Fixed #17209 -- Added password reset/change class-based views

Thanks Tim Graham for the review.

4 files changed, 518 insertions, 26 deletions

diff --git a/tests/auth_tests/test_deprecated_views.py b/tests/auth_tests/test_deprecated_views.py
new file mode 100644
index 0000000000..6034fd11de
--- /dev/null
+++ b/tests/auth_tests/test_deprecated_views.py
@@ -0,0 +1,446 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+import datetime
+import itertools
+import re
+
+from django.conf import settings
+from django.contrib.auth import SESSION_KEY
+from django.contrib.auth.forms import (
+    AuthenticationForm, PasswordChangeForm, SetPasswordForm,
+)
+from django.contrib.auth.models import User
+from django.core import mail
+from django.http import QueryDict
+from django.test import TestCase, override_settings
+from django.test.utils import ignore_warnings, patch_logger
+from django.utils.deprecation import RemovedInDjango21Warning
+from django.utils.encoding import force_text
+from django.utils.six.moves.urllib.parse import ParseResult, urlparse
+
+from .models import CustomUser, UUIDUser
+from .settings import AUTH_TEMPLATES
+
+
+@override_settings(
+    LANGUAGES=[('en', 'English')],
+    LANGUAGE_CODE='en',
+    TEMPLATES=AUTH_TEMPLATES,
+    ROOT_URLCONF='auth_tests.urls_deprecated',
+)
+class AuthViewsTestCase(TestCase):
+    """
+    Helper base class for all the follow test cases.
+    """
+
+    @classmethod
+    def setUpTestData(cls):
+        cls.u1 = User.objects.create_user(username='testclient', password='password', email='testclient@example.com')
+        cls.u3 = User.objects.create_user(username='staff', password='password', email='staffmember@example.com')
+
+    def login(self, username='testclient', password='password'):
+        response = self.client.post('/login/', {
+            'username': username,
+            'password': password,
+        })
+        self.assertIn(SESSION_KEY, self.client.session)
+        return response
+
+    def logout(self):
+        response = self.client.get('/admin/logout/')
+        self.assertEqual(response.status_code, 200)
+        self.assertNotIn(SESSION_KEY, self.client.session)
+
+    def assertFormError(self, response, error):
+        """Assert that error is found in response.context['form'] errors"""
+        form_errors = list(itertools.chain(*response.context['form'].errors.values()))
+        self.assertIn(force_text(error), form_errors)
+
+    def assertURLEqual(self, url, expected, parse_qs=False):
+        """
+        Given two URLs, make sure all their components (the ones given by
+        urlparse) are equal, only comparing components that are present in both
+        URLs.
+        If `parse_qs` is True, then the querystrings are parsed with QueryDict.
+        This is useful if you don't want the order of parameters to matter.
+        Otherwise, the query strings are compared as-is.
+        """
+        fields = ParseResult._fields
+
+        for attr, x, y in zip(fields, urlparse(url), urlparse(expected)):
+            if parse_qs and attr == 'query':
+                x, y = QueryDict(x), QueryDict(y)
+            if x and y and x != y:
+                self.fail("%r != %r (%s doesn't match)" % (url, expected, attr))
+
+
+@ignore_warnings(category=RemovedInDjango21Warning)
+class PasswordResetTest(AuthViewsTestCase):
+
+    def test_email_not_found(self):
+        """If the provided email is not registered, don't raise any error but
+        also don't send any email."""
+        response = self.client.get('/password_reset/')
+        self.assertEqual(response.status_code, 200)
+        response = self.client.post('/password_reset/', {'email': 'not_a_real_email@email.com'})
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 0)
+
+    def test_email_found(self):
+        "Email is sent if a valid email address is provided for password reset"
+        response = self.client.post('/password_reset/', {'email': 'staffmember@example.com'})
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertIn("http://", mail.outbox[0].body)
+        self.assertEqual(settings.DEFAULT_FROM_EMAIL, mail.outbox[0].from_email)
+        # optional multipart text/html email has been added.  Make sure original,
+        # default functionality is 100% the same
+        self.assertFalse(mail.outbox[0].message().is_multipart())
+
+    def test_extra_email_context(self):
+        """
+        extra_email_context should be available in the email template context.
