summaryrefslogtreecommitdiff
path: root/docs/releases
diff options
context:
space:
mode:
authorElif T. Kus <elifkus@gmail.com>2016-01-03 12:56:22 +0200
committerTim Graham <timograham@gmail.com>2016-01-22 12:12:17 -0500
commitbca9faae95db2a92e540fbd08505c134639916fe (patch)
tree92b34dd8ecf8cf5432c25d43292ebc83b7919350 /docs/releases
parent79d0a4fdb0d13ba6a843dace2b90ab44e856bd85 (diff)
Fixed #26020 -- Normalized header stylings in docs.
Diffstat (limited to 'docs/releases')
-rw-r--r--docs/releases/1.1.3.txt2
-rw-r--r--docs/releases/1.1.4.txt2
-rw-r--r--docs/releases/1.10.txt74
-rw-r--r--docs/releases/1.2.4.txt2
-rw-r--r--docs/releases/1.2.5.txt8
-rw-r--r--docs/releases/1.2.txt14
-rw-r--r--docs/releases/1.3.4.txt2
-rw-r--r--docs/releases/1.3.5.txt4
-rw-r--r--docs/releases/1.3.6.txt8
-rw-r--r--docs/releases/1.3.txt84
-rw-r--r--docs/releases/1.4.10.txt2
-rw-r--r--docs/releases/1.4.2.txt2
-rw-r--r--docs/releases/1.4.3.txt4
-rw-r--r--docs/releases/1.4.4.txt8
-rw-r--r--docs/releases/1.4.6.txt2
-rw-r--r--docs/releases/1.4.7.txt2
-rw-r--r--docs/releases/1.4.8.txt4
-rw-r--r--docs/releases/1.4.9.txt2
-rw-r--r--docs/releases/1.4.txt152
-rw-r--r--docs/releases/1.5.2.txt4
-rw-r--r--docs/releases/1.5.3.txt4
-rw-r--r--docs/releases/1.5.4.txt4
-rw-r--r--docs/releases/1.5.5.txt4
-rw-r--r--docs/releases/1.5.txt88
-rw-r--r--docs/releases/1.6.txt108
-rw-r--r--docs/releases/1.7.txt198
-rw-r--r--docs/releases/1.8.txt204
-rw-r--r--docs/releases/1.9.txt124
-rw-r--r--docs/releases/security.txt218
29 files changed, 666 insertions, 668 deletions
diff --git a/docs/releases/1.1.3.txt b/docs/releases/1.1.3.txt
index ffc0395199..270f495813 100644
--- a/docs/releases/1.1.3.txt
+++ b/docs/releases/1.1.3.txt
@@ -19,7 +19,7 @@ Backwards incompatible changes
==============================
Restricted filters in admin interface
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------
The Django administrative interface, django.contrib.admin, supports
filtering of displayed lists of objects by fields on the corresponding
diff --git a/docs/releases/1.1.4.txt b/docs/releases/1.1.4.txt
index 1d16a8cb1c..4d3544cc35 100644
--- a/docs/releases/1.1.4.txt
+++ b/docs/releases/1.1.4.txt
@@ -19,7 +19,7 @@ Backwards incompatible changes
==============================
CSRF exception for AJAX requests
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
Django includes a CSRF-protection mechanism, which makes use of a
token inserted into outgoing forms. Middleware then checks for the
diff --git a/docs/releases/1.10.txt b/docs/releases/1.10.txt
index 57478ee285..d0a7ba3b41 100644
--- a/docs/releases/1.10.txt
+++ b/docs/releases/1.10.txt
@@ -27,10 +27,10 @@ What's new in Django 1.10
...
Minor features
-~~~~~~~~~~~~~~
+--------------
:mod:`django.contrib.admin`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
* For sites running on a subpath, the default :attr:`URL for the "View site"
link <django.contrib.admin.AdminSite.site_url>` at the top of each admin page
@@ -57,12 +57,12 @@ Minor features
method is now the preferred way of retrieving the change message.
