Update to Django 1.10

[stsewd]

Closes #4174

Things we need to check:

• https://docs.djangoproject.com/en/2.0/releases/1.10/#removed-weak-password-hashers-from-the-default-password-hashers-setting we are using a salted sha1 to hash the user passwords (at least in our tests fixtures), these hashes were removed in 1.10. We need to check if we have these hashes in the db (I'm not sure and the docs didn't mention, but what will happen to this users? the change is automatically? Are their required to change the password?). EDIT: We need to update those Meta: Upgrade Django to 1.10 #4174 (comment)
• we need to upgrade tastypie, because of https://docs.djangoproject.com/en/2.0/releases/1.10/#features-removed-in-1-10 (tastpie 0.13.1 uses get_all_field_names() we need to update to 0.13.2/3) This is blocked because of Tastypie needs to upgrade our dependencies to support Python3 #3570 (comment)
• Make sure we are using a supported postgres version https://docs.djangoproject.com/en/2.0/releases/1.10/#dropped-support-for-postgresql-9-1
• A new migration for users was added in this version

[stsewd]

Looks like some changes were made to the BaseCommand class too. option_list was deprecated in django 1.8 https://docs.djangoproject.com/en/1.9/howto/custom-management-commands/#django.core.management.BaseCommand.option_list we can fix that in another PR.

[davidfischer]

we are using a salted sha1 to hash the user passwords (at least in our tests fixtures)

Just to clarify in case anybody comes by and reads this, we are not using this in production. We are using PBKDF2 with 20k iterations. By upgrading to Django 1.10, this will change to 30k iterations whenever somebody logs in.

[ericholscher]

we need to upgrade tastypie, because of https://docs.djangoproject.com/en/2.0/releases/1.10/#features-removed-in-1-10 (tastpie 0.13.1 uses get_all_field_names() we need to update to 0.13.2/3) This is blocked because of #3570 (comment)

I wonder if we can just make the API read-only using the ReadOnlyAuthorization, and remove our fancy Django-based authorization? That might be a way to upgrade it. I don't believe there are any "logged in only" features of it, so we should be safe to just make it read-only for anyone.

This also feels like a nice way to slowly deprecate it.

[stsewd]

I'm trying that right now, seems to work.

[stsewd]

@ericholscher we only have this test for creating a project (for superusers only), I'm not sure if that is something we use https://github.com/rtfd/readthedocs.org/blob/d413341097466f90ca10eabadc347d35970847df/readthedocs/rtd_tests/tests/test_api.py#L420-L432

[ericholscher]

@ericholscher we only have this test for creating a project (for superusers only), I'm not sure if that is something we use

Don't believe so -- it is likely from when we used it from the builders in the past.

[agjohnson]

Just noting here that we're targeting django 1.10 for our version 3.0, so i think we should probably back burner this project for right now. Our version 3.0 is probably a couple months out realistically, once we've wrapped up the yaml and search feature changes.