author Tim Graham <timograham@gmail.com> 2018-03-20 17:19:27 -0400
committer Tim Graham <timograham@gmail.com> 2018-03-22 10:03:43 -0400
commit a4f0e9aec76ee40c938d3bf450ff63211b7ba1f1
tree 65c8d99ed6a2ef86f6ff4773c87900a349e1c735 /docs/releases/2.1.txt
parent d97cce34096043b019e818a7fb98c0f9f073704c
Fixed #28718 -- Allowed user to request a password reset if their password doesn't use an enabled hasher.
Regression in aeb1389442d0f9669edf6660b747fd10693b63a7. Reverted changes to is_password_usable() from 703c266682be39f7153498ad0d8031231f12ee79 and documentation changes from 92f48680dbd2e02f2b33f6ad0e35b7d337889fb2.
Diffstat (limited to 'docs/releases/2.1.txt')
-rw-r--r-- docs/releases/2.1.txt 8
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/releases/2.1.txt b/docs/releases/2.1.txt
index 439dc275ce..463fad0b6c 100644
--- a/docs/releases/2.1.txt
+++ b/docs/releases/2.1.txt
@@ -358,6 +358,14 @@ Miscellaneous
changed from 0 to an empty string, which mainly may require some adjustments
in tests that compare HTML.
+* :meth:`.User.has_usable_password` and the
+ :func:`~django.contrib.auth.hashers.is_password_usable` function no longer
+ return ``False`` if the password is ``None`` or an empty string, or if the
+ password uses a hasher that's not in the :setting:`PASSWORD_HASHERS` setting.
+ This undocumented behavior was a regression in Django 1.6 and prevented users
+ with such passwords from requesting a password reset. Audit your code to
+ confirm that your usage of these APIs don't rely on the old behavior.
+
.. _deprecated-features-2.1:
Features deprecated in 2.1
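Review bot: The last sentence of the added bullet ("Audit your code to confirm that your usage of these APIs don't rely on the old behavior") asks for an audit, but the entry never states what the two functions now return for the listed inputs, so a reader cannot tell what to look for. Since the text says they "no longer return ``False``" for a ``None`` or empty password, or for a hasher missing from :setting:`PASSWORD_HASHERS`, say outright that they return ``True`` in those cases, and point out that callers who treated ``False`` as "this account has no valid password" need a different check. Also fix the agreement in that sentence: "usage ... don't rely" should be "usage ... doesn't rely".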