:mod:`django.contrib.admindocs`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ...
:mod:`django.contrib.auth`
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~
* The default iteration count for the PBKDF2 password hasher has been increased
by 25%. This backwards compatible change will not affect users who have
@@ -77,12 +77,12 @@ Minor features
to allow using it without credentials.
:mod:`django.contrib.contenttypes`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ...
:mod:`django.contrib.gis`
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~
* :ref:`Distance lookups <distance-lookups>` now accept expressions as the
distance value parameter.
@@ -122,39 +122,39 @@ Minor features
<django.contrib.gis.geos.MultiLineString.closed>` properties.
:mod:`django.contrib.messages`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ...
:mod:`django.contrib.postgres`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ...
:mod:`django.contrib.redirects`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ...
:mod:`django.contrib.sessions`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The :djadmin:`clearsessions` management command now removes file-based
sessions.
:mod:`django.contrib.sitemaps`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ...
:mod:`django.contrib.sites`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The :class:`~django.contrib.sites.models.Site` model now supports
:ref:`natural keys <topics-serialization-natural-keys>`.
:mod:`django.contrib.staticfiles`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The :ttag:`static` template tag now uses ``django.contrib.staticfiles``
if it's in ``INSTALLED_APPS``. This is especially useful for third-party apps
@@ -163,61 +163,61 @@ Minor features
not worry about whether or not the ``staticfiles`` app is installed.
:mod:`django.contrib.syndication`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ...
Cache
-^^^^^
+~~~~~
* The file-based cache backend now uses the highest pickling protocol.
CSRF
-^^^^
+~~~~
* The default :setting:`CSRF_FAILURE_VIEW`, ``views.csrf.csrf_failure()`` now
accepts an optional ``template_name`` parameter, defaulting to
``'403_csrf.html'``, to control the template used to render the page.
Database backends
-^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~
* ...
Email
-^^^^^
+~~~~~
* ...
File Storage
-^^^^^^^^^^^^
+~~~~~~~~~~~~
* ...
File Uploads
-^^^^^^^^^^^^
+~~~~~~~~~~~~
* ...
Forms
-^^^^^
+~~~~~
* Form and widget ``Media`` is now served using
:mod:`django.contrib.staticfiles` if installed.
Generic Views
-^^^^^^^^^^^^^
+~~~~~~~~~~~~~
* The :class:`~django.views.generic.base.View` class can now be imported from
``django.views``.
Internationalization
-^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~
* ...
Management Commands
-^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~
* The new :option:`check --fail-level` option allows specifying the message
level that will cause the command to exit with a non-zero status.
@@ -235,12 +235,12 @@ Management Commands
exit, instead of opening the interactive shell.
Migrations
-^^^^^^^^^^
+~~~~~~~~~~
* Added support for serialization of ``enum.Enum`` objects.
Models
-^^^^^^
+~~~~~~
* Reverse foreign keys from proxy models are now propagated to their
concrete class. The reverse relation attached by a
@@ -264,7 +264,7 @@ Models
may be called without any arguments to return all objects in the queryset.
Requests and Responses
-^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~
* Added ``request.user`` to the debug view.
@@ -274,30 +274,30 @@ Requests and Responses
stream-like object and allow wrapping it with :py:class:`io.TextIOWrapper`.
Serialization
-^^^^^^^^^^^^^
+~~~~~~~~~~~~~
* The ``django.core.serializers.json.DjangoJSONEncoder`` now knows how to
serialize lazy strings, typically used for translatable content.
Signals
-^^^^^^^
+~~~~~~~
* ...
Templates
-^^^^^^^^^
+~~~~~~~~~
* Added the ``autoescape`` option to the
:class:`~django.template.backends.django.DjangoTemplates` backend and the
:class:`~django.template.Engine` class.
Tests
-^^^^^
+~~~~~
* ...
