summaryrefslogtreecommitdiff
path: root/tests/auth_tests
AgeCommit message (Collapse)Author
2026-05-28Fixed #36225 -- Coped with lack of get_by_natural_key() in createsuperuser.babbitt
2026-05-27Fixed #37019 -- Updated login() and logout() to set request.auser.vishwa
2026-05-20Increased the default PBKDF2 iterations for Django 6.2.Sarah Boyce
2026-05-13Fixed #35514 -- Implemented dictionary-based MAILERS.Mike Edmunds
See DEP 0018. Added: * MAILERS setting. * django.core.mail.mailers dict-like EmailBackend factory. * `using` argument to mail sending APIs. * `sent_using` attribute to mail.outbox messages in locmem backend. * MAILERS in startproject settings template, set to console backend. * AdminLogHandler.using argument. * BrokenLinkEmailsMiddleware.send_mail() method. Updated: * BaseEmailBackend to track the MAILERS alias used to construct it, and to report errors for unknown kwargs (OPTIONS). * EmailBackend implementations to initialize from kwargs (OPTIONS) only when MAILERS is being used. * smtp.EmailBackend to require `host` option and to default `port` option based on SSL/TLS options. * SimpleTestCase setup to substitute the locmem backend for all defined MAILERS configurations. * Django's tests that send mail to define MAILERS. Deprecated: * EMAIL_BACKEND and other backend-related EMAIL_* settings. * mail.get_connection(). * The `connection`, `fail_silently`, `auth_user`, and `auth_password` arguments to mail functions. * The EmailMessage.connection attribute. * BaseEmailBackend support for `fail_silently`. Backends that support fail_silently (SMTP, console, file) now implement it directly. * AdminEmailHandler.email_backend argument. Removed undocumented features without deprecation: * EmailMessage.get_connection() method. (send() now raises an error if a subclass has attempted to override it.) * EmailMessage.send() no longer sets self.connection to the connection used for sending. (It still _uses_ a pre-existing self.connection.) * AdminEmailHandler.connection() method. (Init now raises an error if a subclass has attempted to override it.) Thanks to Natalia Bidart for shepherding DEP 0018 and for extensive reviews and suggestions on the implementation. Thanks to Jacob Rief for the initial implementation and multiple iterations while refining the design. Co-authored-by: Jacob Rief <jacob.rief@gmail.com>
2026-05-06Refs #35514 -- Cleaned up logging and middleware tests.Mike Edmunds
Simplified and removed use of soon-to-be-deprecated or removed features from tests for AdminEmailHandler and BrokenLinkEmailsMiddleware. Added or updated cases to ensure `fail_silently` usage remains consistent during the transition to email providers. Changed custom FailingEmailBackend to respect fail_silently and record its use in a class-level property. In AdminEmailHandlerTest: * Added make_log_record() helper to reduce duplicated code. * Changed test_fail_silently() to send through the FailingEmailBackend, which will fail if not initialized with fail_silently=True. (Rather than inspecting attributes of a soon-to-be-deprecated connection.) * Simplified test_uses_custom_email_backend() by replacing monkeypatches with inspectable custom backend. * In test_customize_send_mail_method(), removed use of the undocumented self.connection() method and the soon-to-be-deprecated `connection` arg to mail_managers(). This test verifies a subclass can customize sending by mailing the managers rather than the admins. Involving a email backend connection was irrelevant. In BrokenLinkEmailsMiddlewareTest, added a case with FailingEmailBackend to verify send uses fail_silently=True.
2026-05-06Refs #36439 -- Added sync_to_async() to dummy password hasher path.Jacob Walls
Since the existing user path eventually calls sync_to_async() in acheck_password, aim for parity with the nonexistent/inactive user branch by adding sync_to_async(). Follow-up to 748ca0a146175c4868ece87f5e845a75416c30e3.
2026-05-06Fixed #36300 -- Restored the semantic where RemoteUserMiddleware.header ↵Jacob Walls
corresponds to request.META under ASGI. Because these tests always passed both WSGI environ values and HTTP headers via `**extra`, this masked a behavior difference between WSGI and ASGI. What should happen: everything should be passed via `headers` but for the default REMOTE_USER case on WSGI, which should be passed via `**extra`. Since that was not done, a regression made it into Django 5.2 (50f89ae850f6b4e35819fe725a08c7e579bfd099) where `.header` no longer corresponded to the request.META key under ASGI. To cope, an ASGI user would have started(*) sending HTTP headers that match the `.header` attribute, which may or may not have been edited to remove the HTTP_ prefix. (Note: the default `REMOTE_USER` case did not work under ASGI, so the change in Django 5.2 had the effect of fixing the default case but changing the semantic of the custom case.) (*): Unless they were getting the sync execution path, which didn't have this bug. See the fix in 0f4fff79d33b7cc84822e66bd1fc16caf8222e3a. Thanks Mykhailo Havelia and Sarah Boyce for reviews.
