Django-hijack

- Unify settings; Django will show a warning if a deprecated setting name is used. See http://django-hijack.rtfd.org/en/latest/configuration/#settings-overview
- Drop official support for Django 1.4, 1.6; add support for 1.9 using https://github.com/arteria/django-compat v1.0.8
- Add i18n support, see https://github.com/arteria/django-hijack/tree/v2.0.0/hijack/locale
- Make `HIJACK_DECORATOR` configurable
- Do not update last_login time of hijacked users
- Add optional Bootstrap-optimized notification bar. Can be activated with `HIJACK_USE_BOOTSTRAP`
- Add signals `hijack_started` and `hijack_ended`
- Add AppConfig and various checks
- Check "next" GET parameter for safety
- Move documentation to http://django-hijack.readthedocs.org/
- Use https://github.com/arteria/django-sessioninfo as a dependency
- Rewrite tests

- Bugfixes
- Allow hijacking users with negative IDs

- allow email usernames in login_with_username
- dropped support for django 1.5

- Added RemoteUser support, for more information see the [FAQ](https://github.com/arteria/django-hijack#support-for-custom-user-models)
- Fixed hide button to redirects to correct full path
- [Custom hijack function](https://github.com/arteria/django-hijack#support-for-custom-user-models)

**NOTE**: Be careful using the [new custom hijack function](https://github.com/arteria/django-hijack#custom-hijack-function), this can cause serious security vulnerabilities!

Security update.
We recommend you to update django-hijack to the latest version.
- HTML tags, are now rendered with escaping

- Do not allow staff users to hijack superusers
- Add setting to choose which user attributes can be used for hijacking a user
- Use a more liberal/naive approach to regex checking for an email
- Code cleanup
- Check staff status against logged in user instead the user being hijacked (bugfix)
- Only include 'disable-hijack-warning' url if HIJACK_NOTIFY_ADMIN is enabled