URLs
-^^^^
+~~~~
* An addition in :func:`django.setup()` allows URL resolving that happens
outside of the request/response cycle (e.g. in management commands and
@@ -305,7 +305,7 @@ URLs
is set.
Validators
-^^^^^^^^^^
+~~~~~~~~~~
* :class:`~django.core.validators.URLValidator` now limits the length of
domain name labels to 63 characters and the total length of domain
@@ -323,7 +323,7 @@ Backwards incompatible changes in 1.10
may appear as a backwards incompatible change.
Database backend API
-~~~~~~~~~~~~~~~~~~~~
+--------------------
* ...
@@ -471,7 +471,7 @@ Features deprecated in 1.10
===========================
Direct assignment to a reverse foreign key or many-to-many relation
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------------------------
Instead of assigning related objects using direct assignment::
@@ -486,7 +486,7 @@ added in Django 1.9::
This prevents confusion about an assignment resulting in an implicit save.
:mod:`django.contrib.gis`
-~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------
* The ``get_srid()`` and ``set_srid()`` methods of
:class:`~django.contrib.gis.geos.GEOSGeometry` are deprecated in favor
@@ -505,7 +505,7 @@ This prevents confusion about an assignment resulting in an implicit save.
:attr:`~django.contrib.gis.geos.GEOSGeometry.unary_union` property.
Miscellaneous
-~~~~~~~~~~~~~
+-------------
* The ``makemigrations --exit`` option is deprecated in favor of the
:option:`makemigrations --check` option.
diff --git a/docs/releases/1.2.4.txt b/docs/releases/1.2.4.txt
index ae15ea6f7c..86a018a55f 100644
--- a/docs/releases/1.2.4.txt
+++ b/docs/releases/1.2.4.txt
@@ -19,7 +19,7 @@ Backwards incompatible changes
==============================
Restricted filters in admin interface
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------
The Django administrative interface, django.contrib.admin, supports
filtering of displayed lists of objects by fields on the corresponding
diff --git a/docs/releases/1.2.5.txt b/docs/releases/1.2.5.txt
index 5d3050a993..f5d452942d 100644
--- a/docs/releases/1.2.5.txt
+++ b/docs/releases/1.2.5.txt
@@ -19,7 +19,7 @@ Backwards incompatible changes
==============================
CSRF exception for AJAX requests
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
Django includes a CSRF-protection mechanism, which makes use of a
token inserted into outgoing forms. Middleware then checks for the
@@ -68,7 +68,7 @@ documentation for your version of Django, as the exact code necessary
is different for some older versions of Django.
FileField no longer deletes files
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
In earlier Django versions, when a model instance containing a
:class:`~django.db.models.FileField` was deleted,
@@ -82,7 +82,7 @@ yourself (for instance, with a custom management command that can be run
manually or scheduled to run periodically via e.g. cron).
Use of custom SQL to load initial data in tests
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------
Django provides a custom SQL hooks as a way to inject hand-crafted SQL
into the database synchronization process. One of the possible uses
@@ -112,7 +112,7 @@ should either insert it using :ref:`test fixtures
test case.
ModelAdmin.lookup_allowed signature changed
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------
Django 1.2.4 introduced a method ``lookup_allowed`` on ``ModelAdmin``, to cope
with a security issue (changeset `[15033]
diff --git a/docs/releases/1.2.txt b/docs/releases/1.2.txt
index 065764c3a3..d680c1e72b 100644
--- a/docs/releases/1.2.txt
+++ b/docs/releases/1.2.txt
@@ -309,7 +309,7 @@ Django's :doc:`internationalization framework </topics/i18n/index>` has been exp
with locale-aware formatting and form processing. That means, if enabled, dates
and numbers on templates will be displayed using the format specified for the
current locale. Django will also use localized formats when parsing data in
-forms. See :ref:`Format localization <format-localization>` for more details.
+forms. See :doc:`/topics/i18n/formatting` for more details.
