summaryrefslogtreecommitdiff
path: root/tests/auth_tests
AgeCommit message (Collapse)Author
2025-11-24[6.0.x] Corrected assertions for True/False results in ↵Jake Howard
tests/auth_tests/test_handlers.py. Backport of d08ae991a83950aba5043f5a34f5af12d2effe9e from main.
2025-10-14[6.0.x] Refs #31223 -- Added __class_getitem__() to SetPasswordMixin.Thibaut Decombe
Backport of d0c8f89c942d1379724bdd37127076d13452f71d from main.
2025-09-15Refs #27489 -- Made RenamePermission() operation respect database.David Sanders
Regression in f02b49d2f3bf84f5225de920ca510149f1f9f1da. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2025-09-11Fixed #36603 -- Optimized check order in LoginRequiredMiddleware.Adam Johnson
2025-08-19Fixed #27489 -- Renamed permissions upon model renaming in migrations.Artyom Kotovskiy
2025-08-19Fixed #35892 -- Supported Widget.use_fieldset in admin forms.antoliny0919
2025-08-08Fixed #36540 -- Updated request.auser() in contrib.auth.alogin() and ↵Xinyi Rong
contrib.auth.alogout().
2025-07-25Fixed #35581 -- Updated django.core.mail to Python's modern email API.Mike Edmunds
- Changed EmailMessage.message() to construct a "modern email API" email.message.EmailMessage and added policy keyword arg. - Added support for modern MIMEPart objects in EmailMessage.attach() (and EmailMessage constructor, EmailMessage.attachments list). - Updated SMTP EmailBackend to use modern email.policy.SMTP. Deprecated: - Attaching MIMEBase objects (replace with MIMEPart) - BadHeaderError (modern email uses ValueError) - SafeMIMEText, SafeMIMEMultipart (unnecessary for modern email) - django.core.mail.forbid_multi_line_headers() (undocumented, but exposed via `__all__` and in wide use) - django.core.mail.message.sanitize_address() (undocumented, but in wide use) Removed without deprecation (all undocumented): - EmailMessage.mixed_subtype - EmailMultiAlternatives.alternative_subtype - Support for setting (undocumented) EmailMessage.encoding property to a legacy email.charset.Charset object Related changes: - Dropped tests for incorrect RFC 2047 encoding of non-ASCII email address localparts. This is specifically prohibited by RFC 2047, and not supported by any known MTA or email client. (Python still mis-applies encoded-word to non-ASCII localparts, but it is a bug that may be fixed in the future.) - Added tests that try to discourage using Python's legacy email APIs in future updates to django.core.mail.
2025-07-23Refs #36500 -- Rewrapped long docstrings and block comments via a script.django-bot
Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-07-23Removed double spaces after periods and within phrases.Sarah Boyce
2025-07-22Fixed #36226 -- Accepted str or bytes for password and salt in password hashers.Roel Delos Reyes
Co-authored-by: Screamadelica <1621456391@sjtu.edu.cn>
2025-07-17Fixed #36163 -- Deprecated most positional arguments in django.core.mail.Mike Edmunds
In public mail APIs, changed less frequently used parameters from keyword-or-positional to keyword-only, emitting a warning during the required deprecation period.
2025-05-23Fixed #36390 -- Deprecated RemoteUserMiddleware subclasses missing ↵Sarah Boyce
aprocess_request(). Regression in 50f89ae850f6b4e35819fe725a08c7e579bfd099. Thank you to shamoon for the report and Natalia Bidart for the review.
2025-04-17Fixed #35959 -- Displayed password reset button in admin only when user has ↵Sarah Boyce
sufficient permissions. This change ensures that the "Reset password" button in the admin is shown only when the user has the necessary permission to perform a password change operation. It reuses the password hashing rendering logic in `display_for_field` to show the appropriate read-only widget for users with view-only access.
2025-04-17Refs #35959 -- Added render_password_as_hash auth template tag for password ↵Sarah Boyce
rendering.
2025-04-17Fixed #36314 -- Fixed MinimumLengthValidator error message translation.Ahmed Nassar
Regression in ec7d69035a408b357f1803ca05a7c991cc358cfa. Thank you Gabriel Trouvé for the report and Claude Paroz for the review.
2025-03-27Fixed #34917 -- Underlined links in the main content area of the admin.antoliny0919
2025-03-01Applied Black's 2025 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/25.1.0
2025-02-18Fixed #36179 -- Unhexed entries and removed duplicates in ↵mimi89999
auth/common-passwords.txt.gz.
2025-02-18Refs #36005 -- Used datetime.UTC alias instead of datetime.timezone.utc.Mariusz Felisiak
datetime.UTC was added in Python 3.11.
2025-02-01Fixed #36140 -- Allowed BaseUserCreationForm to define non required password ↵nessita
fields. Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3. Thanks buffgecko12 for the report and Sarah Boyce for the review.
