| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2021-01-14 | Fixed #31358 -- Increased salt entropy of password hashers. | Jon Moroney | |
| Co-authored-by: Florian Apolloner <florian@apolloner.eu> | |||
| 2020-09-14 | Fixed #31789 -- Added a new headers interface to HttpResponse. | Tom Carrick | |
| 2020-07-09 | Used urllib.parse.urljoin() in auth_tests to join URLs. | Jon Dufresne | |
| As the strings represent URLs and not paths, should use urllib to manipulate them. | |||
| 2020-05-11 | Refs #30116 -- Simplified regex match group access with Match.__getitem__(). | Jon Dufresne | |
| The method has been available since Python 3.6. The shorter syntax is also marginally faster. | |||
| 2020-04-29 | Refs #27468 -- Made user sessions use SHA-256 algorithm. | Mariusz Felisiak | |
| 2020-03-16 | Fixed #31361 -- Fixed invalid action="" in admin forms. | Jon Dufresne | |
| The attribute action="" (empty string) on the <form> element is invalid HTML5. The spec (https://html.spec.whatwg.org/#attr-fs-action) says: > The action and formaction content attributes, if specified, must have > a value that is a valid non-empty URL potentially surrounded by > spaces. Emphasis on non-empty. The action attribute is allowed to be omitted, in which case the current URL is used which is the same behavior as now. | |||
| 2020-02-18 | Refs #26601 -- Deprecated passing None as get_response arg to middleware ↵ | Claude Paroz | |
| classes. This is the new contract since middleware refactoring in Django 1.10. Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2019-12-02 | Fixed CVE-2019-19118 -- Required edit permissions on parent model for ↵ | Carlton Gibson | |
| editable inlines in admin. Thank you to Shen Ying for reporting this issue. | |||
| 2019-11-18 | Replaced encode() usage with bytes literals. | Jon Dufresne | |
| 2019-06-14 | Fixed #12952 -- Adjusted admin log change messages to use form labels ↵ | Sanyam Khurana | |
| instead of field names. | |||
| 2019-05-27 | Refs #24944 -- Added test for overriding domain in email context in ↵ | Mattia Procopio | |
| PasswordResetView. | |||
| 2019-05-24 | Fixed #28780 -- Allowed specyfing a token parameter displayed in password ↵ | Rob | |
| reset URLs. Co-authored-by: Tim Givois <tim.givois.mendez@gmail.com> | |||
| 2019-03-15 | Cleaned up exception message checking in some tests. | Jon Dufresne | |
| 2019-02-14 | Refs #15902 -- Deprecated storing user's language in the session. | Claude Paroz | |
| 2018-12-31 | Updated test URL patterns to use path() and re_path(). | Tim Graham | |
| 2018-11-27 | Switched setUp() to setUpTestData() where possible in Django's tests. | Simon Charette | |
| 2018-10-10 | Refs #27795 -- Removed force_bytes() usage from django/utils/http.py. | Jon Dufresne | |
| django.utils.http.urlsafe_base64_encode() now returns a string, not a bytestring. Since URLs are represented as strings, urlsafe_base64_encode() should return a string. All uses immediately decoded the bytestring to a string anyway. As the inverse operation, urlsafe_base64_decode() accepts a string. | |||
| 2018-10-01 | Fixed #29809 -- Fixed a crash when a "view only" user POSTs to the admin ↵ | Tim Graham | |
| user change form. | |||
| 2018-10-01 | Fixed CVE-2018-16984 -- Fixed password hash disclosure to admin "view only" ↵ | Carlton Gibson | |
| users. Thanks Claude Paroz & Tim Graham for collaborating on the patch. | |||
| 2018-08-17 | Fixed #29686 -- Made UserAdmin.user_change_password() pass user to ↵ | Alexander Todorov | |
| has_change_permission(). | |||
| 2018-06-20 | Refs #27398 -- Simplified some tests with assertRedirects(). | Tim Graham | |
| 2018-06-20 | Fixed #27398 -- Added an assertion to compare URLs, ignoring the order of ↵ | Jan Pieter Waagmeester | |