``readonly_fields`` in ``ModelAdmin``
-------------------------------------
@@ -1072,10 +1072,10 @@ to provide localizers the possibility to translate date and time formats. They
were translatable :term:`translation strings <translation string>` that could
be recognized because they were all upper case (for example
:setting:`DATETIME_FORMAT`, :setting:`DATE_FORMAT`, :setting:`TIME_FORMAT`).
-They have been deprecated in favor of the new :ref:`Format localization
-<format-localization>` infrastructure that allows localizers to specify that
-information in a ``formats.py`` file in the corresponding
-``django/conf/locale/<locale name>/`` directory.
+They have been deprecated in favor of the new :doc:`/topics/i18n/formatting`
+infrastructure that allows localizers to specify that information in a
+``formats.py`` file in the corresponding ``django/conf/locale/<locale name>/``
+directory.
GeoDjango
---------
@@ -1089,7 +1089,7 @@ following sections provide information on the most-popular APIs that
were affected by these changes.
``SpatialBackend``
-^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~
Prior to the creation of the separate spatial backends, the
``django.contrib.gis.db.backend.SpatialBackend`` object was
@@ -1117,7 +1117,7 @@ Would need to be changed::
PostGISAdaptor = connection.ops.Adapter
``SpatialRefSys`` and ``GeometryColumns`` models
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In previous versions of GeoDjango, :mod:`django.contrib.gis.db.models`
had ``SpatialRefSys`` and ``GeometryColumns`` models for querying
diff --git a/docs/releases/1.3.4.txt b/docs/releases/1.3.4.txt
index 3a174b3d44..54ca809ffc 100644
--- a/docs/releases/1.3.4.txt
+++ b/docs/releases/1.3.4.txt
@@ -7,7 +7,7 @@ Django 1.3.4 release notes
This is the fourth release in the Django 1.3 series.
Host header poisoning
----------------------
+=====================
Some parts of Django -- independent of end-user-written applications -- make
use of full URLs, including domain name, which are generated from the HTTP Host
diff --git a/docs/releases/1.3.5.txt b/docs/releases/1.3.5.txt
index f71758b0a4..7e40fa3c19 100644
--- a/docs/releases/1.3.5.txt
+++ b/docs/releases/1.3.5.txt
@@ -14,7 +14,7 @@ the other we've chosen to take further steps to tighten up Django's code in
response to independent discovery of potential problems from multiple sources.
Host header poisoning
----------------------
+=====================
Several earlier Django security releases focused on the issue of poisoning the
HTTP Host header, causing Django to generate URLs pointing to arbitrary,
@@ -35,7 +35,7 @@ Any deviation from this will now be rejected, raising the exception
:exc:`django.core.exceptions.SuspiciousOperation`.
Redirect poisoning
-------------------
+==================
Also following up on a previous issue: in July of this year, we made changes to
Django's HTTP redirect classes, performing additional validation of the scheme
diff --git a/docs/releases/1.3.6.txt b/docs/releases/1.3.6.txt
index d55199a882..9ed92bd6c2 100644
--- a/docs/releases/1.3.6.txt
+++ b/docs/releases/1.3.6.txt
@@ -11,7 +11,7 @@ This is the sixth bugfix/security release in the Django 1.3 series.
Host header poisoning
----------------------
+=====================
Some parts of Django -- independent of end-user-written applications -- make
use of full URLs, including domain name, which are generated from the HTTP Host
@@ -36,7 +36,7 @@ This host validation is disabled when ``DEBUG`` is ``True`` or when running test
XML deserialization
--------------------
+===================
The XML parser in the Python standard library is vulnerable to a number of
attacks via external entities and entity expansion. Django uses this parser for
@@ -57,7 +57,7 @@ management command, you will need to ensure they do not contain a DTD.
Formset memory exhaustion
--------------------------
+=========================
Previous versions of Django did not validate or limit the form-count data
provided by the client in a formset's management form, making it possible to
@@ -70,7 +70,7 @@ factory argument).