+        """
+        response = self.client.post(
+            '/password_reset_extra_email_context/',
+            {'email': 'staffmember@example.com'},
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertIn('Email email context: "Hello!"', mail.outbox[0].body)
+
+    def test_html_mail_template(self):
+        """
+        A multipart email with text/plain and text/html is sent
+        if the html_email_template parameter is passed to the view
+        """
+        response = self.client.post('/password_reset/html_email_template/', {'email': 'staffmember@example.com'})
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 1)
+        message = mail.outbox[0].message()
+        self.assertEqual(len(message.get_payload()), 2)
+        self.assertTrue(message.is_multipart())
+        self.assertEqual(message.get_payload(0).get_content_type(), 'text/plain')
+        self.assertEqual(message.get_payload(1).get_content_type(), 'text/html')
+        self.assertNotIn('<html>', message.get_payload(0).get_payload())
+        self.assertIn('<html>', message.get_payload(1).get_payload())
+
+    def test_email_found_custom_from(self):
+        "Email is sent if a valid email address is provided for password reset when a custom from_email is provided."
+        response = self.client.post('/password_reset_from_email/', {'email': 'staffmember@example.com'})
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual("staffmember@example.com", mail.outbox[0].from_email)
+
+    # Skip any 500 handler action (like sending more mail...)
+    @override_settings(DEBUG_PROPAGATE_EXCEPTIONS=True)
+    def test_poisoned_http_host(self):
+        "Poisoned HTTP_HOST headers can't be used for reset emails"
+        # This attack is based on the way browsers handle URLs. The colon
+        # should be used to separate the port, but if the URL contains an @,
+        # the colon is interpreted as part of a username for login purposes,
+        # making 'evil.com' the request domain. Since HTTP_HOST is used to
+        # produce a meaningful reset URL, we need to be certain that the
+        # HTTP_HOST header isn't poisoned. This is done as a check when get_host()
+        # is invoked, but we check here as a practical consequence.
+        with patch_logger('django.security.DisallowedHost', 'error') as logger_calls:
+            response = self.client.post(
+                '/password_reset/',
+                {'email': 'staffmember@example.com'},
+                HTTP_HOST='www.example:dr.frankenstein@evil.tld'
+            )
+            self.assertEqual(response.status_code, 400)
+            self.assertEqual(len(mail.outbox), 0)
+            self.assertEqual(len(logger_calls), 1)
+
+    # Skip any 500 handler action (like sending more mail...)
+    @override_settings(DEBUG_PROPAGATE_EXCEPTIONS=True)
+    def test_poisoned_http_host_admin_site(self):
+        "Poisoned HTTP_HOST headers can't be used for reset emails on admin views"
+        with patch_logger('django.security.DisallowedHost', 'error') as logger_calls:
+            response = self.client.post(
+                '/admin_password_reset/',
+                {'email': 'staffmember@example.com'},
+                HTTP_HOST='www.example:dr.frankenstein@evil.tld'
+            )
+            self.assertEqual(response.status_code, 400)
+            self.assertEqual(len(mail.outbox), 0)
+            self.assertEqual(len(logger_calls), 1)
+
+    def _test_confirm_start(self):
+        # Start by creating the email
+        self.client.post('/password_reset/', {'email': 'staffmember@example.com'})
+        self.assertEqual(len(mail.outbox), 1)
+        return self._read_signup_email(mail.outbox[0])
+
+    def _read_signup_email(self, email):
+        urlmatch = re.search(r"https?://[^/]*(/.*reset/\S*)", email.body)
+        self.assertIsNotNone(urlmatch, "No URL found in sent email")
+        return urlmatch.group(), urlmatch.groups()[0]
+
+    def test_confirm_valid(self):
+        url, path = self._test_confirm_start()
+        response = self.client.get(path)
+        # redirect to a 'complete' page:
+        self.assertContains(response, "Please enter your new password")
+
+    def test_confirm_invalid(self):
+        url, path = self._test_confirm_start()
+        # Let's munge the token in the path, but keep the same length,
+        # in case the URLconf will reject a different length.
