak | |
| 2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot | |
| 2021-07-07 | Used more specific unittest assertions in tests. | Mads Jensen | |
| 2021-05-19 | Fixed #32765 -- Removed "for" HTML attribute from ReadOnlyPasswordHashWidget. | David Sanders | |
| ReadOnlyPasswordHashWidget doesn't have any labelable elements. | |||
| 2020-12-03 | Fixed #32235 -- Made ReadOnlyPasswordHashField disabled by default. | Timo Ludwig | |
| 2020-04-28 | Changed django.forms.ValidationError imports to ↵ | François Freitag | |
| django.core.exceptions.ValidationError. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2019-12-18 | Fixed CVE-2019-19844 -- Used verified user email for password reset requests. | Simon Charette | |
| Co-Authored-By: Florian Apolloner <florian@apolloner.eu> | |||
| 2019-09-18 | Fixed #30776 -- Restored max length validation on ↵ | Sam Reynolds | |
| AuthenticationForm.UsernameField. Regression in 5ceaf14686ce626404afb6a5fbd3d8286410bf13. Thanks gopackgo90 for the report and Mariusz Felisiak for tests. | |||
| 2019-06-28 | Fixed #30400 -- Improved typography of user facing strings. | Jon Dufresne | |
| Thanks Claude Paroz for assistance with translations. | |||
| 2019-06-07 | Fixed #29379 -- Added autocomplete attribute to contrib.auth.forms fields. | Hasan Ramezani | |
| Thank you to Nick Pope for review. Co-authored-by: CHI Cheng <cloudream@gmail.com> | |||
| 2019-05-15 | Fixed mis-capitalisation in comment. | Ally Weir | |
| 2019-04-25 | Fixed #30399 -- Changed django.utils.html.escape()/urlize() to use ↵ | Jon Dufresne | |
| html.escape()/unescape(). | |||
| 2019-03-29 | Fixed #30236 -- Made UsernameField render with autocapitalize="none" HTML ↵ | pmisteli | |
| attribute. This prevents automatic capitalization, which is the default behavior in some browsers. | |||
| 2018-07-02 | Fixed #29449 -- Reverted "Fixed #28757 -- Allowed using contrib.auth forms ↵ | Tim Graham | |
| without installing contrib.auth." This reverts commit 3333d935d2914cd80cf31f4803821ad5c0e2a51d due to a crash if USERNAME_FIELD isn't a CharField. | |||
| 2018-04-04 | Added additional AdminPasswordChangeForm tests. | Mads Jensen | |
| 2018-03-29 | Fixed #29270 -- Fixed UserChangeForm crash if password field is excluded. | Malte Gerth | |
| 2018-02-01 | Fixed CVE-2018-6188 -- Fixed information leakage in AuthenticationForm. | Tim Graham | |
| Reverted 359370a8b8ca0efe99b1d4630b291ec060b69225 (refs #28645). This is a security fix. | |||
| 2018-01-05 | Fixed #28757 -- Allowed using contrib.auth forms without installing ↵ | shanghui | |
| contrib.auth. Also fixed #28608 -- Allowed UserCreationForm and UserChangeForm to work with custom user models. Thanks Sagar Chalise and Rômulo Collopy for reports, and Tim Graham and Tim Martin for reviews. | |||
| 2017-11-08 | Fixed #28645 -- Reallowed AuthenticationForm to raise the inactive user ↵ | shanghui | |
| error when using ModelBackend. Regression in e0a3d937309a82b8beea8f41b17d8b6298da2a86. Thanks Guilherme Junqueira for the report and Tim Graham for the review. | |||
| 2017-10-23 | Fixed #28706 -- Moved AuthenticationFormn invalid login ValidationError to a ↵ | Jon Dufresne | |
| method for reuse. | |||
| 2017-10-20 | Fixed #27515 -- Made AuthenticationForm's username field use the max_length ↵ | Lucas Connors | |
| from the model field. Thanks Ramin Farajpour Cami for the report. | |||
| 2017-10-20 | Refs #19130 -- Added a test for AuthenticationForm.username max_length. | Lucas Connors | |
| This will be a more useful regression test after refs #27515. | |||
| 2017-06-21 | Fixed #28127 -- Allowed UserCreationForm's password validation to check all ↵ | Andrew Pinkham | |
| user fields. | |||
| 2017-04-19 | Fixed #28097 -- Fixed layout of ReadOnlyPasswordHashWidget. | Tim Graham | |
| 2017-02-07 | Converted usage of ugettext* functions to their gettext* aliases | Claude Paroz | |
| Thanks Tim Graham for the review. | |||
| 2017-01-25 | Refs #23919 -- Replaced super(ClassName, self) with super(). | chillaranand | |
| 2017-01-24 | Removed unneeded force_text calls in the test suite | Claude Paroz | |
| 2017-01-20 | Refs #23919 -- Removed django.test.mock Python 2 compatibility shim. | Tim Graham | |
| 2017-01-19 | Refs #23919 -- Stopped inheriting from object to define new style classes. | Simon Charette | |
| 2017-01-18 | Refs #23919 -- Removed six.PY2/PY3 usage | Claude Paroz | |
| Thanks Tim Graham for the review. | |||
| 2017-01-18 | Refs #23919 -- Removed encoding preambles and future imports | Claude Paroz | |
| 2016-11-10 | Refs #27392 -- Removed "Tests that", "Ensures that", etc. from test docstrings. | za | |
| 2016-09-27 | Fixed #20705 -- Allowed using PasswordResetForm with user models with an ↵ | levental | |
| email field not named 'email'. | |||
| 2016-09-12 | Fixed #23155 -- Added request argument to user_login_failed signal. | Gavin Wahl | |
| 2016-09-10 | Fixed indentation in previous commit. | Tim Graham | |
| 2016-09-10 | Fixed #26097 -- Added password_validators_help_text_html to UserCreationForm. | Alexander Gaevsky | |
| 2016-08-24 | Fixed #27111 -- Fixed KeyError if USERNAME_FIELD isn't in ↵ | Berker Peksag | |
| UserCreationForm.fields. | |||
| 2016-08-10 | Fixed #26951 -- Allowed AuthenticationForm to work with a username of 0. | Olexander Yermakov | |
| 2016-06-21 | Refs #21379, #26719 -- Moved username normalization to AbstractBaseUser. | Tim Graham | |
| Thanks Huynh Thanh Tam for the initial patch and Claude Paroz for review. | |||
| 2016-05-16 | Refs #21379 -- Normalized unicode username inputs | Claude Paroz | |
| 2016-05-16 | Fixed #21379 -- Created auth-specific username validators | Claude Paroz | |
| Thanks Tim Graham for the review. | |||
| 2016-05-07 | Fixed #26544 -- Delayed translations of SetPasswordForm help_texts | Claude Paroz | |
| Thanks Michael Bitzi for the reporti and Tim Graham for the review. | |||