2026-05-04Fixed #37079 -- Fixed specialization of header lookups in RemoteUserMiddleware.Jacob Walls
We need to switch on whether the request is a WSGI or ASGI request to know whether to prepend `HTTP_`: we cannot assume sync exceution means we are running under WSGI, as there could be other sync middleware forcing sync execution under ASGI. Thanks Mykhailo Havelia for the report.
2026-05-01Refs #35303 -- Added missing async RemoteUserMiddleware tests for custom ↵Sarah Boyce
RemoteUserBackend.
2026-05-01Refs #689 -- Made RemoteUserMiddleware ImproperlyConfigured error message ↵Sarah Boyce
handle subclasses. Co-authored-by: Arfey <Arfey17.mg@gmail.com>
2026-04-24Fixed #36542 -- Marked authenticate() with @sensitive_variables() decorator.KANIN KEARPIMY
Thanks Olivier Dalang, Tim McCurrach, Sarah Boyce, and Mar Bartolome for reviews.
2026-04-07Fixed #37021 -- Added Permission.user_perm_str property.mariatta
For use in checking user permissions via has_perm(). Co-authored-by: 사재혁 <jaehyuck.sa.dev@gmail.com>
2026-04-02Fixed #37017 -- Fixed setting or clearing of request.user after ↵Jacob Walls
alogin/alogout(). Regression in 31a43c571f4d036827d4fd7a5f615591637dc1be.
2026-02-27Fixed #27489 -- Renamed permissions upon model renaming in migrations.Artyom Kotovskiy
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-02-27Fixed #34643 -- Moved inputs beneath labels and errors in admin forms.antoliny0919
Thanks Sarah Boyce and Jacob Walls for reviews. Co-authored-by: Hrushikesh Vaidya <hrushikeshrv@gmail.com>
2026-02-10Fixed #36903 -- Fixed further NameErrors when inspecting functions with ↵93578237
deferred annotations. Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
2026-02-10Modified tests to format PKs with %s rather than %d.Tim Graham
It's how Django formats values internally and makes tests compatible with databases that use non-integer primary keys.
2026-02-03Fixed CVE-2025-13473 -- Standardized timing of check_password() in mod_wsgi ↵Jake Howard
auth handler. Refs CVE-2024-39329, #20760. Thanks Stackered for the report, and Jacob Walls and Markus Holtermann for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-01-31Refs #34118 -- Removed asgiref coroutine detection shims.Jacob Walls
As Python 3.12 is now the floor, we can drop the shims and use the `inspect` module.
2026-01-18Applied Black's 2026 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/26.1.0
2026-01-05Fixed #36843, #36793 -- Reverted "Fixed #27489 -- Renamed permissions upon ↵Jacob Walls
model renaming in migrations." This reverts commits f02b49d2f3bf84f5225de920ca510149f1f9f1da and 6e89271a8507fe272d11814975500a1b40303a04.
2025-12-22Fixed #36807 -- Fixed form field alignment under <fieldset> in the admin.Jacob Walls
It isn't safe to set display: flex on <fieldset>, because on Safari this interferes with display: block on child divs. Thanks Paulo Coutinho for the report and Antoliny for the review. Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
2025-12-03Fixed #36280 -- Replaced exception checks with assertRaisesMessage().Skyiesac
2025-11-24Corrected assertions for True/False results in ↵Jake Howard
tests/auth_tests/test_handlers.py.
2025-11-05Fixed #36709 -- Included static methods in system check for ↵Harsh Jain
UserModel.is_anonymous/is_authenticated methods.
2025-10-14Refs #31223 -- Added __class_getitem__() to SetPasswordMixin.Thibaut Decombe
2025-10-14Fixed #34041 -- Added aria-current attribute to admin breadcrumbs.antoliny0919
Co-authored by: farita1699 <uwanjerry25@gmail.com>
2025-09-17Increased the default PBKDF2 iterations for Django 6.1.Jacob Walls
2025-09-17Refs #36390 -- Removed support for RemoteUserMiddleware subclasses missing ↵Jacob Walls
aprocess_request(). Per deprecation timeline.