Admin history view information leakage
---------------------------------------
+======================================
In previous versions of Django, an admin user without change permission on a
model could still view the unicode representation of instances via their admin
diff --git a/docs/releases/1.3.txt b/docs/releases/1.3.txt
index 9b1194820d..737bee4acb 100644
--- a/docs/releases/1.3.txt
+++ b/docs/releases/1.3.txt
@@ -68,7 +68,7 @@ What's new in Django 1.3
========================
Class-based views
-~~~~~~~~~~~~~~~~~
+-----------------
Django 1.3 adds a framework that allows you to use a class as a view.
This means you can compose a view out of a collection of methods that
@@ -86,7 +86,7 @@ your function-based generic views to class-based
views <https://docs.djangoproject.com/en/1.4/topics/generic-views-migration/>`_.
Logging
-~~~~~~~
+-------
Django 1.3 adds framework-level support for Python's ``logging``
module. This means you can now easily configure and control logging
@@ -97,7 +97,7 @@ handled as a logging activity. See :doc:`the documentation on Django's
logging interface </topics/logging>` for more details.
Extended static files handling
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------
Django 1.3 ships with a new contrib app --
``django.contrib.staticfiles`` -- to help developers handle the static
@@ -118,7 +118,7 @@ for more details or learn how to :doc:`manage static files
</howto/static-files/index>`.
unittest2 support
-~~~~~~~~~~~~~~~~~
+-----------------
Python 2.7 introduced some major changes to the ``unittest`` library,
adding some extremely useful features. To ensure that every Django
@@ -146,7 +146,7 @@ you just won't get any of the nice new unittest2 features.
.. _unittest2: https://pypi.python.org/pypi/unittest2
Transaction context managers
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------
Users of Python 2.5 and above may now use transaction management functions as
`context managers`_. For example::
@@ -157,7 +157,7 @@ Users of Python 2.5 and above may now use transaction management functions as
.. _context managers: https://docs.python.org/glossary.html#term-context-manager
Configurable delete-cascade
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------
:class:`~django.db.models.ForeignKey` and
:class:`~django.db.models.OneToOneField` now accept an
@@ -170,7 +170,7 @@ For more information, see the :attr:`~django.db.models.ForeignKey.on_delete`
documentation.
Contextual markers and comments for translatable strings
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------------
For translation strings with ambiguous meaning, you can now
use the ``pgettext`` function to specify the context of the string.
@@ -182,7 +182,7 @@ For more information, see :ref:`contextual-markers` and
:ref:`translator-comments`.
Improvements to built-in template tags
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------
A number of improvements have been made to Django's built-in template tags:
@@ -199,7 +199,7 @@ A number of improvements have been made to Django's built-in template tags:
you to load a single tag or filter from a library.
TemplateResponse
-~~~~~~~~~~~~~~~~
+----------------
It can sometimes be beneficial to allow decorators or middleware to
modify a response *after* it has been constructed by the view. For
@@ -220,7 +220,7 @@ For more details, see the :doc:`documentation </ref/template-response>`
on the :class:`~django.template.response.TemplateResponse` class.
Caching changes
-~~~~~~~~~~~~~~~
+---------------
Django 1.3 sees the introduction of several improvements to the
Django's caching infrastructure.
@@ -247,7 +247,7 @@ caching in Django</topics/cache>`.
.. _pylibmc: http://sendapatch.se/projects/pylibmc/
Permissions for inactive users
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------
If you provide a custom auth backend with ``supports_inactive_user``
set to ``True``, an inactive ``User`` instance will check the backend
@@ -256,14 +256,14 @@ permission handling. See the :doc:`authentication docs </topics/auth/index>`
for more details.
GeoDjango
-~~~~~~~~~
+---------
The GeoDjango test suite is now included when
:ref:`running the Django test suite <running-unit-tests>` with ``runtests.py``
when using :ref:`spatial database backends <spatial-backends>`.
