summaryrefslogtreecommitdiff
path: root/tests/auth_tests
AgeCommit message (Collapse)Author
2025-03-01[5.2.x] Applied Black's 2025 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/25.1.0 Backport of ff3aaf036f0cb66cd8f404cd51c603e68aaa7676 from main
2025-02-18[5.2.x] Fixed #36179 -- Unhexed entries and removed duplicates in ↵mimi89999
auth/common-passwords.txt.gz. Backport of 727731d76d9dfd5304d536478d862778f6dd6d9b from main.
2025-02-01[5.2.x] Fixed #36140 -- Allowed BaseUserCreationForm to define non required ↵nessita
password fields. Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3. Thanks buffgecko12 for the report and Sarah Boyce for the review. Backport of d15454a6e84a595ffc8dc1b926282f484f782a8f from main.
2025-01-13Fixed #36087 -- Supported password reset on a custom user model with a ↵Sarah Boyce
composite primary key.
2024-11-28Fixed #35530 -- Deprecated request.user fallback in auth.login and auth.alogin.Jaap Roes
2024-11-28Refs #35530 -- Added basic test cases for auth.login.Jaap Roes
2024-11-26Fixed #35942 -- Fixed createsuperuser crash on Python 3.13+ when username is ↵Tommy Allen
unavailable. Thanks Mariusz Felisiak and Jacob Tyler Walls for reviews.
2024-11-15Refs #28215 -- Marked auth form passwords as sensitive variables.GappleBee
2024-10-17Refs #35844 -- Used asgiref.sync.iscoroutinefunction() instead of deprecated ↵Mariusz Felisiak
asyncio.iscoroutinefunction(). Fixes DeprecationWarning: 'asyncio.iscoroutinefunction' is deprecated and slated for removal in Python 3.16; use inspect.iscoroutinefunction() instead.
2024-10-16Refs #35727 -- Updated response.content.decode calls to use the ↵SaJH
HttpResponse.text property. Signed-off-by: SaJH <wogur981208@gmail.com>
2024-10-15Fixed #35782 -- Allowed overriding password validation error messages.Ben Cail
2024-10-07Fixed #35303 -- Implemented async auth backends and utils.Jon Janzen
2024-09-03Fixed CVE-2024-45231 -- Avoided server error on password reset when email ↵Natalia
sending fails. On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews.
2024-09-02Refs #35706 -- Prefixed 'Error:' to titles of admin pages with form errors.sanjeevholla26
This improves the screen reader experience.
2024-08-23Added helper and refactored PasswordResetFormTest to unify email sending tests.nessita
2024-08-19Fixed #35678 -- Removed "usable_password" field from BaseUserCreationForm.Natalia
Refs #34429: Following the implementation allowing the setting of unusable passwords via the admin site, the `BaseUserCreationForm` and `UserCreationForm` were extended to include a new field for choosing whether password-based authentication for the new user should be enabled or disabled at creation time. Given that these forms are designed to be extended when implementing custom user models, this branch ensures that this new field is moved to a new, admin-dedicated, user creation form `AdminUserCreationForm`. Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3. Thanks Simon Willison for the report, Fabian Braun and Sarah Boyce for the review.
2024-08-19Refs #35678 -- Split tests for BaseUserCreationForm when using a custom User ↵Natalia
model. This work also allows to subclass BaseUserCreationFormTest to reuse the tests and assertions for testing forms that extend BaseUserCreationForm, which is now used for UserCreationFormTest, increasing its coverage.
2024-08-13Refs #35402 -- Added tests for invalid usage of submodules in some settings.Jacob Walls
2024-08-08Added test for acheck_password() to ensure make_password is called for ↵Natalia
unusable passwords. This is a follow up for the fix of CVE-2024-39329 (5d8645857936c142a3973694799c52165e2bdcdb) where the timing of verify_password() was standardized when checking unusable passwords.
