author: Tim Graham <timograham@gmail.com> 2017-09-02 19:24:18 -0400
committer: Tim Graham <timograham@gmail.com> 2017-09-22 12:51:17 -0400
commit: 4f313e284e03a675da5fb1d25122ac9b04af5950 (patch)
tree: 8dcc91d0e8d6a16a8788160e351131904d6f2617 /docs/releases
parent: deb592b3e3d883ae32655f574c42af90079de8fa (diff)
Refs #17209 -- Removed login/logout and password reset/change function-based views.
Per deprecation timeline.
Diffstat (limited to 'docs/releases')
-rw-r--r-- docs/releases/1.10.7.txt | 2
-rw-r--r-- docs/releases/1.10.txt | 8
-rw-r--r-- docs/releases/1.3.txt | 2
-rw-r--r-- docs/releases/1.4.13.txt | 2
-rw-r--r-- docs/releases/1.4.18.txt | 2
-rw-r--r-- docs/releases/1.4.20.txt | 2
-rw-r--r-- docs/releases/1.4.22.txt | 2
-rw-r--r-- docs/releases/1.4.6.txt | 2
-rw-r--r-- docs/releases/1.5.2.txt | 2
-rw-r--r-- docs/releases/1.5.8.txt | 2
-rw-r--r-- docs/releases/1.6.10.txt | 2
-rw-r--r-- docs/releases/1.6.11.txt | 2
-rw-r--r-- docs/releases/1.6.5.txt | 2
-rw-r--r-- docs/releases/1.6.txt | 14
-rw-r--r-- docs/releases/1.7.10.txt | 2
-rw-r--r-- docs/releases/1.7.3.txt | 2
-rw-r--r-- docs/releases/1.7.7.txt | 2
-rw-r--r-- docs/releases/1.7.txt | 4
-rw-r--r-- docs/releases/1.8.10.txt | 2
-rw-r--r-- docs/releases/1.8.18.txt | 2
-rw-r--r-- docs/releases/1.8.4.txt | 2
-rw-r--r-- docs/releases/1.9.13.txt | 2
-rw-r--r-- docs/releases/1.9.3.txt | 2
-rw-r--r-- docs/releases/1.9.txt | 2
-rw-r--r-- docs/releases/2.1.txt | 6
25 files changed, 40 insertions, 34 deletions
diff --git a/docs/releases/1.10.7.txt b/docs/releases/1.10.7.txt
index c5caa65143..590a15024d 100644
--- a/docs/releases/1.10.7.txt
+++ b/docs/releases/1.10.7.txt
@@ -10,7 +10,7 @@ CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric r
============================================================================================
Django relies on user input in some cases (e.g.
-:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security check for these
redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric
URLs (e.g. ``http:999999999``) "safe" when they shouldn't be.
diff --git a/docs/releases/1.10.txt b/docs/releases/1.10.txt
index b235afb4f5..cf59598977 100644
--- a/docs/releases/1.10.txt
+++ b/docs/releases/1.10.txt
@@ -118,19 +118,19 @@ Minor features
subclassed ``django.contrib.auth.hashers.PBKDF2PasswordHasher`` to change the
default value.
-* The :func:`~django.contrib.auth.views.logout` view sends "no-cache" headers
+* The ``django.contrib.auth.views.logout()`` view sends "no-cache" headers
to prevent an issue where Safari caches redirects and prevents a user from
being able to log out.
-* Added the optional ``backend`` argument to :func:`~django.contrib.auth.login`
+* Added the optional ``backend`` argument to :func:`django.contrib.auth.login`
to allow using it without credentials.
* The new :setting:`LOGOUT_REDIRECT_URL` setting controls the redirect of the
- :func:`~django.contrib.auth.views.logout` view, if the view doesn't get a
+ ``django.contrib.auth.views.logout()`` view, if the view doesn't get a
``next_page`` argument.
* The new ``redirect_authenticated_user`` parameter for the
- :func:`~django.contrib.auth.views.login` view allows redirecting
+ ``django.contrib.auth.views.login()`` view allows redirecting
authenticated users visiting the login page.
* The new :class:`~django.contrib.auth.backends.AllowAllUsersModelBackend` and
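Review bot: the ``backend`` bullet is the odd one out in this hunk: it keeps the :func: role for django.contrib.auth.login and only drops the "~", while the other three changes turn a views.* reference into a literal. That function is not one of the views this commit removes, so the edit looks unrelated to the stated purpose. If the intent is to show the full dotted path so readers do not confuse it with the removed ``django.contrib.auth.views.login()``, say so in the commit message; otherwise leave the line as it was.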
diff --git a/docs/releases/1.3.txt b/docs/releases/1.3.txt
index 88c83ecd27..e1cd547b5e 100644
--- a/docs/releases/1.3.txt
+++ b/docs/releases/1.3.txt
@@ -636,7 +636,7 @@ message as a nonexistent account.
Password reset view now accepts ``from_email``
----------------------------------------------
-The :func:`django.contrib.auth.views.password_reset` view now accepts a
+The ``django.contrib.auth.views.password_reset()`` view now accepts a
``from_email`` parameter, which is passed to the ``password_reset_form``’s
``save()`` method as a keyword argument. If you are using this view with a
custom password reset form, then you will need to ensure your form's ``save()``
diff --git a/docs/releases/1.4.13.txt b/docs/releases/1.4.13.txt
index 14e5af9a0d..89b4473e55 100644
--- a/docs/releases/1.4.13.txt
+++ b/docs/releases/1.4.13.txt
@@ -36,7 +36,7 @@ which are accepted by some browsers. This allows a user to be redirected to
an unsafe URL unexpectedly.
Django relies on user input in some cases (e.g.
-:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
+``django.contrib.auth.views.login()``, ``django.contrib.comments``, and
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
The security checks for these redirects (namely
``django.utils.http.is_safe_url()``) did not correctly validate some malformed
diff --git a/docs/releases/1.4.18.txt b/docs/releases/1.4.18.txt
index 124d271bc4..075e08b32a 100644
--- a/docs/releases/1.4.18.txt
+++ b/docs/releases/1.4.18.txt
@@ -35,7 +35,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs
=============================================================
Django relies on user input in some cases (e.g.
-:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security checks for these
redirects (namely ``django.utils.http.is_safe_url()``) didn't strip leading
whitespace on the tested URL and as such considered URLs like
diff --git a/docs/releases/1.4.20.txt b/docs/releases/1.4.20.txt
index f2ca5ac103..d40bd20edd 100644
--- a/docs/releases/1.4.20.txt
+++ b/docs/releases/1.4.20.txt
@@ -10,7 +10,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs
=============================================================
Django relies on user input in some cases (e.g.
-:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security checks for these
redirects (namely ``django.utils.http.is_safe_url()``) accepted URLs with
leading control characters and so considered URLs like ``\x08javascript:...``
diff --git a/docs/releases/1.4.22.txt b/docs/releases/1.4.22.txt
index bed56d42e7..ed5ba2ef92 100644
--- a/docs/releases/1.4.22.txt
+++ b/docs/releases/1.4.22.txt
@@ -14,7 +14,7 @@ Denial-of-service possibility in ``logout()`` view by filling session store
===========================================================================
Previously, a session could be created when anonymously accessing the
-:func:`django.contrib.auth.views.logout` view (provided it wasn't decorated
+``django.contrib.auth.views.logout()`` view (provided it wasn't decorated
with :func:`~django.contrib.auth.decorators.login_required` as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
diff --git a/docs/releases/1.4.6.txt b/docs/releases/1.4.6.txt
index 39dc6f8dca..1e9590c315 100644
--- a/docs/releases/1.4.6.txt
+++ b/docs/releases/1.4.6.txt
@@ -13,7 +13,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs
=============================================================
Django relies on user input in some cases (e.g.
-:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
+``django.contrib.auth.views.login()``, ``django.contrib.comments``, and
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
The security checks for these redirects (namely
``django.utils.http.is_safe_url()``) didn't check if the scheme is ``http(s)``
diff --git a/docs/releases/1.5.2.txt b/docs/releases/1.5.2.txt
index 9a53ced78c..33341342a6 100644
--- a/docs/releases/1.5.2.txt
+++ b/docs/releases/1.5.2.txt
@@ -10,7 +10,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs
=============================================================
Django relies on user input in some cases (e.g.
-:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
+``django.contrib.auth.views.login()``, ``django.contrib.comments``, and
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
The security checks for these redirects (namely
``django.utils.http.is_safe_url()``) didn't check if the scheme is ``http(s)``
diff --git a/docs/releases/1.5.8.txt b/docs/releases/1.5.8.txt
index 93ad815cec..136b953185 100644
--- a/docs/releases/1.5.8.txt
+++ b/docs/releases/1.5.8.txt
@@ -36,7 +36,7 @@ which are accepted by some browsers. This allows a user to be redirected to
an unsafe URL unexpectedly.
Django relies on user input in some cases (e.g.
-:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
+``django.contrib.auth.views.login()``, ``django.contrib.comments``, and
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
The security checks for these redirects (namely
``django.utils.http.is_safe_url()``) did not correctly validate some malformed
diff --git a/docs/releases/1.6.10.txt b/docs/releases/1.6.10.txt
index e99a8256a7..ee91dc8a3a 100644
--- a/docs/releases/1.6.10.txt
+++ b/docs/releases/1.6.10.txt
@@ -34,7 +34,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs
=============================================================
Django relies on user input in some cases (e.g.
-:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security checks for these
redirects (namely ``django.utils.http.is_safe_url()``) didn't strip leading
whitespace on the tested URL and as such considered URLs like
diff --git a/docs/releases/1.6.11.txt b/docs/releases/1.6.11.txt
index cf94fedbf5..8cf81f89bf 100644
--- a/docs/releases/1.6.11.txt
+++ b/docs/releases/1.6.11.txt
@@ -27,7 +27,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs
=============================================================
Django relies on user input in some cases (e.g.
-:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security checks for these
redirects (namely ``django.utils.http.is_safe_url()``) accepted URLs with
leading control characters and so considered URLs like ``\x08javascript:...``
diff --git a/docs/releases/1.6.5.txt b/docs/releases/1.6.5.txt
index cacb522af8..77e82a668f 100644
--- a/docs/releases/1.6.5.txt
+++ b/docs/releases/1.6.5.txt
@@ -36,7 +36,7 @@ which are accepted by some browsers. This allows a user to be redirected to
an unsafe URL unexpectedly.
Django relies on user input in some cases (e.g.
-:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
+``django.contrib.auth.views.login()``, ``django.contrib.comments``, and
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
The security checks for these redirects (namely
``django.utils.http.is_safe_url()``) did not correctly validate some malformed
diff --git a/docs/releases/1.6.txt b/docs/releases/1.6.txt
index c3dd9acf4b..640a2bd93b 100644
--- a/docs/releases/1.6.txt
+++ b/docs/releases/1.6.txt
@@ -280,10 +280,10 @@ Minor features
:attr:`~django.http.HttpResponse.reason_phrase`.
* When giving the URL of the next page for
- :func:`~django.contrib.auth.views.logout`,
- :func:`~django.contrib.auth.views.password_reset`,
- :func:`~django.contrib.auth.views.password_reset_confirm`,
- and :func:`~django.contrib.auth.views.password_change`, you can now pass
+ ``django.contrib.auth.views.logout()``,
+ ``django.contrib.auth.views.password_reset()``,
+ ``django.contrib.auth.views.password_reset_confirm()``,
+ and ``django.contrib.auth.views.password_change()``, you can now pass
URL names and they will be resolved.
* The new :option:`dumpdata --pks` option specifies the primary keys of objects
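Review bot: style point on the four replaced lines in this bullet: the removed roles carried a "~" and so rendered as short names, but the literals now spell out the ``django.contrib.auth.views.`` prefix four times in one sentence. Consider naming the module once and listing the rest as ``logout()``, ``password_reset()`` and so on, which is the form the new bullet in docs/releases/2.1.txt already uses.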
@@ -742,17 +742,17 @@ can set the
Past versions of Django used base 36 encoding of the ``User`` primary key in
the password reset views and URLs
-(:func:`django.contrib.auth.views.password_reset_confirm`). Base 36 encoding is
+(``django.contrib.auth.views.password_reset_confirm()``). Base 36 encoding is
sufficient if the user primary key is an integer, however, with the
introduction of custom user models in Django 1.5, that assumption may no longer
be true.
-:func:`django.contrib.auth.views.password_reset_confirm` has been modified to
+``django.contrib.auth.views.password_reset_confirm()`` has been modified to
take a ``uidb64`` parameter instead of ``uidb36``. If you are reversing this
view, for example in a custom ``password_reset_email.html`` template, be sure
to update your code.
-A temporary shim for :func:`django.contrib.auth.views.password_reset_confirm`
+A temporary shim for ``django.contrib.auth.views.password_reset_confirm()``
that will allow password reset links generated prior to Django 1.6 to continue
to work has been added to provide backwards compatibility; this will be removed
in Django 1.7. Thus, as long as your site has been running Django 1.6 for more
diff --git a/docs/releases/1.7.10.txt b/docs/releases/1.7.10.txt
index 7fb8e85a55..7d4c773063 100644
--- a/docs/releases/1.7.10.txt
+++ b/docs/releases/1.7.10.txt
@@ -10,7 +10,7 @@ Denial-of-service possibility in ``logout()`` view by filling session store
===========================================================================
Previously, a session could be created when anonymously accessing the
-:func:`django.contrib.auth.views.logout` view (provided it wasn't decorated
+``django.contrib.auth.views.logout()`` view (provided it wasn't decorated
with :func:`~django.contrib.auth.decorators.login_required` as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
diff --git a/docs/releases/1.7.3.txt b/docs/releases/1.7.3.txt
index f8e0dc8b81..fb33b98883 100644
--- a/docs/releases/1.7.3.txt
+++ b/docs/releases/1.7.3.txt
@@ -34,7 +34,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs
=============================================================
Django relies on user input in some cases (e.g.
-:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security checks for these
redirects (namely ``django.utils.http.is_safe_url()``) didn't strip leading
whitespace on the tested URL and as such considered URLs like
diff --git a/docs/releases/1.7.7.txt b/docs/releases/1.7.7.txt
index 500a32a85e..f20ee127bc 100644
--- a/docs/releases/1.7.7.txt
+++ b/docs/releases/1.7.7.txt
@@ -27,7 +27,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs
=============================================================
Django relies on user input in some cases (e.g.
-:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security checks for these
redirects (namely ``django.utils.http.is_safe_url()``) accepted URLs with
leading control characters and so considered URLs like ``\x08javascript:...``
diff --git a/docs/releases/1.7.txt b/docs/releases/1.7.txt
index 6da941bc99..0cd9a033df 100644
--- a/docs/releases/1.7.txt
+++ b/docs/releases/1.7.txt
@@ -421,7 +421,7 @@ Minor features
<django.contrib.auth.forms.AuthenticationForm.confirm_login_allowed>` method
to more easily customize the login policy.
-* :func:`django.contrib.auth.views.password_reset` takes an optional
+* ``django.contrib.auth.views.password_reset()`` takes an optional
``html_email_template_name`` parameter used to send a multipart HTML email
for password resets.
@@ -1846,7 +1846,7 @@ remove usage of these features.
* The ``check_for_test_cookie`` method in
:class:`~django.contrib.auth.forms.AuthenticationForm` is removed.
-* The version of :func:`django.contrib.auth.views.password_reset_confirm` that
+* The version of ``django.contrib.auth.views.password_reset_confirm()`` that
supports base36 encoded user IDs
(``django.contrib.auth.views.password_reset_confirm_uidb36``) is removed.
diff --git a/docs/releases/1.8.10.txt b/docs/releases/1.8.10.txt
index 77d5c48ff6..b3d886960d 100644
--- a/docs/releases/1.8.10.txt
+++ b/docs/releases/1.8.10.txt
@@ -10,7 +10,7 @@ CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redi
===============================================================================================================
Django relies on user input in some cases (e.g.
-:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security check for these
redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
with basic authentication credentials "safe" when they shouldn't be.
diff --git a/docs/releases/1.8.18.txt b/docs/releases/1.8.18.txt
index f41c7d080f..4196fa1573 100644
--- a/docs/releases/1.8.18.txt
+++ b/docs/releases/1.8.18.txt
@@ -10,7 +10,7 @@ CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric r
============================================================================================
Django relies on user input in some cases (e.g.
-:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security check for these
redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric
URLs (e.g. ``http:999999999``) "safe" when they shouldn't be.
diff --git a/docs/releases/1.8.4.txt b/docs/releases/1.8.4.txt
index ee36c41fbc..486589254e 100644
--- a/docs/releases/1.8.4.txt
+++ b/docs/releases/1.8.4.txt
@@ -10,7 +10,7 @@ Denial-of-service possibility in ``logout()`` view by filling session store
===========================================================================
Previously, a session could be created when anonymously accessing the
-:func:`django.contrib.auth.views.logout` view (provided it wasn't decorated
+``django.contrib.auth.views.logout()`` view (provided it wasn't decorated
with :func:`~django.contrib.auth.decorators.login_required` as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
diff --git a/docs/releases/1.9.13.txt b/docs/releases/1.9.13.txt
index 4828096da9..41af5d36b2 100644
--- a/docs/releases/1.9.13.txt
+++ b/docs/releases/1.9.13.txt
@@ -11,7 +11,7 @@ CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric r
============================================================================================
Django relies on user input in some cases (e.g.
-:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security check for these
redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric
URLs (e.g. ``http:999999999``) "safe" when they shouldn't be.
diff --git a/docs/releases/1.9.3.txt b/docs/releases/1.9.3.txt
index ad99cd863c..21949a4daa 100644
--- a/docs/releases/1.9.3.txt
+++ b/docs/releases/1.9.3.txt
@@ -10,7 +10,7 @@ CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redi
===============================================================================================================
Django relies on user input in some cases (e.g.
-:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security check for these
redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
with basic authentication credentials "safe" when they shouldn't be.
diff --git a/docs/releases/1.9.txt b/docs/releases/1.9.txt
index 2b012191cd..37c4ff1711 100644
--- a/docs/releases/1.9.txt
+++ b/docs/releases/1.9.txt
@@ -216,7 +216,7 @@ Minor features
makes it possible to use ``REMOTE_USER`` for setups where the header is only
populated on login pages instead of every request in the session.
-* The :func:`~django.contrib.auth.views.password_reset` view accepts an
+* The ``django.contrib.auth.views.password_reset()`` view accepts an
``extra_email_context`` parameter.
:mod:`django.contrib.contenttypes`
diff --git a/docs/releases/2.1.txt b/docs/releases/2.1.txt
index 23a0c37e32..9f1648122a 100644
--- a/docs/releases/2.1.txt
+++ b/docs/releases/2.1.txt
@@ -223,3 +223,9 @@ Features removed in 2.1
These features have reached the end of their deprecation cycle and are removed
in Django 2.1. See :ref:`deprecated-features-1.11` for details, including how
to remove usage of these features.
+in Django 2.1. See :ref:`deprecated-features-1.11` and for details, including
+how to remove usage of these features.
+
+* ``contrib.auth.views.login()``, ``logout()``, ``password_change()``,
+ ``password_change_done()``, ``password_reset()``, ``password_reset_done()``,
+ ``password_reset_confirm()``, and ``password_reset_complete()`` are removed.
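Review bot: the first two added lines repeat the sentence that is still present as unchanged context directly above them, so the paragraph would end with "to remove usage of these features." and then start over with "in Django 2.1. See ...". The hunk header (-223,3 +223,9) confirms nothing is removed here. The new copy also has a stray "and" in "See :ref:`deprecated-features-1.11` and for details". Drop those two added lines and keep only the blank line and the bullet, or, if a second reference was meant to follow "and", add it and remove the old two lines instead. Minor: the bullet writes ``contrib.auth.views.login()`` without the leading ``django.`` that every other hunk in this patch uses; worth making consistent unless that is the established form for this list.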