:setting:`MEDIA_URL` and :setting:`STATIC_URL` must end in a slash
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------------------------
Previously, the :setting:`MEDIA_URL` setting only required a trailing slash if
it contained a suffix beyond the domain name.
@@ -279,7 +279,7 @@ In Django 1.4 this same condition will raise ``DeprecationWarning``,
and in Django 1.5 will raise an ``ImproperlyConfigured`` exception.
Everything else
-~~~~~~~~~~~~~~~
+---------------
Django :doc:`1.1 <1.1>` and :doc:`1.2 <1.2>` added
lots of big ticket items to Django, like multiple-database support,
@@ -335,7 +335,7 @@ Backwards-incompatible changes in 1.3
=====================================
CSRF validation now applies to AJAX requests
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------
Prior to Django 1.2.5, Django's CSRF-prevention system exempted AJAX
requests from CSRF verification; due to `security issues`_ reported to
@@ -347,7 +347,7 @@ AJAX requests.
.. _security issues: https://www.djangoproject.com/weblog/2011/feb/08/security/
Restricted filters in admin interface
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------
Prior to Django 1.2.5, the Django administrative interface allowed
filtering on any model field or relation -- not just those specified
@@ -357,7 +357,7 @@ admin must be for fields or relations specified in ``list_filter`` or
``date_hierarchy``.
Deleting a model doesn't delete associated files
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------
In earlier Django versions, when a model instance containing a
:class:`~django.db.models.FileField` was deleted,
@@ -371,7 +371,7 @@ instance, with a custom management command that can be run manually or
scheduled to run periodically via e.g. cron).
PasswordInput default rendering behavior
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------
The :class:`~django.forms.PasswordInput` form widget, intended for use
with form fields which represent passwords, accepts a boolean keyword
@@ -394,7 +394,7 @@ explicitly indicate this. For example::
password = forms.CharField(widget=forms.PasswordInput(render_value=True))
Clearable default widget for FileField
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------
Django 1.3 now includes a :class:`~django.forms.ClearableFileInput` form widget
in addition to :class:`~django.forms.FileInput`. ``ClearableFileInput`` renders
@@ -420,7 +420,7 @@ To return to the previous rendering (without the ability to clear the
widgets = {'document': forms.FileInput}
New index on database session table
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------
Prior to Django 1.3, the database table used by the database backend
for the :doc:`sessions </topics/http/sessions>` app had no index on
@@ -437,7 +437,7 @@ index can be found by running the ``sqlindexes`` admin command::
python manage.py sqlindexes sessions
No more naughty words
-~~~~~~~~~~~~~~~~~~~~~
+---------------------
Django has historically provided (and enforced) a list of profanities.
The comments app has enforced this list of profanities, preventing people from
@@ -462,7 +462,7 @@ problem.
.. _commit that implemented this change: https://code.djangoproject.com/changeset/13996
Localflavor changes
-~~~~~~~~~~~~~~~~~~~
+-------------------
Django 1.3 introduces the following backwards-incompatible changes to
local flavors:
@@ -482,7 +482,7 @@ local flavors:
``USStateField`` not including them.
FormSet updates
-~~~~~~~~~~~~~~~
+---------------
In Django 1.3 ``FormSet`` creation behavior is modified slightly. Historically
the class didn't make a distinction between not being passed data and being
@@ -511,7 +511,7 @@ if you need to instantiate an empty ``FormSet``, don't pass in the data or use
>>> formset = ArticleFormSet(data=None)
Callables in templates
-~~~~~~~~~~~~~~~~~~~~~~
+----------------------
Previously, a callable in a template would only be called automatically as part
of the variable resolution process if it was retrieved via attribute
@@ -529,7 +529,7 @@ designed for web designers, and was never deliberately supported, it is possible
that some templates may be broken by this change.
Use of custom SQL to load initial data in tests
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------
Django provides a custom SQL hooks as a way to inject hand-crafted SQL
into the database synchronization process. One of the possible uses
@@ -559,7 +559,7 @@ should either insert it using :ref:`test fixtures
test case.
