--- a/.hgtags	Tue Feb 16 19:15:48 2016 +0100
+++ b/.hgtags	Thu Mar 24 09:43:25 2016 +0100
@@ -517,6 +517,9 @@
 8c5dabbcd4d9505c3a617f9dbe2b10172bdc2b3a 3.20.13
 8c5dabbcd4d9505c3a617f9dbe2b10172bdc2b3a debian/3.20.13-1
 8c5dabbcd4d9505c3a617f9dbe2b10172bdc2b3a centos/3.20.13-1
+f66a4895759e0913b1203943fc2cd7be1a821e05 3.20.14
+f66a4895759e0913b1203943fc2cd7be1a821e05 debian/3.20.14-1
+f66a4895759e0913b1203943fc2cd7be1a821e05 centos/3.20.14-1
 887c6eef807781560adcd4ecd2dea9011f5a6681 3.21.0
 887c6eef807781560adcd4ecd2dea9011f5a6681 debian/3.21.0-1
 887c6eef807781560adcd4ecd2dea9011f5a6681 centos/3.21.0-1

--- a/debian/changelog	Tue Feb 16 19:15:48 2016 +0100
+++ b/debian/changelog	Thu Mar 24 09:43:25 2016 +0100
@@ -46,6 +46,12 @@
 
  -- Julien Cristau <julien.cristau@logilab.fr>  Fri, 10 Jul 2015 17:04:11 +0200
 
+cubicweb (3.20.14-1) unstable; urgency=medium
+
+  * new upstream release
+
+ -- Julien Cristau <julien.cristau@logilab.fr>  Mon, 21 Mar 2016 17:59:22 +0100
+
 cubicweb (3.20.13-1) unstable; urgency=medium
 
   * new upstream release

--- a/misc/migration/3.10.0_Any.py	Tue Feb 16 19:15:48 2016 +0100
+++ b/misc/migration/3.10.0_Any.py	Thu Mar 24 09:43:25 2016 +0100
@@ -1,4 +1,3 @@
-from cubicweb.server.session import hooks_control
 
 for uri, cfg in config.read_sources_file().items():
     if uri in ('system', 'admin'):
@@ -9,7 +8,7 @@
 add_relation_definition('CWSource', 'cw_source', 'CWSource')
 add_entity_type('CWSourceHostConfig')
 
-with hooks_control(session, session.HOOKS_ALLOW_ALL, 'cw.sources'):
+with session.allow_all_hooks_but('cw.sources'):
     create_entity('CWSource', type=u'native', name=u'system')
 commit()
 

--- a/misc/migration/3.10.9_Any.py	Tue Feb 16 19:15:48 2016 +0100
+++ b/misc/migration/3.10.9_Any.py	Thu Mar 24 09:43:25 2016 +0100
@@ -14,7 +14,7 @@
     enabled = interactive_mode
     with progress(title=title, nbops=nbops, size=30, enabled=enabled) as pb:
         for i,  row in enumerate(rset):
-            with hooks_control(session, session.HOOKS_DENY_ALL, 'integrity'):
+            with session.deny_all_hooks_but('integrity'):
                 data = {'eid': row[0], 'cwuri': row[1].replace(u'/eid', u'')}
                 rql('SET X cwuri %(cwuri)s WHERE X eid %(eid)s', data)
             if not i % 100: # commit every 100 entities to limit memory consumption

--- a/server/sources/native.py	Tue Feb 16 19:15:48 2016 +0100
+++ b/server/sources/native.py	Thu Mar 24 09:43:25 2016 +0100
@@ -1507,7 +1507,12 @@
         if 'CWUser' in schema: # probably an empty schema if not true...
             # rql syntax trees used to authenticate users
             self._passwd_rqlst = self.source.compile_rql(self.passwd_rql, self._sols)
-            self._auth_rqlst = self.source.compile_rql(self.auth_rql, self._sols)
+            if 'CWSource' in schema:
+                self._auth_rqlst = self.source.compile_rql(self.auth_rql, self._sols)
+            else:
+                self._auth_rqlst = self.source.compile_rql(
+                        u'Any X WHERE X is CWUser, X login %(login)s, X upassword %(pwd)s',
+                        ({'X': 'CWUser', 'P': 'Password'},))
 
     def authenticate(self, cnx, login, password=None, **kwargs):
         """return CWUser eid for the given login/password if this account is