+        path = path[:-5] + ("0" * 4) + path[-1]
+
+        response = self.client.get(path)
+        self.assertContains(response, "The password reset link was invalid")
+
+    def test_confirm_invalid_user(self):
+        # Ensure that we get a 200 response for a non-existent user, not a 404
+        response = self.client.get('/reset/123456/1-1/')
+        self.assertContains(response, "The password reset link was invalid")
+
+    def test_confirm_overflow_user(self):
+        # Ensure that we get a 200 response for a base36 user id that overflows int
+        response = self.client.get('/reset/zzzzzzzzzzzzz/1-1/')
+        self.assertContains(response, "The password reset link was invalid")
+
+    def test_confirm_invalid_post(self):
+        # Same as test_confirm_invalid, but trying
+        # to do a POST instead.
+        url, path = self._test_confirm_start()
+        path = path[:-5] + ("0" * 4) + path[-1]
+
+        self.client.post(path, {
+            'new_password1': 'anewpassword',
+            'new_password2': ' anewpassword',
+        })
+        # Check the password has not been changed
+        u = User.objects.get(email='staffmember@example.com')
+        self.assertTrue(not u.check_password("anewpassword"))
+
+    def test_confirm_complete(self):
+        url, path = self._test_confirm_start()
+        response = self.client.post(path, {'new_password1': 'anewpassword', 'new_password2': 'anewpassword'})
+        # Check the password has been changed
+        u = User.objects.get(email='staffmember@example.com')
+        self.assertTrue(u.check_password("anewpassword"))
+
+        # Check we can't use the link again
+        response = self.client.get(path)
+        self.assertContains(response, "The password reset link was invalid")
+
+    def test_confirm_different_passwords(self):
+        url, path = self._test_confirm_start()
+        response = self.client.post(path, {'new_password1': 'anewpassword', 'new_password2': 'x'})
+        self.assertFormError(response, SetPasswordForm.error_messages['password_mismatch'])
+
+    def test_reset_redirect_default(self):
+        response = self.client.post('/password_reset/', {'email': 'staffmember@example.com'})
+        self.assertEqual(response.status_code, 302)
+        self.assertURLEqual(response.url, '/password_reset/done/')
+
+    def test_reset_custom_redirect(self):
+        response = self.client.post('/password_reset/custom_redirect/', {'email': 'staffmember@example.com'})
+        self.assertEqual(response.status_code, 302)
+        self.assertURLEqual(response.url, '/custom/')
+
+    def test_reset_custom_redirect_named(self):
+        response = self.client.post('/password_reset/custom_redirect/named/', {'email': 'staffmember@example.com'})
+        self.assertEqual(response.status_code, 302)
+        self.assertURLEqual(response.url, '/password_reset/')
+
+    def test_confirm_redirect_default(self):
+        url, path = self._test_confirm_start()
+        response = self.client.post(path, {'new_password1': 'anewpassword', 'new_password2': 'anewpassword'})
+        self.assertEqual(response.status_code, 302)
+        self.assertURLEqual(response.url, '/reset/done/')
+
+    def test_confirm_redirect_custom(self):
+        url, path = self._test_confirm_start()
+        path = path.replace('/reset/', '/reset/custom/')
+        response = self.client.post(path, {'new_password1': 'anewpassword', 'new_password2': 'anewpassword'})
+        self.assertEqual(response.status_code, 302)
+        self.assertURLEqual(response.url, '/custom/')
+
+    def test_confirm_redirect_custom_named(self):
+        url, path = self._test_confirm_start()
+        path = path.replace('/reset/', '/reset/custom/named/')
+        response = self.client.post(path, {'new_password1': 'anewpassword', 'new_password2': 'anewpassword'})
+        self.assertEqual(response.status_code, 302)
+        self.assertURLEqual(response.url, '/password_reset/')
+
+    def test_confirm_display_user_from_form(self):
+        url, path = self._test_confirm_start()
+        response = self.client.get(path)
+
+        # #16919 -- The ``password_reset_confirm`` view should pass the user
+        # object to the ``SetPasswordForm``, even on GET requests.
