0.38.0 (2018-10-03)#
Security notice#
The {% user_display user %} tag did not escape properly. Depending on the
username validation rules, this could lead to XSS issues.
Note worthy changes#
New provider: Vimeo (OAuth2).
New translations: Basque.
0.37.1 (2018-08-27)#
Backwards incompatible changes#
Dropped the
x-li-src: msdkheaders from thelinkedin_oauth2handshake. This header is only required for mobile tokens, and breaks the regular flow. Use theHEADERSsetting to add this header if you need it.
0.37.0 (2018-08-27)#
Note worthy changes#
The Battle.net login backend now recognizes
apacas a valid region.User model using a
UUIDFieldas it’s primary key can now be logged in upon email confirmation (if usingACCOUNT_LOGIN_ON_EMAIL_CONFIRMATION).New providers: Agave, Cern, Disqus, Globus.
New translation: Danish.
0.36.0 (2018-05-08)#
Note worthy changes#
New providers: Telegram, QuickBooks.
The Facebook API version now defaults to v2.12.
ORCID upgraded to use API v2.1.
Security notice#
In previous versions, the authentication backend did not invoke the
user_can_authenticate()method, potentially allowing users withis_active=Falseto authenticate when the allauth authentication backend was used in a non allauth context.
0.35.0 (2018-02-02)#
Note worthy changes#
Add support for Django 2.0
Security notice#
As an extra security measure on top of what the standard Django password reset token generator is already facilitating, allauth now adds the user email address to the hash such that whenever the user’s email address changes the token is invalidated.
Backwards incompatible changes#
Drop support for Django 1.8 and Django 1.10.
Note worthy changes#
New provider: Azure, Microsoft Graph, Salesforce, Yahoo.