| their query strings. | |||
| 2018-05-07 | Replaced django.test.utils.patch_logger() with assertLogs(). | Claude Paroz | |
| Thanks Tim Graham for the review. | |||
| 2018-04-19 | Fixed #29212 -- Doc'd redirect loop if @permission_required used with ↵ | Nick Pope | |
| redirect_authenticated_user. | |||
| 2018-03-15 | Fixed #29206 -- Fixed PasswordResetConfirmView crash when the URL contains a ↵ | Mattia Procopio | |
| non-UUID where one is expected. | |||
| 2018-02-07 | Refs #27795 -- Removed force_bytes/text() usage in tests. | Tim Graham | |
| 2017-09-22 | Refs #26929 -- Removed extra_context parameter of ↵ | Tim Graham | |
| contrib.auth.views.logout_then_login(). Per deprecation timeline. | |||
| 2017-09-09 | Fixed some comments referring to a nonexistent TestClient class. | Luoxzhg | |
| 2017-08-24 | Fixed #28513 -- Added POST request support to LogoutView. | hui shang | |
| 2017-06-13 | Fixed #28229 -- Fixed the value of LoginView's "next" template variable. | Mikhail Golubev | |
| 2017-05-24 | Refs #27804 -- Used subTest() in several tests. | Bruno Alla | |
| 2017-03-07 | Fixed #27891 -- Added PasswordResetConfirmView.post_reset_login_backend. | Camilo Nova | |
| 2017-02-15 | Fixed #27840 -- Fixed KeyError in PasswordResetConfirmView.form_valid(). | Markus Holtermann | |
| When a user is already logged in when submitting the password and password confirmation to reset a password, a KeyError occurred while removing the reset session token from the session. Refs #17209 Thanks Quentin Marlats for the report and Florian Apolloner and Tim Graham for the review. | |||
| 2017-02-07 | Fixed #27815 -- Made LoginView pass the request kwarg to AuthenticationForm. | Zoltan Gyarmati | |
| 2017-02-03 | Fixed spelling of "nonexistent". | Tim Graham | |
| 2017-01-26 | Refs #23919 -- Replaced usage of django.utils.http utilities with Python ↵ | Claude Paroz | |
| equivalents Thanks Tim Graham for the review. | |||
| 2017-01-25 | Refs #23919 -- Replaced super(ClassName, self) with super(). | chillaranand | |
| 2017-01-24 | Removed unneeded force_text calls in the test suite | Claude Paroz | |
| 2017-01-18 | Refs #23919 -- Removed most of remaining six usage | Claude Paroz | |
| Thanks Tim Graham for the review. | |||
| 2017-01-18 | Refs #23919 -- Removed encoding preambles and future imports | Claude Paroz | |
| 2017-01-13 | Fixed #27518 -- Prevented possibie password reset token leak via HTTP ↵ | Romain Garrigues | |
| Referer header. Thanks Florian Apolloner for contributing to this patch and Collin Anderson, Markus Holtermann, and Tim Graham for review. | |||
| 2016-11-21 | Refs #17209 -- Fixed token verification for PasswordResetConfirmView POST ↵ | Florian Apolloner | |
| requests. | |||
| 2016-11-10 | Refs #27392 -- Removed "Tests that", "Ensures that", etc. from test docstrings. | za | |
| 2016-10-28 | Simplified some auth_tests with assertRedirects(). | Tim Graham | |
| 2016-09-07 | Fixed #26956 -- Added success_url_allowed_hosts to LoginView and LogoutView. | Jon Dufresne | |
| Allows specifying additional hosts to redirect after login and log out. | |||
| 2016-08-19 | Refs #26902 -- Protected against insecure redirects in Login/LogoutView. | Przemysław Suliga | |
| 2016-08-18 | Removed unused 'password' parameter in auth_tests. | Tim Graham | |
| 2016-08-15 | Fixed #27009 -- Made update_session_auth_hash() rotate the session key. | Tim Graham | |
| 2016-08-10 | Fixed #26960 -- Added PasswordResetConfirmView option to automatically log ↵ | jordij | |
| in after a reset. | |||
| 2016-07-28 | Fixed #26929 -- Deprecated extra_context parameter of ↵ | Andrew Nester | |
| contrib.auth.views.logout_then_login(). | |||