+        # For this test, we render ``{{ form.user }}`` in the template
+        # ``registration/password_reset_confirm.html`` so that we can test this.
+        username = User.objects.get(email='staffmember@example.com').username
+        self.assertContains(response, "Hello, %s." % username)
+
+        # However, the view should NOT pass any user object on a form if the
+        # password reset link was invalid.
+        response = self.client.get('/reset/zzzzzzzzzzzzz/1-1/')
+        self.assertContains(response, "Hello, .")
+
+
+@ignore_warnings(category=RemovedInDjango21Warning)
+@override_settings(AUTH_USER_MODEL='auth_tests.CustomUser')
+class CustomUserPasswordResetTest(AuthViewsTestCase):
+    user_email = 'staffmember@example.com'
+
+    @classmethod
+    def setUpTestData(cls):
+        cls.u1 = CustomUser.custom_objects.create(
+            email='staffmember@example.com',
+            date_of_birth=datetime.date(1976, 11, 8),
+        )
+        cls.u1.set_password('password')
+        cls.u1.save()
+
+    def _test_confirm_start(self):
+        # Start by creating the email
+        response = self.client.post('/password_reset/', {'email': self.user_email})
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(len(mail.outbox), 1)
+        return self._read_signup_email(mail.outbox[0])
+
+    def _read_signup_email(self, email):
+        urlmatch = re.search(r"https?://[^/]*(/.*reset/\S*)", email.body)
+        self.assertIsNotNone(urlmatch, "No URL found in sent email")
+        return urlmatch.group(), urlmatch.groups()[0]
+
+    def test_confirm_valid_custom_user(self):
+        url, path = self._test_confirm_start()
+        response = self.client.get(path)
+        # redirect to a 'complete' page:
+        self.assertContains(response, "Please enter your new password")
+        # then submit a new password
+        response = self.client.post(path, {
+            'new_password1': 'anewpassword',
+            'new_password2': 'anewpassword',
+        })
+        self.assertRedirects(response, '/reset/done/')
+
+
+@ignore_warnings(category=RemovedInDjango21Warning)
+@override_settings(AUTH_USER_MODEL='auth_tests.UUIDUser')
+class UUIDUserPasswordResetTest(CustomUserPasswordResetTest):
+
+    def _test_confirm_start(self):
+        # instead of fixture
+        UUIDUser.objects.create_user(
+            email=self.user_email,
+            username='foo',
+            password='foo',
+        )
+        return super(UUIDUserPasswordResetTest, self)._test_confirm_start()
+
+
+@ignore_warnings(category=RemovedInDjango21Warning)
+class ChangePasswordTest(AuthViewsTestCase):
+
+    def fail_login(self, password='password'):
+        response = self.client.post('/login/', {
+            'username': 'testclient',
+            'password': password,
+        })
+        self.assertFormError(response, AuthenticationForm.error_messages['invalid_login'] % {
+            'username': User._meta.get_field('username').verbose_name
+        })
+
+    def logout(self):
+        self.client.get('/logout/')
+
+    def test_password_change_fails_with_invalid_old_password(self):
+        self.login()
+        response = self.client.post('/password_change/', {
+            'old_password': 'donuts',
+            'new_password1': 'password1',
+            'new_password2': 'password1',
+        })
+        self.assertFormError(response, PasswordChangeForm.error_messages['password_incorrect'])
+
+    def test_password_change_fails_with_mismatched_passwords(self):
+        self.login()
+        response = self.client.post('/password_change/', {
+            'old_password': 'password',
+            'new_password1': 'password1',
+            'new_password2': 'donuts',
+        })
+        self.assertFormError(response, SetPasswordForm.error_messages['password_mismatch'])
+
+    def test_password_change_succeeds(self):
+        self.login()
+        self.client.post('/password_change/', {
+            'old_password': 'password',
+            'new_password1': 'password1',
+            'new_password2': 'password1',
+        })
+        self.fail_login()
+        self.login(password='password1')
