docs/release-notes/2016.rst
0.29.0 (2016-11-21)
0.28.0 (2016-10-13)
SCOPE and/or AUTH_PARAMS (part of the
larger SOCIALACCOUNT_PROVIDERS setting). The changes would persist across
subsequent requests for all users, provided these settings were explicitly set
within your project. These settings translate directly into request
parameters, giving the attacker undesirable control over the OAuth(2)
handshake. You are not affected if you did not explicitly configure these
settings. Thanks to Ryan Kelly for reporting!New providers: Doximity.
New translations: Korean.
0.27.0 (2016-08-18)
Django 1.10 compatibility.
The Twitter and GitHub providers now support querying of the email address.
When ACCOUNT_SIGNUP_EMAIL_ENTER_TWICE was turned on, the email field key
changed from email to email1, which could introduce subtle bugs. This
has now been changed: there always is an email field, and optionally an
email2 field.
The "You must type the same password each time" form validation error that can
be triggered during signup is now added to the password2 field instead of
being added to the non field errors.
The email_confirmation_sent signal is now passed request,
confirmation and signup instead of only the confirmation.
ACCOUNT_PASSWORD_MIN_LENGTH was already deprecated, but is now completely
ignored if AUTH_PASSWORD_VALIDATORS is not empty.
0.26.1 (2016-07-25)
Locale files wrongly packaged, fixed.
Fixed bug (KeyError) when ACCOUNT_SIGNUP_EMAIL_ENTER_TWICE was set to
True.
0.26.0 (2016-07-24)
New providers: Weixin, Battle.net, Asana, Eve Online, 23andMe, Slack
Django's password validation mechanism (see AUTH_PASSWORD_VALIDATORS) is now
used to validate passwords.
By default, email confirmations are no longer stored in the database. Instead, the email confirmation mail contains an HMAC based key identifying the email address to confirm. The verification lookup includes a fallback to the previous strategy so that there is no negative impact on pending verification emails.
A new setting ACCOUNT_SIGNUP_EMAIL_ENTER_TWICE was added, requiring users to
input their email address twice. The setting
ACCOUNT_SIGNUP_PASSWORD_VERIFICATION has been renamed to
ACCOUNT_SIGNUP_PASSWORD_ENTER_TWICE.
New translations: Latvian, Kyrgyz.
Dropped support for Django 1.6
In order to accommodate for Django's password validation, the
clean_password method of the adapter now takes an (optional)
user parameter as its second argument.
The new HMAC based keys may contain colons. If you have forked
account/urls.py, be sure to sync the account_confirm_email
pattern.
0.25.2 (2016-03-13)
0.25.1 (2016-03-13)
0.25.0 (2016-03-12)
Many providers were added: Reddit, Untappd, GitLab, Stripe, Pinterest, Shopify, Draugiem, DigitalOcean, Robinhood, Bitbucket(OAuth2).
The account connections view is now AJAX aware.
You can now customize the template extension that is being used to
render all HTML templates (ACCOUNT_TEMPLATE_EXTENSION)
In order to be secure by default, users are now blocked from logging
in after exceeding a maximum number of failed login attempts (see
ACCOUNT_LOGIN_ATTEMPTS_LIMIT,
ACCOUNT_LOGIN_ATTEMPTS_TIMEOUT). Set
ACCOUNT_LOGIN_ATTEMPTS_LIMIT to None to disable this
functionality. Important: while this protects the allauth login view, it
does not protect Django's admin login from being brute forced.
New translations: Arabic, Lithuanian
None