path: root/tests/auth_tests/test_views.py
Age | Commit message | Author
2026-05-13 | Fixed #35514 -- Implemented dictionary-based MAILERS. | Mike Edmunds
See DEP 0018.
Added:
* MAILERS setting.
* django.core.mail.mailers dict-like EmailBackend factory.
* `using` argument to mail sending APIs.
* `sent_using` attribute to mail.outbox messages in locmem backend.
* MAILERS in startproject settings template, set to console backend.
* AdminLogHandler.using argument.
* BrokenLinkEmailsMiddleware.send_mail() method.
Updated:
* BaseEmailBackend to track the MAILERS alias used to construct it, and to report errors for unknown kwargs (OPTIONS).
* EmailBackend implementations to initialize from kwargs (OPTIONS) only when MAILERS is being used.
* smtp.EmailBackend to require `host` option and to default `port` option based on SSL/TLS options.
* SimpleTestCase setup to substitute the locmem backend for all defined MAILERS configurations.
* Django's tests that send mail to define MAILERS.
Deprecated:
* EMAIL_BACKEND and other backend-related EMAIL_* settings.
* mail.get_connection().
* The `connection`, `fail_silently`, `auth_user`, and `auth_password` arguments to mail functions.
* The EmailMessage.connection attribute.
* BaseEmailBackend support for `fail_silently`. Backends that support fail_silently (SMTP, console, file) now implement it directly.
* AdminEmailHandler.email_backend argument.
Removed undocumented features without deprecation:
* EmailMessage.get_connection() method. (send() now raises an error if a subclass has attempted to override it.)
* EmailMessage.send() no longer sets self.connection to the connection used for sending. (It still _uses_ a pre-existing self.connection.)
* AdminEmailHandler.connection() method. (Init now raises an error if a subclass has attempted to override it.)
Thanks to Natalia Bidart for shepherding DEP 0018 and for extensive reviews and suggestions on the implementation. Thanks to Jacob Rief for the initial implementation and multiple iterations while refining the design.
Co-authored-by: Jacob Rief <jacob.rief@gmail.com>
2026-02-27 | Fixed #34643 -- Moved inputs beneath labels and errors in admin forms. | antoliny0919
Thanks Sarah Boyce and Jacob Walls for reviews.
Co-authored-by: Hrushikesh Vaidya <hrushikeshrv@gmail.com>
2025-12-22 | Fixed #36807 -- Fixed form field alignment under <fieldset> in the admin. | Jacob Walls
It isn't safe to set display: flex on <fieldset>, because on Safari this interferes with display: block on child divs. Thanks Paulo Coutinho for the report and Antoliny for the review. Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
2025-10-14 | Fixed #34041 -- Added aria-current attribute to admin breadcrumbs. | antoliny0919
Co-authored by: farita1699 <uwanjerry25@gmail.com>
2025-08-19 | Fixed #35892 -- Supported Widget.use_fieldset in admin forms. | antoliny0919
2025-07-23 | Refs #36500 -- Rewrapped long docstrings and block comments via a script. | django-bot
Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-07-23 | Removed double spaces after periods and within phrases. | Sarah Boyce
2025-04-17 | Fixed #35959 -- Displayed password reset button in admin only when user has sufficient permissions. | Sarah Boyce
This change ensures that the "Reset password" button in the admin is shown only when the user has the necessary permission to perform a password change operation. It reuses the password hashing rendering logic in `display_for_field` to show the appropriate read-only widget for users with view-only access.
2025-03-27 | Fixed #34917 -- Underlined links in the main content area of the admin. | antoliny0919
2025-01-13 | Fixed #36087 -- Supported password reset on a custom user model with a composite primary key. | Sarah Boyce
2024-10-16 | Refs #35727 -- Updated response.content.decode calls to use the HttpResponse.text property. | SaJH
Signed-off-by: SaJH <wogur981208@gmail.com>
2024-05-22 | Fixed #31405 -- Added LoginRequiredMiddleware. | Hisham Mahmood
Co-authored-by: Adam Johnson <me@adamj.eu>
Co-authored-by: Mehmet İnce <mehmet@mehmetince.net>
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-03-27 | Fixed #34977 -- Improved accessibility in the UserChangeForm by replacing the reset password link with a button. | Fabian Braun
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-02-20 | Fixed #34429 -- Allowed setting unusable passwords for users in the auth forms. | Fabian Braun
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-01-26 | Applied Black's 2024 stable style. | Mariusz Felisiak
https://github.com/psf/black/releases/tag/24.1.0
2023-09-20 | Defined PASSWORD_HASHERS for auth_tests.test_views.ChangelistTests. | Lily Foote
auth_tests.test_views.ChangelistTests.test_view_user_password_is_readonly depends on the password hasher having the three components algorithm, salt and hash. The default password hasher (PBKDF2PasswordHasher) has an extra iterations component, breaking the test.
2023-01-17 | Refs #15619 -- Removed support for logging out via GET requests. | Mariusz Felisiak
Per deprecation timeline.