+
+    def test_password_change_done_succeeds(self):
+        self.login()
+        response = self.client.post('/password_change/', {
+            'old_password': 'password',
+            'new_password1': 'password1',
+            'new_password2': 'password1',
+        })
+        self.assertEqual(response.status_code, 302)
+        self.assertURLEqual(response.url, '/password_change/done/')
+
+    @override_settings(LOGIN_URL='/login/')
+    def test_password_change_done_fails(self):
+        response = self.client.get('/password_change/done/')
+        self.assertEqual(response.status_code, 302)
+        self.assertURLEqual(response.url, '/login/?next=/password_change/done/')
+
+    def test_password_change_redirect_default(self):
+        self.login()
+        response = self.client.post('/password_change/', {
+            'old_password': 'password',
+            'new_password1': 'password1',
+            'new_password2': 'password1',
+        })
+        self.assertEqual(response.status_code, 302)
+        self.assertURLEqual(response.url, '/password_change/done/')
+
+    def test_password_change_redirect_custom(self):
+        self.login()
+        response = self.client.post('/password_change/custom/', {
+            'old_password': 'password',
+            'new_password1': 'password1',
+            'new_password2': 'password1',
+        })
+        self.assertEqual(response.status_code, 302)
+        self.assertURLEqual(response.url, '/custom/')
+
+    def test_password_change_redirect_custom_named(self):
+        self.login()
+        response = self.client.post('/password_change/custom/named/', {
+            'old_password': 'password',
+            'new_password1': 'password1',
+            'new_password2': 'password1',
+        })
+        self.assertEqual(response.status_code, 302)
+        self.assertURLEqual(response.url, '/password_reset/')
+
+
+@ignore_warnings(category=RemovedInDjango21Warning)
+class SessionAuthenticationTests(AuthViewsTestCase):
+    def test_user_password_change_updates_session(self):
+        """
+        #21649 - Ensure contrib.auth.views.password_change updates the user's
+        session auth hash after a password change so the session isn't logged out.
+        """
+        self.login()
+        response = self.client.post('/password_change/', {
+            'old_password': 'password',
+            'new_password1': 'password1',
+            'new_password2': 'password1',
+        })
+        # if the hash isn't updated, retrieving the redirection page will fail.
+        self.assertRedirects(response, '/password_change/done/')
diff --git a/tests/auth_tests/test_templates.py b/tests/auth_tests/test_templates.py
index 781ffcb735..5bcc5e3672 100644
--- a/tests/auth_tests/test_templates.py
+++ b/tests/auth_tests/test_templates.py
@@ -2,8 +2,8 @@ from django.contrib.auth import authenticate
 from django.contrib.auth.models import User
 from django.contrib.auth.tokens import PasswordResetTokenGenerator
 from django.contrib.auth.views import (
-    password_change, password_change_done, password_reset,
-    password_reset_complete, password_reset_confirm, password_reset_done,
+    PasswordChangeDoneView, PasswordChangeView, PasswordResetCompleteView,
+    PasswordResetConfirmView, PasswordResetDoneView, PasswordResetView,
 )
 from django.test import RequestFactory, TestCase, override_settings
 from django.utils.encoding import force_bytes, force_text
@@ -20,35 +20,35 @@ class AuthTemplateTests(TestCase):
         request = rf.get('/somepath/')
         request.user = user
 
-        response = password_reset(request, post_reset_redirect='dummy/')
+        response = PasswordResetView.as_view(success_url='dummy/')(request)
         self.assertContains(response, '<title>Password reset</title>')
         self.assertContains(response, '<h1>Password reset</h1>')
 
-        response = password_reset_done(request)
+        response = PasswordResetDoneView.as_view()(request)
         self.assertContains(response, '<title>Password reset sent</title>')
         self.assertContains(response, '<h1>Password reset sent</h1>')
 
