| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2022-05-11 | Fixed #33691 -- Deprecated django.contrib.auth.hashers.CryptPasswordHasher. | Mariusz Felisiak | |
| 2022-04-20 | Refactored out RedirectURLMixin.get_success_url(). | Aymeric Augustin | |
| This also adds a default implementation of get_default_redirect_url(). | |||
| 2022-04-20 | Simplified LogoutView.get_success_url(). | Aymeric Augustin | |
| This preserves the behavior of redirecting to the logout URL without query string parameters when an insecure ?next=... parameter is given. It changes the behavior of a POST to the logout URL, as shown by the test that is changed. Currently, this results in a GET to the logout URL. However, such GET requests are deprecated. This change would be necessary in Django 5.0 anyway. This commit merely anticipates it. | |||
| 2022-04-18 | Fixed #33648 -- Prevented extra redirect in LogoutView on invalid next page ↵ | Aymeric Augustin | |
| when LOGOUT_REDIRECT_URL is set. | |||
| 2022-04-18 | Fixed various tests on MySQL with MyISAM storage engine. | Mariusz Felisiak | |
| 2022-04-01 | Fixed #33613 -- Made createsuperuser detect uniqueness of USERNAME_FIELD ↵ | Lucidiot | |
| when using Meta.constraints. | |||
| 2022-03-29 | Fixed #15619 -- Deprecated log out via GET requests. | René Fleschenberg | |
| Thanks Florian Apolloner for the implementation idea. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2022-03-24 | Refs #15619 -- Logged out with POST requests in admin. | Mariusz Felisiak | |
| 2022-03-24 | Refs #32365 -- Removed internal uses of utils.timezone.utc alias. | Carlton Gibson | |
| Remaining test case ensures that uses of the alias are mapped canonically by the migration writer. | |||
| 2022-03-10 | Fixed #33561 -- Allowed synchronization of user attributes in RemoteUserBackend. | Adrian Torres | |
| 2022-02-22 | Removed redundant QuerySet.all() calls in docs and tests. | Nick Pope | |
| Most QuerySet methods are mapped onto the Manager and, in general, it isn't necessary to call .all() on the manager. | |||
| 2022-02-07 | Refs #33476 -- Refactored code to strictly match 88 characters line length. | Mariusz Felisiak | |
| 2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot | |
| 2022-02-01 | Fixed #30360 -- Added support for secret key rotation. | tschilling | |
| Thanks Florian Apolloner for the implementation idea. Co-authored-by: Andreas Pelme <andreas@pelme.se> Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Vuyisile Ndlovu <terrameijar@gmail.com> | |||
| 2022-01-04 | Fixed CVE-2021-45115 -- Prevented DoS vector in ↵ | Florian Apolloner | |
| UserAttributeSimilarityValidator. Thanks Chris Bailey for the report. Co-authored-by: Adam Johnson <me@adamj.eu> | |||
| 2021-11-11 | Fixed #33269 -- Made AnonymousUser/PermissionsMixin.has_perms() raise ↵ | Lie Ryan | |
| ValueError on string or non-iterable perm_list. | |||
| 2021-10-12 | Fixed #33178 -- Made createsuperuser validate required fields passed in ↵ | Christophe Henry | |
| options in interactive mode. | |||
| 2021-10-12 | Refs #33178 -- Added createsuperuser tests for validation of foreign keys. | Christophe Henry | |
| 2021-10-12 | Refs #21755 -- Fixed createsuperuser crash for required foreign keys passed ↵ | Christophe Henry | |
| in options in interactive mode. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2021-10-12 | Refs #29628, Refs #33178 -- Made createsuperuser validate password against ↵ | Mariusz Felisiak | |
| required fields passed in options. | |||
| 2021-10-07 | Fixed #33151 -- Fixed createsuperuser crash for many-to-many required fields ↵ | Christophe Henry | |
| in non-interactive mode. | |||
| 2021-09-20 | Increased the default PBKDF2 iterations for Django 4.1. | Mariusz Felisiak | |
| 2021-09-06 | Refs #32508 -- Raised TypeError/ValueError instead of using "assert" in ↵ | Mateo Radman | |
| encode() methods of remaining password hashers. | |||
| 2021-08-11 | Refs #29898 -- Changed ProjectState.real_apps to set. | Mariusz Felisiak | |
