| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2025-03-01 | [5.2.x] Applied Black's 2025 stable style. | Mariusz Felisiak | |
| https://github.com/psf/black/releases/tag/25.1.0 Backport of ff3aaf036f0cb66cd8f404cd51c603e68aaa7676 from main | |||
| 2025-02-18 | [5.2.x] Fixed #36179 -- Unhexed entries and removed duplicates in ↵ | mimi89999 | |
| auth/common-passwords.txt.gz. Backport of 727731d76d9dfd5304d536478d862778f6dd6d9b from main. | |||
| 2025-02-01 | [5.2.x] Fixed #36140 -- Allowed BaseUserCreationForm to define non required ↵ | nessita | |
| password fields. Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3. Thanks buffgecko12 for the report and Sarah Boyce for the review. Backport of d15454a6e84a595ffc8dc1b926282f484f782a8f from main. | |||
| 2025-01-13 | Fixed #36087 -- Supported password reset on a custom user model with a ↵ | Sarah Boyce | |
| composite primary key. | |||
| 2024-11-28 | Fixed #35530 -- Deprecated request.user fallback in auth.login and auth.alogin. | Jaap Roes | |
| 2024-11-28 | Refs #35530 -- Added basic test cases for auth.login. | Jaap Roes | |
| 2024-11-26 | Fixed #35942 -- Fixed createsuperuser crash on Python 3.13+ when username is ↵ | Tommy Allen | |
| unavailable. Thanks Mariusz Felisiak and Jacob Tyler Walls for reviews. | |||
| 2024-11-15 | Refs #28215 -- Marked auth form passwords as sensitive variables. | GappleBee | |
| 2024-10-17 | Refs #35844 -- Used asgiref.sync.iscoroutinefunction() instead of deprecated ↵ | Mariusz Felisiak | |
| asyncio.iscoroutinefunction(). Fixes DeprecationWarning: 'asyncio.iscoroutinefunction' is deprecated and slated for removal in Python 3.16; use inspect.iscoroutinefunction() instead. | |||
| 2024-10-16 | Refs #35727 -- Updated response.content.decode calls to use the ↵ | SaJH | |
| HttpResponse.text property. Signed-off-by: SaJH <wogur981208@gmail.com> | |||
| 2024-10-15 | Fixed #35782 -- Allowed overriding password validation error messages. | Ben Cail | |
| 2024-10-07 | Fixed #35303 -- Implemented async auth backends and utils. | Jon Janzen | |
| 2024-09-03 | Fixed CVE-2024-45231 -- Avoided server error on password reset when email ↵ | Natalia | |
| sending fails. On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews. | |||
| 2024-09-02 | Refs #35706 -- Prefixed 'Error:' to titles of admin pages with form errors. | sanjeevholla26 | |
| This improves the screen reader experience. | |||
| 2024-08-23 | Added helper and refactored PasswordResetFormTest to unify email sending tests. | nessita | |
| 2024-08-19 | Fixed #35678 -- Removed "usable_password" field from BaseUserCreationForm. | Natalia | |
| Refs #34429: Following the implementation allowing the setting of unusable passwords via the admin site, the `BaseUserCreationForm` and `UserCreationForm` were extended to include a new field for choosing whether password-based authentication for the new user should be enabled or disabled at creation time. Given that these forms are designed to be extended when implementing custom user models, this branch ensures that this new field is moved to a new, admin-dedicated, user creation form `AdminUserCreationForm`. Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3. Thanks Simon Willison for the report, Fabian Braun and Sarah Boyce for the review. | |||
| 2024-08-19 | Refs #35678 -- Split tests for BaseUserCreationForm when using a custom User ↵ | Natalia | |
| model. This work also allows to subclass BaseUserCreationFormTest to reuse the tests and assertions for testing forms that extend BaseUserCreationForm, which is now used for UserCreationFormTest, increasing its coverage. | |||
| 2024-08-13 | Refs #35402 -- Added tests for invalid usage of submodules in some settings. | Jacob Walls | |
| 2024-08-08 | Added test for acheck_password() to ensure make_password is called for ↵ | Natalia | |
| unusable passwords. This is a follow up for the fix of CVE-2024-39329 (5d8645857936c142a3973694799c52165e2bdcdb) where the timing of verify_password() was standardized when checking unusable passwords. | |||
| 2024-07-09 | Fixed CVE-2024-39329 -- Standarized timing of verify_password() when ↵ | Michael Manfre | |
| checking unusuable passwords. Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review. | |||
| 2024-07-04 | Fixed #35520 -- Avoided opening transaction for read-only ModelAdmin requests. | Jake Howard | |
