ndarville / pony-forum

A modern alternative to ancient forum CMSes like vBulletin and PHPBB in Python on Django. (Alpha stage.) (NB: dotCloud have since removed their free Sandbox tier.)
http://pony-forum.com
26 stars, 7 forks

Upgrade django-registration to 0.8 for Django 1.4 #36

Closed ndarville closed 12 years ago

ndarville commented 12 years ago

After three-and-a-half years, django-registration has been upgraded, involving a complete rewrite of the codebase. Instructions for migrating can be found here.

Impetus

The main impetus to upgrade django-registration is that the current version, 0.7, uses SHA1 password-hashing, which has been deprecated by Django 1.4 and poses a security threat.

The Problem

However, django-twostepauth has not been upgraded in light of the revision, so I assume that it will be incompatible with django-registration 0.8.

Ameliorations

A temporary fix would apply a newer password-hashing function to the deprecated, insecure SHA1-hashed passwords as some kind of post hook.

For now, better to look into whether django-twostepauth is in fact incompatible with the new version of django-registration.
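The "post hook" described above, as an added example that is not pony-forum's own code: a legacy `sha1$salt$hex` hash (the pre-1.4 Django format) is verified on login and, if the password checks out, silently rewritten as a `pbkdf2_sha256$iterations$salt$b64` hash, the format Django 1.4 uses by default. The in-memory `users` dict stands in for the user table and is a constructed sample, not a project data structure; Django 1.4 itself performs the same upgrade through the `setter` argument of `django.contrib.auth.hashers.check_password`.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 10000  # Django 1.4's default iteration count for pbkdf2_sha256


def legacy_sha1_hash(password: str, salt: str) -> str:
    """Pre-1.4 Django format: sha1$<salt>$<hex(sha1(salt + password))>.
    Kept only so existing rows can still be verified; never used for new hashes."""
    digest = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return f"sha1${salt}${digest}"


def pbkdf2_hash(password: str, salt: str = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Django 1.4 format: pbkdf2_sha256$<iterations>$<salt>$<base64(derived key)>."""
    if salt is None:
        # 9 random bytes -> 12 base64 chars; base64 never contains the '$' separator
        salt = base64.b64encode(os.urandom(9)).decode("ascii")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("ascii"), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(dk).decode('ascii')}"


def is_legacy(encoded: str) -> bool:
    """True for hashes still stored in the deprecated SHA1 scheme."""
    return encoded.startswith("sha1$")


def check_password(password: str, encoded: str) -> bool:
    """Verify a password against either stored format; constant-time comparison."""
    algorithm = encoded.split("$", 1)[0]
    if algorithm == "sha1":
        _, salt, _ = encoded.split("$")
        candidate = legacy_sha1_hash(password, salt)
    elif algorithm == "pbkdf2_sha256":
        _, iterations, salt, _ = encoded.split("$")
        candidate = pbkdf2_hash(password, salt, int(iterations))
    else:
        return False  # unknown or unsupported algorithm
    return hmac.compare_digest(candidate, encoded)


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate and, on success, upgrade a legacy hash in place.
    The plaintext is only available at login time, so accounts that never
    log in again keep their SHA1 hash; a separate audit (count_legacy) shows
    how many rows are still waiting for the upgrade."""
    encoded = users.get(username)
    if encoded is None or not check_password(password, encoded):
        return False
    if is_legacy(encoded):
        users[username] = pbkdf2_hash(password)
    return True


def count_legacy(users: dict) -> int:
    """Number of accounts still stored with the deprecated hash."""
    return sum(1 for encoded in users.values() if is_legacy(encoded))


if __name__ == "__main__":
    # Constructed sample store: one account left over from the SHA1 era.
    users = {"alice": legacy_sha1_hash("correct horse", "ab12")}
    print("legacy rows before login:", count_legacy(users))
    login(users, "alice", "correct horse")
    print("legacy rows after login:", count_legacy(users))
    print(users["alice"])
```

The upgrade only fires on a successful login, because that is the only moment the plaintext exists; a failed attempt leaves the old hash untouched, which is why `count_legacy` is worth running periodically to see how much of the user table is still on SHA1.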

python -Wall manage.py runserver

  1. Change any use of registration.urls to registration.backends.default.urls
    • The older include will continue to work until django-registration 1.0; in 0.8 it raises a PendingDeprecationWarning (which is ignored by default in Python), in 0.9 it will raise DeprecationWarning (which will begin printing warning messages on import) and in 1.0 it will be removed entirely.
  2. Changes to registration views:
    1. Both views now require the keyword argument backend, which specifies the registration backend to use.
    2. The profile_callback argument of the register() view has been removed.
    3. The activate() view now issues a redirect upon successful activation; in the default backend this is to the URL pattern named registration_activation_complete; in the default setup, this will redirect to a view which renders the template registration/activation_complete.html, and so this template should be present when using the default backend and default configuration.
  3. Changes to registration forms:
    • Previously, the form used to collect data during registration was expected to implement a save() method which would create the new user account. This is no longer the case; creating the account is handled by the backend, and so any custom logic should be moved into a custom backend, or by connecting listeners to the [signals sent during the registration process]().
  4. Changes to the RegistrationProfile model:
    1. The create_inactive_user() method of RegistrationManager now has an additional required argument: site.
    2. The user_registered signal is no longer sent by create_inactive_user(), and the user_activated signal is no longer sent by activate_user(); these signals are now sent by the backend after these methods have been called. Note that these signals were added after the django-registration 0.7 release but before the refactoring which introduced the backend API, so only installations which were tracking the in-development codebase will have made use of them.
    3. The sending of activation emails has been factored out of create_inactive_user(), and now exists as the method send_activation_email() on instances of RegistrationProfile.

Afterwards

Look into expansive password security measures:

  1. Built-in two-factor authentication
  2. Global password reset
  3. More password security:
ndarville commented 12 years ago

django-twostepauth has not been updated since its initial commit, so it is time to roll it back, before django-registration is updated.

The relevant commits are 758c58bd91, 23c885b429, and 86a18f5b04dec.

Links:

  1. http://devdoodles.wordpress.com/2009/02/16/user-authentication-with-django-registration/
  2. http://www.michelepasin.org/techblog/2011/01/14/setting-up-django-registration/
  3. http://www.lightbird.net/dbe/forum3.html#user-registration

models.py.

urls.py:

  1. http://rdegges.com/user-authentication-with-django
  2. http://peyman-django.blogspot.dk/2010/03/full-easy-authentication-using.html