| 2021-08-02 | Refs #32956 -- Corrected usage of "insure" and "assure". | David Smith | |
| 2021-07-22 | Fixed #32275 -- Added scrypt password hasher. | ryowright | |
| Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2021-07-22 | Refs #32508 -- Raised TypeError/ValueError instead of using "assert" in ↵ | Mariusz Felisiak | |
| encode() methods of some password hashers. | |||
| 2021-07-19 | Fixed wording of AuthViewsTestCase's docstring. | Chris Jerdonek | |
| 2021-07-07 | Used more specific unittest assertions in tests. | Mads Jensen | |
| 2021-06-25 | Refs #32508 -- Raised ImproperlyConfigured/TypeError instead of using ↵ | Mateo Radman | |
| "assert" in various code. | |||
| 2021-05-28 | Refs #24121 -- Added __repr__() to PermWrapper. | abhiabhi94 | |
| 2021-05-20 | Renamed "object" argument of ModelAdmin.log_addition(), log_change(), and ↵ | David Sanders | |
| log_deletion() methods. | |||
| 2021-05-19 | Fixed #32765 -- Removed "for" HTML attribute from ReadOnlyPasswordHashWidget. | David Sanders | |
| ReadOnlyPasswordHashWidget doesn't have any labelable elements. | |||
| 2021-04-20 | Fixed #32664 -- Made PasswordResetTokenGenerator.secret validation lazy. | François Freitag | |
| Django apps initialization to run management command triggers the admin autodiscovery. Importing django.contrib.auth.tokens creates an instance of PasswordResetTokenGenerator which required a SECRET_KEY. For several management commands, the token generator is unused. It should only complain about a missing SECRET_KEY when it is used. | |||
| 2021-04-20 | Refs #28017 -- Added test for PasswordResetTokenGenerator subclass with a ↵ | François Freitag | |
| custom secret. | |||
| 2021-03-11 | Refs #32508 -- Raised ImproperlyConfigured instead of using "assert" in ↵ | Hasan Ramezani | |
| middlewares. | |||
| 2021-02-08 | Fixed #28216 -- Added next_page/get_default_redirect_url() to LoginView. | ThinkChaos | |
| 2021-01-14 | Increased the default PBKDF2 iterations for Django 4.0. | Mariusz Felisiak | |
| 2021-01-14 | Refs #31842 -- Removed DEFAULT_HASHING_ALGORITHM transitional setting. | Mariusz Felisiak | |
| Per deprecation timeline. | |||
| 2021-01-14 | Refs #27468 -- Removed support for the pre-Django 3.1 user sessions. | Mariusz Felisiak | |
| Per deprecation timeline. | |||
| 2021-01-14 | Refs #27468 -- Removed support for the pre-Django 3.1 password reset tokens. | Mariusz Felisiak | |
| Per deprecation timeline. | |||
| 2021-01-14 | Refs #28622 -- Removed settings.PASSWORD_RESET_TIMEOUT_DAYS per deprecation ↵ | Mariusz Felisiak | |
| timeline. | |||
| 2021-01-14 | Fixed #31358 -- Increased salt entropy of password hashers. | Jon Moroney | |
| Co-authored-by: Florian Apolloner <florian@apolloner.eu> | |||
| 2021-01-14 | Refs #31358 -- Added bcrypt password hashers tests for must_update() with ↵ | Jon Moroney | |
| salt(). | |||
| 2020-12-28 | Refs #31358 -- Fixed decoding salt in Argon2PasswordHasher. | Florian Apolloner | |
| Argon2 encodes the salt as base64 for representation in the final hash output. To be able to accurately return the used salt from decode(), add padding, b64decode, and decode from latin1 (for the remote possibility that someone supplied a custom hash consisting solely of bytes -- this would require a manual construction of the hash though, Django's interface does not allow for that). | |||
| 2020-12-03 | Fixed #32235 -- Made ReadOnlyPasswordHashField disabled by default. | Timo Ludwig | |
| 2020-11-30 | Refs #31978 -- Fixed hint in admin's password reset confirmation form for ↵ | Mariusz Felisiak | |
| custom username fields. Thanks Jaap Roes for the report. | |||
| 2020-11-30 | Refs #22909 -- Removed camelCasing in auth_tests.test_templates tests. | Mariusz Felisiak | |
| 2020-11-10 | Avoided direct styles in admin templates. | Claude Paroz | |
| Direct styles might be forbidden by Content Security Policies. | |||
| 2020-10-28 | Refs #28215 -- Marked auth credentials as sensitive variables. | Hasan Ramezani | |
| Co-authored-by: Collin Anderson <collin@onetencommunications.com> | |||