| 2024-07-04 | Fixed #35569 -- Improved wording of invalid ForeignKey error message. | Jacob Walls | |
| 2024-05-30 | Fixed #35477 -- Corrected 'required' errors in auth password set/change forms. | Fabian Braun | |
| The auth forms using SetPasswordMixin were incorrectly including the 'This field is required.' error when additional validations (e.g., overriding `clean_password1`) were performed and failed. This fix ensures accurate error reporting for password fields. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> | |||
| 2024-05-22 | Increased the default PBKDF2 iterations for Django 5.2. | Natalia | |
| 2024-05-22 | Fixed #31405 -- Added LoginRequiredMiddleware. | Hisham Mahmood | |
| Co-authored-by: Adam Johnson <me@adamj.eu> Co-authored-by: Mehmet İnce <mehmet@mehmetince.net> Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | |||
| 2024-05-17 | Fixed #35428 -- Increased parallelism of the ScryptPasswordHasher. | SaJH | |
| 2024-05-13 | Fixed #35408 -- Optimized post-migrate permission creation. | Adam Johnson | |
| co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2024-03-27 | Fixed #34977 -- Improved accessibility in the UserChangeForm by replacing ↵ | Fabian Braun | |
| the reset password link with a button. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> | |||
| 2024-03-07 | Fixed #35030 -- Made django.contrib.auth decorators to work with async ↵ | Dingning | |
| functions. | |||
| 2024-03-06 | Refs #35030 -- Added more tests for @user_passes_test decorator. | Mariusz Felisiak | |
| 2024-02-20 | Fixed #34429 -- Allowed setting unusable passwords for users in the auth forms. | Fabian Braun | |
| Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> | |||
| 2024-02-20 | Refs #34429 -- Defined test user with unusable password for auth forms tests. | Natalia | |
| 2024-01-26 | Applied Black's 2024 stable style. | Mariusz Felisiak | |
| https://github.com/psf/black/releases/tag/24.1.0 | |||
| 2024-01-12 | Added test ensuring that validate_password is used in AdminPasswordChangeForm. | nessita | |
| Co-authored-by: Fabian Braun <fsbraun@gmx.de> | |||
| 2024-01-04 | Used enterClassContext() where appropriate. | Mariusz Felisiak | |
| 2023-12-31 | Used addCleanup() in tests where appropriate. | Mariusz Felisiak | |
| 2023-11-01 | Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows. | Mariusz Felisiak | |
| Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. | |||
| 2023-09-20 | Defined PASSWORD_HASHERS for auth_tests.test_views.ChangelistTests. | Lily Foote | |
| auth_tests.test_views.ChangelistTests.test_view_user_password_is_readonly depends on the password hasher having the three components algorithm, salt and hash. The default password hasher (PBKDF2PasswordHasher) has an extra iterations component, breaking the test. | |||
| 2023-09-18 | Increased the default PBKDF2 iterations for Django 5.1. | Mariusz Felisiak | |
| 2023-09-18 | Refs #33691 -- Removed insecure password hashers per deprecation timeline. | Mariusz Felisiak | |
| 2023-09-18 | Refs #33764 -- Removed BaseUserManager.make_random_password() per ↵ | Mariusz Felisiak | |
| deprecation timeline. | |||
| 2023-08-22 | Removed unnecessary trailing commas in tests. | konsti | |
| 2023-08-08 | Fixed #34542 -- Made createsuperuser handle required blank fields in ↵ | Mateusz Więckowski | |
| non-interactive mode. | |||
| 2023-06-27 | Fixed #34391 -- Added async-compatible interface to auth functions and ↵ | Jon Janzen | |
| related methods test clients. | |||
| 2023-05-18 | Fixed #34565 -- Added support for async checking of user passwords. | HappyDingning | |
| 2023-03-28 | Fixed #34438 -- Reallowed extending UserCreationForm. | Gary Jarrel | |
| Regression in 298d02a77a69321af8c0023df3250663e9d1362d. | |||
| 2023-03-20 | Fixed some typos in comments, docstrings, and tests. | Liyang Zhang | |
| 2023-03-09 | Fixed #33985 -- Used app_config.verbose_name in ContentType.__str__(). | Hrushikesh Vaidya | |
| 2023-03-08 | Fixed #34384 -- Fixed session validation when rotation secret keys. | David Wobrock | |
| Bug in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7. Thanks Eric Zarowny for the report. | |||
| 2023-03-07 | Fixed #31920 -- Made AuthenticationMiddleware add request.auser(). | Jon Janzen | |