2024-07-09Fixed CVE-2024-39329 -- Standarized timing of verify_password() when ↵Michael Manfre
checking unusuable passwords. Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review.
2024-07-04Fixed #35520 -- Avoided opening transaction for read-only ModelAdmin requests.Jake Howard
2024-07-04Fixed #35569 -- Improved wording of invalid ForeignKey error message.Jacob Walls
2024-05-30Fixed #35477 -- Corrected 'required' errors in auth password set/change forms.Fabian Braun
The auth forms using SetPasswordMixin were incorrectly including the 'This field is required.' error when additional validations (e.g., overriding `clean_password1`) were performed and failed. This fix ensures accurate error reporting for password fields. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-05-22Increased the default PBKDF2 iterations for Django 5.2.Natalia
2024-05-22Fixed #31405 -- Added LoginRequiredMiddleware.Hisham Mahmood
Co-authored-by: Adam Johnson <me@adamj.eu> Co-authored-by: Mehmet İnce <mehmet@mehmetince.net> Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-05-17Fixed #35428 -- Increased parallelism of the ScryptPasswordHasher.SaJH
2024-05-13Fixed #35408 -- Optimized post-migrate permission creation.Adam Johnson
co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2024-03-27Fixed #34977 -- Improved accessibility in the UserChangeForm by replacing ↵Fabian Braun
the reset password link with a button. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-03-07Fixed #35030 -- Made django.contrib.auth decorators to work with async ↵Dingning
functions.
2024-03-06Refs #35030 -- Added more tests for @user_passes_test decorator.Mariusz Felisiak
2024-02-20Fixed #34429 -- Allowed setting unusable passwords for users in the auth forms.Fabian Braun
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-02-20Refs #34429 -- Defined test user with unusable password for auth forms tests.Natalia
2024-01-26Applied Black's 2024 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/24.1.0
2024-01-12Added test ensuring that validate_password is used in AdminPasswordChangeForm.nessita
Co-authored-by: Fabian Braun <fsbraun@gmx.de>
2024-01-04Used enterClassContext() where appropriate.Mariusz Felisiak
2023-12-31Used addCleanup() in tests where appropriate.Mariusz Felisiak
2023-11-01Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.Mariusz Felisiak
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2023-09-20Defined PASSWORD_HASHERS for auth_tests.test_views.ChangelistTests.Lily Foote
auth_tests.test_views.ChangelistTests.test_view_user_password_is_readonly depends on the password hasher having the three components algorithm, salt and hash. The default password hasher (PBKDF2PasswordHasher) has an extra iterations component, breaking the test.
2023-09-18Increased the default PBKDF2 iterations for Django 5.1.Mariusz Felisiak
2023-09-18Refs #33691 -- Removed insecure password hashers per deprecation timeline.Mariusz Felisiak
2023-09-18Refs #33764 -- Removed BaseUserManager.make_random_password() per ↵Mariusz Felisiak
deprecation timeline.
2023-08-22Removed unnecessary trailing commas in tests.konsti
2023-08-08Fixed #34542 -- Made createsuperuser handle required blank fields in ↵Mateusz Więckowski
non-interactive mode.
2023-06-27Fixed #34391 -- Added async-compatible interface to auth functions and ↵Jon Janzen
related methods test clients.
2023-05-18Fixed #34565 -- Added support for async checking of user passwords.HappyDingning
2023-03-28Fixed #34438 -- Reallowed extending UserCreationForm.Gary Jarrel
Regression in 298d02a77a69321af8c0023df3250663e9d1362d.
2023-03-20Fixed some typos in comments, docstrings, and tests.Liyang Zhang
2023-03-09Fixed #33985 -- Used app_config.verbose_name in ContentType.__str__().Hrushikesh Vaidya
2023-03-08Fixed #34384 -- Fixed session validation when rotation secret keys.David Wobrock
Bug in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7. Thanks Eric Zarowny for the report.
2023-03-07Fixed #31920 -- Made AuthenticationMiddleware add request.auser().Jon Janzen