When a user changed their primary email address we would simply update the email address fields. This is problematic because we have no guarantee the new address is owned by the user. We now update the fields, set the email as unverified and send a confirmation. If an exception happens during this process we rollback the changes as if the email never changed.
When looking up a user account for authentication by email address, we need to take primary into consideration. If the email address is primary we ignore the verified check (restores previous behavior after sign up and EMAIL_CONFIRMATION_REQUIRED = False.) If email address is not primary then it must be verified to ensure people don't hijack other people's email addresses. Thanks Luke Hatcher for discovering this small bug.
You can now pass fallback_url to methods which use default_redirect. This makes customizing the redirect URL simpler when you need data from the request to build the URL.
This commits adds two new signals which are similiar to their sign up counterparts. user_logged_in and user_login_attempt which are sent as they are named. Couple of other changes made to make the signals work such as unifying the interface to get the identifier field for each login form and added LoginView.after_login.
EmailAddressManager.add_email will not send confirmation if verified is True. Also, updated SignupView to take advantage of this with some minor clean ups.
When we look up an email address for a user during authentication we must only look for verified email addresses.
This change adds a new username backend which does a case-insensitive lookup on username (Django does case-sensitive.) This commit also unifies the credential keys to allow email authentication with username fallback. Backwards incompatible if you wrote a custom authentication, overrode the authenticate method and use LoginEmailForm.
When a password change occurs we now notify the user by default. This is very useful for detecting when something bad might be going on for a user. If a user receives this email when they did not expect they can now talk to the site owner to get the situation fixed.
When a User instance is created we now create an associated Account object. We make sure that User.save calling code has control over whether the creation happens. This allows our SignupView to have full control over the account creation. Fixes #26 — thanks to Douglas Meehan for the report.
EmailAddressManager.add_email now accepts confirm kwarg to control whether it will send a confirmation email. It is turned OFF by default (if you are calling add_email directly.) Added confirm kwarg to SettingsView.update_email which defaults to the value of ACCOUNT_EMAIL_CONFIRMATION_EMAIL. This patch fixes #24 which reported a bug in when we display the email confirmation user message after sign up. Thanks Dave Lowe.