Re: [Django] #21649: Add session signing based on the value of the user's password

2014-04-17 Thread Django
#21649: Add session signing based on the value of the user's password
-----------------------------+----------------------------------------------
     Reporter:  timo         |                    Owner:  timo
         Type:  New feature  |                   Status:  closed
    Component:  contrib.auth |                  Version:  master
     Severity:  Normal       |               Resolution:  fixed
     Keywords:               |             Triage Stage:  Ready for checkin
    Has patch:  1            |      Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  0
Easy pickings:  0            |                    UI/UX:  0
-----------------------------+----------------------------------------------

Comment (by Tim Graham):

 In [changeset:"548acd77fd6356073ad4fa514c3d61f6589da43b"]:
 {{{
 #!CommitTicketReference repository=""
 revision="548acd77fd6356073ad4fa514c3d61f6589da43b"
 [1.7.x] Fixed a KeyError on login with legacy sessions; refs #21649.

 Thanks Loic for the report.

 Backport of 11e30b684d from master
 }}}

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/062.c17485d3d5d1a200db19be9f8671d50a%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Django] #21649: Add session signing based on the value of the user's password

2014-04-17 Thread Django
#21649: Add session signing based on the value of the user's password
-----------------------------+----------------------------------------------
     Reporter:  timo         |                    Owner:  timo
         Type:  New feature  |                   Status:  closed
    Component:  contrib.auth |                  Version:  master
     Severity:  Normal       |               Resolution:  fixed
     Keywords:               |             Triage Stage:  Ready for checkin
    Has patch:  1            |      Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  0
Easy pickings:  0            |                    UI/UX:  0
-----------------------------+----------------------------------------------

Comment (by Tim Graham):

 In [changeset:"11e30b684d1a74bf7cc3b3bd22c0ffbdaa28f0a0"]:
 {{{
 #!CommitTicketReference repository=""
 revision="11e30b684d1a74bf7cc3b3bd22c0ffbdaa28f0a0"
 Fixed a KeyError on login with legacy sessions; refs #21649.

 Thanks Loic for the report.
 }}}



Re: [Django] #21649: Add session signing based on the value of the user's password

2014-04-05 Thread Django
#21649: Add session signing based on the value of the user's password
-----------------------------+----------------------------------------------
     Reporter:  timo         |                    Owner:  timo
         Type:  New feature  |                   Status:  closed
    Component:  contrib.auth |                  Version:  master
     Severity:  Normal       |               Resolution:  fixed
     Keywords:               |             Triage Stage:  Ready for checkin
    Has patch:  1            |      Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  0
Easy pickings:  0            |                    UI/UX:  0
-----------------------------+----------------------------------------------

Comment (by Tim Graham):

 In [changeset:"5891fd3f89337fc190cf671575407233440d2736"]:
 {{{
 #!CommitTicketReference repository=""
 revision="5891fd3f89337fc190cf671575407233440d2736"
 [1.7.x] Fixed #21649 -- Added optional invalidation of sessions when user
 password changes.

 Thanks Paul McMillan, Aymeric Augustin, and Erik Romijn for reviews.

 Backport of fd23c06023 from master
 }}}



Re: [Django] #21649: Add session signing based on the value of the user's password

2014-04-05 Thread Django
#21649: Add session signing based on the value of the user's password
-----------------------------+----------------------------------------------
     Reporter:  timo         |                    Owner:  timo
         Type:  New feature  |                   Status:  closed
    Component:  contrib.auth |                  Version:  master
     Severity:  Normal       |               Resolution:  fixed
     Keywords:               |             Triage Stage:  Ready for checkin
    Has patch:  1            |      Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  0
Easy pickings:  0            |                    UI/UX:  0
-----------------------------+----------------------------------------------
Changes (by Tim Graham):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 In [changeset:"fd23c06023a0585ee743c0752dc94da66694cf63"]:
 {{{
 #!CommitTicketReference repository=""
 revision="fd23c06023a0585ee743c0752dc94da66694cf63"
 Fixed #21649 -- Added optional invalidation of sessions when user password
 changes.

 Thanks Paul McMillan, Aymeric Augustin, and Erik Romijn for reviews.
 }}}


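The mechanism named in the ticket title and changesets above, as an added example that is not Django's own code: the session stores an HMAC of the user's password hash, so a password change invalidates existing sessions, and a pre-upgrade session that lacks the stored value is read without raising KeyError. `SECRET_KEY`, `HASH_KEY`, the `enforce` and `accept_legacy` switches and all sample data are assumptions made for this sketch.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # assumption: stands in for the site secret
HASH_KEY = "auth_hash"                # hypothetical session key for this sketch

def session_auth_hash(password_hash):
    """HMAC of the stored password hash; its value changes with the password."""
    return hmac.new(SECRET_KEY, password_hash.encode(), hashlib.sha256).hexdigest()

def login(session, user):
    """Start an authenticated session bound to the user's current password hash."""
    session["user_id"] = user["id"]
    session[HASH_KEY] = session_auth_hash(user["password_hash"])

def verify(session, users, enforce=True, accept_legacy=False):
    """Return the session's user, or None after flushing a session that fails."""
    user = users.get(session.get("user_id"))
    if user is None:
        return None
    if not enforce:                    # opted out: session outlives a password change
        return user
    expected = session_auth_hash(user["password_hash"])
    # .get(), not session[HASH_KEY]: a pre-upgrade session has no hash stored
    stored = session.get(HASH_KEY)
    if stored is None and accept_legacy:
        session[HASH_KEY] = expected   # keep the login and bind it from now on
        return user
    if stored is None or not hmac.compare_digest(stored, expected):
        session.clear()                # password changed or unbound session: log out
        return None
    return user

def demo():
    """Constructed data: one user, one bound session, one pre-upgrade session."""
    users = {1: {"id": 1, "password_hash": "pbkdf2$constructed-old"}}
    bound, legacy = {}, {"user_id": 1}  # legacy: created before the hash existed
    login(bound, users[1])
    before = verify(bound, users) is not None
    kept_legacy = verify(legacy, users, accept_legacy=True) is not None
    users[1]["password_hash"] = "pbkdf2$constructed-new"  # password change
    opted_out = verify(dict(bound), users, enforce=False) is not None
    after = verify(bound, users) is not None
    legacy_after = verify(legacy, users) is not None
    strict_legacy = verify({"user_id": 1}, users) is not None
    return before, kept_legacy, opted_out, after, legacy_after, strict_legacy

if __name__ == "__main__":
    print(demo())
```

Accepting a legacy session keeps users logged in across the upgrade, but a session created before the upgrade is only bound to the password from its first verified request onward.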

Re: [Django] #21649: Add session signing based on the value of the user's password

2014-04-03 Thread Django
#21649: Add session signing based on the value of the user's password
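-----------------------------+----------------------------------------------
     Reporter:  timo         |                    Owner:  timo
         Type:  New feature  |                   Status:  new
    Component:  contrib.auth |                  Version:  master
     Severity:  Normal       |               Resolution:
     Keywords:               |             Triage Stage:  Ready for checkin
    Has patch:  1            |      Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  0
Easy pickings:  0            |                    UI/UX:  0
-----------------------------+----------------------------------------------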
Changes (by aaugustin):

 * stage:  Accepted => Ready for checkin




Re: [Django] #21649: Add session signing based on the value of the user's password

2014-03-29 Thread Django
#21649: Add session signing based on the value of the user's password
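-----------------------------+----------------------------------------------
     Reporter:  timo         |                    Owner:  timo
         Type:  New feature  |                   Status:  new
    Component:  contrib.auth |                  Version:  master
     Severity:  Normal       |               Resolution:
     Keywords:               |             Triage Stage:  Accepted
    Has patch:  1            |      Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  0
Easy pickings:  0            |                    UI/UX:  0
-----------------------------+----------------------------------------------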
Changes (by timo):

 * needs_better_patch:  1 => 0


Comment:

 Here's an [https://github.com/django/django/pull/2494 updated PR] that
 uses the middleware approach suggested above.



Re: [Django] #21649: Add session signing based on the value of the user's password

2013-12-31 Thread Django
#21649: Add session signing based on the value of the user's password
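-----------------------------+----------------------------------------------
     Reporter:  timo         |                    Owner:  timo
         Type:  New feature  |                   Status:  new
    Component:  contrib.auth |                  Version:  master
     Severity:  Normal       |               Resolution:
     Keywords:               |             Triage Stage:  Accepted
    Has patch:  1            |      Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  1
Easy pickings:  0            |                    UI/UX:  0
-----------------------------+----------------------------------------------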
Changes (by timo):

 * needs_better_patch:  0 => 1


Comment:

 Florian and Shai were both against losing sessions for this change. Shai
 suggested having a separate middleware for session signing & verification so
 that users who don't want this behavior can opt out. I'll look into that
 approach.



Re: [Django] #21649: Add session signing based on the value of the user's password

2013-12-30 Thread Django
#21649: Add session signing based on the value of the user's password
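-----------------------------+----------------------------------------------
     Reporter:  timo         |                    Owner:  timo
         Type:  New feature  |                   Status:  new
    Component:  contrib.auth |                  Version:  master
     Severity:  Normal       |               Resolution:
     Keywords:               |             Triage Stage:  Accepted
    Has patch:  1            |      Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  0
Easy pickings:  0            |                    UI/UX:  0
-----------------------------+----------------------------------------------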

Comment (by PaulM):

 I think in the past we've done work to preserve sessions across version
 upgrades. This of course has the downside of making the full benefit of
 the patch take an extra version to manifest. I personally don't mind
 sessions going away during upgrade, but I believe that some users of
 Django may not be comfortable with that.

 I'd defer to Jacob or Luke or another conservative core dev. The upgrade
 code path shouldn't be too complex in this case.



Re: [Django] #21649: Add session signing based on the value of the user's password

2013-12-25 Thread Django
#21649: Add session signing based on the value of the user's password
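-----------------------------+----------------------------------------------
     Reporter:  timo         |                    Owner:  timo
         Type:  New feature  |                   Status:  new
    Component:  contrib.auth |                  Version:  master
     Severity:  Normal       |               Resolution:
     Keywords:               |             Triage Stage:  Accepted
    Has patch:  1            |      Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  0
Easy pickings:  0            |                    UI/UX:  0
-----------------------------+----------------------------------------------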
Changes (by timo):

 * has_patch:  0 => 1


Comment:

 [https://github.com/django/django/pull/2113 PR] is up for review.

 One thing I'd like feedback on is whether we should try to make this more
 backwards-compatible. Currently: "As a side effect of this change, users
 will be logged out when upgrading from an older version of Django."
