Revert to SHA1 hashing for stored passwords

This is required for the old style community auth system that is still
in use by the commitfest app. Once that has been retired or upgraded,
this patch should be reverted.

Existing passwords are automatically converted once the user logs in to
the main website once.

pgweb/settings.py

@@ -117,6 +117,22 @@ INSTALLED_APPS = [
     'pgweb.pugs',
 ]
 
+#
+# Disable the new authentication handling for now. The reason for this is
+# that we need the sha1 authentication so we can do old-style community
+# auth, which is still used by the commitfest app. Once that app is
+# migrated away, this can be reverted to the new django default which
+# is more secure.
+#
+PASSWORD_HASHERS = (
+    'django.contrib.auth.hashers.SHA1PasswordHasher',
+    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
+    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
+    'django.contrib.auth.hashers.BCryptPasswordHasher',
+    'django.contrib.auth.hashers.MD5PasswordHasher',
+    'django.contrib.auth.hashers.CryptPasswordHasher',
+)
+
 
 ###
 # Application specific settings, likely overridden in settings_local.py.