The secret attribute of Association is made not editable.
It is then not editable and displayed in the admin interface,
as this kind of object should not be added in the admin.
In Django 1.4, CsrfResponseMiddleware and CsrfMiddleware are removed.
The {% csrf_token %} template tag inside forms to enable CSRF protection
must be used instead.
CsrfViewMiddleware remains and is enabled by default.
Since Django 1.4, the app django.contrib.admin respects the conventions
for static files included in apps managed by django.contrib.staticfiles.
See https://docs.djangoproject.com/en/dev/releases/1.4/ for details.
The openid_meta template tag is replaced by a template context processor
which is more appropriate for a variable which must be used on every
frontend page.
Fixes #1357
Up to now, the only SAML2 SP behavior of Authentic 2 when a transient
nameID was received was to open an anonymous session.
That corresponds to the option "Behavior with transient NameID"
of an "identity provider options policy" set to "Open a session".
Now we implement the option set to "Ask authentication". That allows
asking for a user authentication even when a valid assertion is received
containing a transient nameID. That may make sense, for instance, if
the SSO login is used only to receive signed attributes for
users with existing accounts.
We state that the user consent for federation should not be asked by
the idp if a nameID is served.
We previously checked if the user was a transient one to determine
if we should ask the consent.
However, what is important about the consent is not if the user is a
transient one but rather if we provide a transient nameID.
Obviously, if the user is a transient one, we only provide transient
nameIDs.
But now consent is also skipped for non-transient users for which
a transient nameID is served.
The DEBUG mode by default is a temporary choice to have the users
beginning with Authentic 2 and using the development server not be
disappointed by the static files not being served.
The Django Debug Toolbar is a dependency in the DEBUG mode.
django-registration is currently badly maintained; a fork exists named
django-registration2, but it is incompatible with django-auth-openid as
it changed some internal URL names. For now we must consider
django-registration an internally distributed dependency. The copy in
authentic/vendor/registration/ should be updated regularly.