2025-01-15Increased the default PBKDF2 iterations for Django 6.0.Sarah Boyce
2025-01-13Fixed #36087 -- Supported password reset on a custom user model with a ↵Sarah Boyce
composite primary key.
2024-11-28Fixed #35530 -- Deprecated request.user fallback in auth.login and auth.alogin.Jaap Roes
2024-11-28Refs #35530 -- Added basic test cases for auth.login.Jaap Roes
2024-11-26Fixed #35942 -- Fixed createsuperuser crash on Python 3.13+ when username is ↵Tommy Allen
unavailable. Thanks Mariusz Felisiak and Jacob Tyler Walls for reviews.
2024-11-15Refs #28215 -- Marked auth form passwords as sensitive variables.GappleBee
2024-10-17Refs #35844 -- Used asgiref.sync.iscoroutinefunction() instead of deprecated ↵Mariusz Felisiak
asyncio.iscoroutinefunction(). Fixes DeprecationWarning: 'asyncio.iscoroutinefunction' is deprecated and slated for removal in Python 3.16; use inspect.iscoroutinefunction() instead.
2024-10-16Refs #35727 -- Updated response.content.decode calls to use the ↵SaJH
HttpResponse.text property. Signed-off-by: SaJH <wogur981208@gmail.com>
2024-10-15Fixed #35782 -- Allowed overriding password validation error messages.Ben Cail
2024-10-07Fixed #35303 -- Implemented async auth backends and utils.Jon Janzen
2024-09-03Fixed CVE-2024-45231 -- Avoided server error on password reset when email ↵Natalia
sending fails. On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews.
2024-09-02Refs #35706 -- Prefixed 'Error:' to titles of admin pages with form errors.sanjeevholla26
This improves the screen reader experience.
2024-08-23Added helper and refactored PasswordResetFormTest to unify email sending tests.nessita
2024-08-19Fixed #35678 -- Removed "usable_password" field from BaseUserCreationForm.Natalia
Refs #34429: Following the implementation allowing the setting of unusable passwords via the admin site, the `BaseUserCreationForm` and `UserCreationForm` were extended to include a new field for choosing whether password-based authentication for the new user should be enabled or disabled at creation time. Given that these forms are designed to be extended when implementing custom user models, this branch ensures that this new field is moved to a new, admin-dedicated, user creation form `AdminUserCreationForm`. Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3. Thanks Simon Willison for the report, Fabian Braun and Sarah Boyce for the review.
2024-08-19Refs #35678 -- Split tests for BaseUserCreationForm when using a custom User ↵Natalia
model. This work also allows to subclass BaseUserCreationFormTest to reuse the tests and assertions for testing forms that extend BaseUserCreationForm, which is now used for UserCreationFormTest, increasing its coverage.
2024-08-13Refs #35402 -- Added tests for invalid usage of submodules in some settings.Jacob Walls
2024-08-08Added test for acheck_password() to ensure make_password is called for ↵Natalia
unusable passwords. This is a follow up for the fix of CVE-2024-39329 (5d8645857936c142a3973694799c52165e2bdcdb) where the timing of verify_password() was standardized when checking unusable passwords.
2024-07-09Fixed CVE-2024-39329 -- Standarized timing of verify_password() when ↵Michael Manfre
checking unusuable passwords. Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review.
2024-07-04Fixed #35520 -- Avoided opening transaction for read-only ModelAdmin requests.Jake Howard
2024-07-04Fixed #35569 -- Improved wording of invalid ForeignKey error message.Jacob Walls
2024-05-30Fixed #35477 -- Corrected 'required' errors in auth password set/change forms.Fabian Braun
The auth forms using SetPasswordMixin were incorrectly including the 'This field is required.' error when additional validations (e.g., overriding `clean_password1`) were performed and failed. This fix ensures accurate error reporting for password fields. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-05-22Increased the default PBKDF2 iterations for Django 5.2.Natalia
2024-05-22Fixed #31405 -- Added LoginRequiredMiddleware.Hisham Mahmood
Co-authored-by: Adam Johnson <me@adamj.eu> Co-authored-by: Mehmet İnce <mehmet@mehmetince.net> Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-05-17Fixed #35428 -- Increased parallelism of the ScryptPasswordHasher.SaJH
2024-05-13Fixed #35408 -- Optimized post-migrate permission creation.Adam Johnson
co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2024-03-27Fixed #34977 -- Improved accessibility in the UserChangeForm by replacing ↵Fabian Braun
the reset password link with a button. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2024-03-07Fixed #35030 -- Made django.contrib.auth decorators to work with async ↵Dingning
functions.
2024-03-06Refs #35030 -- Added more tests for @user_passes_test decorator.Mariusz Felisiak
2024-02-20Fixed #34429 -- Allowed setting unusable passwords for users in the auth forms.Fabian Braun
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>