-        # password_reset_confirm invalid token
-        response = password_reset_confirm(request, uidb64='Bad', token='Bad', post_reset_redirect='dummy/')
+        # PasswordResetConfirmView invalid token
+        response = PasswordResetConfirmView.as_view(success_url='dummy/')(request, uidb64='Bad', token='Bad')
         self.assertContains(response, '<title>Password reset unsuccessful</title>')
         self.assertContains(response, '<h1>Password reset unsuccessful</h1>')
 
-        # password_reset_confirm valid token
+        # PasswordResetConfirmView valid token
         default_token_generator = PasswordResetTokenGenerator()
         token = default_token_generator.make_token(user)
         uidb64 = force_text(urlsafe_base64_encode(force_bytes(user.pk)))
-        response = password_reset_confirm(request, uidb64, token, post_reset_redirect='dummy/')
+        response = PasswordResetConfirmView.as_view(success_url='dummy/')(request, uidb64=uidb64, token=token)
         self.assertContains(response, '<title>Enter new password</title>')
         self.assertContains(response, '<h1>Enter new password</h1>')
 
-        response = password_reset_complete(request)
+        response = PasswordResetCompleteView.as_view()(request)
         self.assertContains(response, '<title>Password reset complete</title>')
         self.assertContains(response, '<h1>Password reset complete</h1>')
 
-        response = password_change(request, post_change_redirect='dummy/')
+        response = PasswordChangeView.as_view(success_url='dummy/')(request)
         self.assertContains(response, '<title>Password change</title>')
         self.assertContains(response, '<h1>Password change</h1>')
 
-        response = password_change_done(request)
+        response = PasswordChangeDoneView.as_view()(request)
         self.assertContains(response, '<title>Password change successful</title>')
         self.assertContains(response, '<h1>Password change successful</h1>')
diff --git a/tests/auth_tests/urls.py b/tests/auth_tests/urls.py
index c6dd632e0a..6a7574b8cd 100644
--- a/tests/auth_tests/urls.py
+++ b/tests/auth_tests/urls.py
@@ -8,6 +8,7 @@ from django.contrib.messages.api import info
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import render
 from django.template import RequestContext, Template
+from django.urls import reverse_lazy
 from django.views.decorators.cache import never_cache
 
 
@@ -67,23 +68,29 @@ urlpatterns = auth_urlpatterns + [
     url(r'^logout/next_page/$', views.LogoutView.as_view(next_page='/somewhere/')),
     url(r'^logout/next_page/named/$', views.LogoutView.as_view(next_page='password_reset')),
     url(r'^remote_user/$', remote_user_auth_view),
-    url(r'^password_reset_from_email/$', views.password_reset, dict(from_email='staffmember@example.com')),
-    url(r'^password_reset_extra_email_context/$', views.password_reset,
-        dict(extra_email_context=dict(greeting='Hello!'))),
-    url(r'^password_reset/custom_redirect/$', views.password_reset, dict(post_reset_redirect='/custom/')),
-    url(r'^password_reset/custom_redirect/named/$', views.password_reset, dict(post_reset_redirect='password_reset')),
-    url(r'^password_reset/html_email_template/$', views.password_reset,
-        dict(html_email_template_name='registration/html_password_reset_email.html')),
+
+    url(r'^password_reset_from_email/$',
+        views.PasswordResetView.as_view(from_email='staffmember@example.com')),
+    url(r'^password_reset_extra_email_context/$',
+        views.PasswordResetView.as_view(extra_email_context=dict(greeting='Hello!'))),
+    url(r'^password_reset/custom_redirect/$',
+        views.PasswordResetView.as_view(success_url='/custom/')),
+    url(r'^password_reset/custom_redirect/named/$',
+        views.PasswordResetView.as_view(success_url=reverse_lazy('password_reset'))),
+    url(r'^password_reset/html_email_template/$',
+        views.PasswordResetView.as_view(
+            html_email_template_name='registration/html_password_reset_email.html'
+        )),
     url(r'^reset/custom/(?P<uidb64>[0-9A-Za-z_\-]+)/(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$',