2023-01-04 | Refs #34074 -- Used headers argument for RequestFactory and Client in docs and tests. | David Wobrock
2022-09-01 | Fixed ReadOnlyPasswordHashWidget's template for RTL languages. | Shai Berger
2022-04-20 | Refactored out RedirectURLMixin.get_success_url(). | Aymeric Augustin
This also adds a default implementation of get_default_redirect_url().
2022-04-20 | Simplified LogoutView.get_success_url(). | Aymeric Augustin
This preserves the behavior of redirecting to the logout URL without query string parameters when an insecure ?next=... parameter is given. It changes the behavior of a POST to the logout URL, as shown by the test that is changed. Currently, this results in a GET to the logout URL. However, such GET requests are deprecated. This change would be necessary in Django 5.0 anyway. This commit merely anticipates it.
2022-04-18 | Fixed #33648 -- Prevented extra redirect in LogoutView on invalid next page when LOGOUT_REDIRECT_URL is set. | Aymeric Augustin
2022-03-29 | Fixed #15619 -- Deprecated log out via GET requests. | René Fleschenberg
Thanks Florian Apolloner for the implementation idea.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2022-03-24 | Refs #15619 -- Logged out with POST requests in admin. | Mariusz Felisiak
2022-02-07 | Refs #33476 -- Refactored code to strictly match 88 characters line length. | Mariusz Felisiak
2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot
2021-07-19 | Fixed wording of AuthViewsTestCase's docstring. | Chris Jerdonek
2021-06-25 | Refs #32508 -- Raised ImproperlyConfigured/TypeError instead of using "assert" in various code. | Mateo Radman
2021-02-08 | Fixed #28216 -- Added next_page/get_default_redirect_url() to LoginView. | ThinkChaos
2021-01-14 | Refs #27468 -- Removed support for the pre-Django 3.1 user sessions. | Mariusz Felisiak
Per deprecation timeline.
2021-01-14 | Fixed #31358 -- Increased salt entropy of password hashers. | Jon Moroney
Co-authored-by: Florian Apolloner <florian@apolloner.eu>
2020-09-14 | Fixed #31789 -- Added a new headers interface to HttpResponse. | Tom Carrick
2020-07-09 | Used urllib.parse.urljoin() in auth_tests to join URLs. | Jon Dufresne
As the strings represent URLs and not paths, should use urllib to manipulate them.
2020-05-11 | Refs #30116 -- Simplified regex match group access with Match.__getitem__(). | Jon Dufresne
The method has been available since Python 3.6. The shorter syntax is also marginally faster.
2020-04-29 | Refs #27468 -- Made user sessions use SHA-256 algorithm. | Mariusz Felisiak
2020-03-16 | Fixed #31361 -- Fixed invalid action="" in admin forms. | Jon Dufresne
The attribute action="" (empty string) on the <form> element is invalid HTML5. The spec (https://html.spec.whatwg.org/#attr-fs-action) says:
> The action and formaction content attributes, if specified, must have a value that is a valid non-empty URL potentially surrounded by spaces.
Emphasis on non-empty. The action attribute is allowed to be omitted, in which case the current URL is used which is the same behavior as now.
2020-02-18 | Refs #26601 -- Deprecated passing None as get_response arg to middleware classes. | Claude Paroz
This is the new contract since middleware refactoring in Django 1.10.
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2019-12-02 | Fixed CVE-2019-19118 -- Required edit permissions on parent model for editable inlines in admin. | Carlton Gibson
Thank you to Shen Ying for reporting this issue.
2019-11-18 | Replaced encode() usage with bytes literals. | Jon Dufresne
2019-06-14 | Fixed #12952 -- Adjusted admin log change messages to use form labels instead of field names. | Sanyam Khurana
2019-05-27 | Refs #24944 -- Added test for overriding domain in email context in PasswordResetView. | Mattia Procopio
2019-05-24 | Fixed #28780 -- Allowed specifying a token parameter displayed in password reset URLs. | Rob
Co-authored-by: Tim Givois <tim.givois.mendez@gmail.com>
2019-03-15 | Cleaned up exception message checking in some tests. | Jon Dufresne
2019-02-14 | Refs #15902 -- Deprecated storing user's language in the session. | Claude Paroz
2018-12-31 | Updated test URL patterns to use path() and re_path(). | Tim Graham
2018-11-27 | Switched setUp() to setUpTestData() where possible in Django's tests. | Simon Charette
2018-10-10 | Refs #27795 -- Removed force_bytes() usage from django/utils/http.py. | Jon Dufresne
django.utils.http.urlsafe_base64_encode() now returns a string, not a bytestring. Since URLs are represented as strings, urlsafe_base64_encode() should return a string. All uses immediately decoded the bytestring to a string anyway. As the inverse operation, urlsafe_base64_decode() accepts a string.
2018-10-01 | Fixed #29809 -- Fixed a crash when a "view only" user POSTs to the admin user change form. | Tim Graham
2018-10-01 | Fixed CVE-2018-16984 -- Fixed password hash disclosure to admin "view only" users. | Carlton Gibson
Thanks Claude Paroz & Tim Graham for collaborating on the patch.
2018-08-17 | Fixed #29686 -- Made UserAdmin.user_change_password() pass user to has_change_permission(). | Alexander Todorov