2025-09-17Refs #35530 -- Removed request.user or auser() fallback in auth.login and ↵Jacob Walls
auth.alogin. Per deprecation timeline.
2025-09-15Refs #27489 -- Made RenamePermission() operation respect database.David Sanders
Regression in f02b49d2f3bf84f5225de920ca510149f1f9f1da. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2025-09-11Fixed #36603 -- Optimized check order in LoginRequiredMiddleware.Adam Johnson
2025-08-19Fixed #27489 -- Renamed permissions upon model renaming in migrations.Artyom Kotovskiy
2025-08-19Fixed #35892 -- Supported Widget.use_fieldset in admin forms.antoliny0919
2025-08-08Fixed #36540 -- Updated request.auser() in contrib.auth.alogin() and ↵Xinyi Rong
contrib.auth.alogout().
2025-07-25Fixed #35581 -- Updated django.core.mail to Python's modern email API.Mike Edmunds
- Changed EmailMessage.message() to construct a "modern email API" email.message.EmailMessage and added policy keyword arg. - Added support for modern MIMEPart objects in EmailMessage.attach() (and EmailMessage constructor, EmailMessage.attachments list). - Updated SMTP EmailBackend to use modern email.policy.SMTP. Deprecated: - Attaching MIMEBase objects (replace with MIMEPart) - BadHeaderError (modern email uses ValueError) - SafeMIMEText, SafeMIMEMultipart (unnecessary for modern email) - django.core.mail.forbid_multi_line_headers() (undocumented, but exposed via `__all__` and in wide use) - django.core.mail.message.sanitize_address() (undocumented, but in wide use) Removed without deprecation (all undocumented): - EmailMessage.mixed_subtype - EmailMultiAlternatives.alternative_subtype - Support for setting (undocumented) EmailMessage.encoding property to a legacy email.charset.Charset object Related changes: - Dropped tests for incorrect RFC 2047 encoding of non-ASCII email address localparts. This is specifically prohibited by RFC 2047, and not supported by any known MTA or email client. (Python still mis-applies encoded-word to non-ASCII localparts, but it is a bug that may be fixed in the future.) - Added tests that try to discourage using Python's legacy email APIs in future updates to django.core.mail.
2025-07-23Refs #36500 -- Rewrapped long docstrings and block comments via a script.django-bot
Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-07-23Removed double spaces after periods and within phrases.Sarah Boyce
2025-07-22Fixed #36226 -- Accepted str or bytes for password and salt in password hashers.Roel Delos Reyes
Co-authored-by: Screamadelica <1621456391@sjtu.edu.cn>
2025-07-17Fixed #36163 -- Deprecated most positional arguments in django.core.mail.Mike Edmunds
In public mail APIs, changed less frequently used parameters from keyword-or-positional to keyword-only, emitting a warning during the required deprecation period.
2025-05-23Fixed #36390 -- Deprecated RemoteUserMiddleware subclasses missing ↵Sarah Boyce
aprocess_request(). Regression in 50f89ae850f6b4e35819fe725a08c7e579bfd099. Thank you to shamoon for the report and Natalia Bidart for the review.
2025-04-17Fixed #35959 -- Displayed password reset button in admin only when user has ↵Sarah Boyce
sufficient permissions. This change ensures that the "Reset password" button in the admin is shown only when the user has the necessary permission to perform a password change operation. It reuses the password hashing rendering logic in `display_for_field` to show the appropriate read-only widget for users with view-only access.
2025-04-17Refs #35959 -- Added render_password_as_hash auth template tag for password ↵Sarah Boyce
rendering.
2025-04-17Fixed #36314 -- Fixed MinimumLengthValidator error message translation.Ahmed Nassar
Regression in ec7d69035a408b357f1803ca05a7c991cc358cfa. Thank you Gabriel Trouvé for the report and Claude Paroz for the review.
2025-03-27Fixed #34917 -- Underlined links in the main content area of the admin.antoliny0919
2025-03-01Applied Black's 2025 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/25.1.0
2025-02-18Fixed #36179 -- Unhexed entries and removed duplicates in ↵mimi89999
auth/common-passwords.txt.gz.
2025-02-18Refs #36005 -- Used datetime.UTC alias instead of datetime.timezone.utc.Mariusz Felisiak
datetime.UTC was added in Python 3.11.
2025-02-01Fixed #36140 -- Allowed BaseUserCreationForm to define non required password ↵nessita
fields. Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3. Thanks buffgecko12 for the report and Sarah Boyce for the review.
2025-01-15Increased the default PBKDF2 iterations for Django 6.0.Sarah Boyce