-        views.password_reset_confirm,
-        dict(post_reset_redirect='/custom/')),
+        views.PasswordResetConfirmView.as_view(success_url='/custom/')),
     url(r'^reset/custom/named/(?P<uidb64>[0-9A-Za-z_\-]+)/(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$',
-        views.password_reset_confirm,
-        dict(post_reset_redirect='password_reset')),
-    url(r'^password_change/custom/$', views.password_change, dict(post_change_redirect='/custom/')),
-    url(r'^password_change/custom/named/$', views.password_change, dict(post_change_redirect='password_reset')),
-    url(r'^login_required/$', login_required(views.password_reset)),
-    url(r'^login_required_login_url/$', login_required(views.password_reset, login_url='/somewhere/')),
+        views.PasswordResetConfirmView.as_view(success_url=reverse_lazy('password_reset'))),
+    url(r'^password_change/custom/$',
+        views.PasswordChangeView.as_view(success_url='/custom/')),
+    url(r'^password_change/custom/named/$',
+        views.PasswordChangeView.as_view(success_url=reverse_lazy('password_reset'))),
+    url(r'^login_required/$', login_required(views.PasswordResetView.as_view())),
+    url(r'^login_required_login_url/$', login_required(views.PasswordResetView.as_view(), login_url='/somewhere/')),
 
     url(r'^auth_processor_no_attr_access/$', auth_processor_no_attr_access),
     url(r'^auth_processor_attr_access/$', auth_processor_attr_access),
diff --git a/tests/auth_tests/urls_deprecated.py b/tests/auth_tests/urls_deprecated.py
new file mode 100644
index 0000000000..2881e7d9d5
--- /dev/null
+++ b/tests/auth_tests/urls_deprecated.py
@@ -0,0 +1,39 @@
+from django.conf.urls import url
+from django.contrib import admin
+from django.contrib.auth import views
+from django.contrib.auth.decorators import login_required
+
+
+# special urls for deprecated function-based views
+urlpatterns = [
+    url(r'^login/$', views.login, name='login'),
+    url(r'^logout/$', views.logout, name='logout'),
+    url(r'^password_change/$', views.password_change, name='password_change'),
+    url(r'^password_change/done/$', views.password_change_done, name='password_change_done'),
+    url(r'^password_reset/$', views.password_reset, name='password_reset'),
+    url(r'^password_reset/done/$', views.password_reset_done, name='password_reset_done'),
+    url(r'^reset/(?P<uidb64>[0-9A-Za-z_\-]+)/(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$',
+        views.password_reset_confirm, name='password_reset_confirm'),
+    url(r'^reset/done/$', views.password_reset_complete, name='password_reset_complete'),
+
+    url(r'^password_reset_from_email/$', views.password_reset, dict(from_email='staffmember@example.com')),
+    url(r'^password_reset_extra_email_context/$', views.password_reset,
+        dict(extra_email_context=dict(greeting='Hello!'))),
+    url(r'^password_reset/custom_redirect/$', views.password_reset, dict(post_reset_redirect='/custom/')),
+    url(r'^password_reset/custom_redirect/named/$', views.password_reset, dict(post_reset_redirect='password_reset')),
+    url(r'^password_reset/html_email_template/$', views.password_reset,
+        dict(html_email_template_name='registration/html_password_reset_email.html')),
+    url(r'^reset/custom/(?P<uidb64>[0-9A-Za-z_\-]+)/(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$',
+        views.password_reset_confirm,
+        dict(post_reset_redirect='/custom/')),
+    url(r'^reset/custom/named/(?P<uidb64>[0-9A-Za-z_\-]+)/(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$',
+        views.password_reset_confirm,
+        dict(post_reset_redirect='password_reset')),
+    url(r'^password_change/custom/$', views.password_change, dict(post_change_redirect='/custom/')),
+    url(r'^password_change/custom/named/$', views.password_change, dict(post_change_redirect='password_reset')),
+    url(r'^login_required/$', login_required(views.password_reset)),
+    url(r'^login_required_login_url/$', login_required(views.password_reset, login_url='/somewhere/')),
+
+    # This line is only required to render the password reset with is_admin=True
+    url(r'^admin/', admin.site.urls),
+]