Changed priority of translation loading
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------
Work has been done to simplify, rationalize and properly document the algorithm
used by Django at runtime to build translations from the different translations
@@ -605,7 +605,7 @@ domain):
.. _corresponding deprecated features section: loading_of_project_level_translations_
Transaction management
-~~~~~~~~~~~~~~~~~~~~~~
+----------------------
When using managed transactions -- that is, anything but the default
autocommit mode -- it is important when a transaction is marked as
@@ -639,14 +639,14 @@ the read operation that retrieves the ``MyObject`` instance leaves the
transaction in a dirty state.
No password reset for inactive users
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------
Prior to Django 1.3, inactive users were able to request a password reset email
and reset their password. In Django 1.3 inactive users will receive the same
message as a nonexistent account.
Password reset view now accepts ``from_email``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------
The :func:`django.contrib.auth.views.password_reset` view now accepts a
``from_email`` parameter, which is passed to the ``password_reset_form``’s
@@ -679,7 +679,7 @@ be removed entirely.
</internals/deprecation>`.
``mod_python`` support
-~~~~~~~~~~~~~~~~~~~~~~
+----------------------
The ``mod_python`` library has not had a release since 2007 or a commit since
2008. The Apache Foundation board voted to remove ``mod_python`` from the set
@@ -694,7 +694,7 @@ recommended by the Django project, but FastCGI is also supported. Support for
``mod_python`` deployment will be removed in Django 1.5.
Function-based generic views
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------
As a result of the introduction of class-based generic views, the
function-based generic views provided by Django have been deprecated.
@@ -706,7 +706,7 @@ The following modules and the views they contain have been deprecated:
* ``django.views.generic.simple``
Test client response ``template`` attribute
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------
Django's :ref:`test client <test-client>` returns
:class:`~django.test.Response` objects annotated with extra testing
@@ -722,7 +722,7 @@ In Django 1.3 the ``template`` attribute is deprecated in favor of a new
list, even if it has only a single element or no elements.
``DjangoTestRunner``
-~~~~~~~~~~~~~~~~~~~~
+--------------------
As a result of the introduction of support for unittest2, the features
of ``django.test.simple.DjangoTestRunner`` (including fail-fast
@@ -731,7 +731,7 @@ redundancy, ``DjangoTestRunner`` has been turned into an empty placeholder
class, and will be removed entirely in Django 1.5.
Changes to ``url`` and ``ssi``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------
Most template tags will allow you to pass in either constants or
variables as arguments -- for example::
@@ -771,7 +771,7 @@ templates should be modified to use the new ``future`` libraries and
syntax.
Changes to the login methods of the admin
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------
In previous version the admin app defined login methods in multiple locations
and ignored the almost identical implementation in the already used auth app.
@@ -788,7 +788,7 @@ attribute.
.. _r12634: https://code.djangoproject.com/changeset/12634
``reset`` and ``sqlreset`` management commands
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------
Those commands have been deprecated. The ``flush`` and ``sqlflush`` commands
can be used to delete everything. You can also use ALTER TABLE or DROP TABLE
@@ -796,7 +796,7 @@ statements manually.
GeoDjango
-~~~~~~~~~
+---------
* The function-based :setting:`TEST_RUNNER` previously used to execute
the GeoDjango test suite, ``django.contrib.gis.tests.run_gis_tests``, was
@@ -812,7 +812,7 @@ GeoDjango
called when the SRID of the geometry is less than 0 or ``None``.
``CZBirthNumberField.clean``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------
Previously this field's ``clean()`` method accepted a second, gender, argument
which allowed stronger validation checks to be made, however since this
@@ -820,7 +820,7 @@ argument could never actually be passed from the Django form machinery it is
now pending deprecation.
``CompatCookie``
-~~~~~~~~~~~~~~~~
+----------------
Previously, ``django.http`` exposed an undocumented ``CompatCookie`` class,
which was a bugfix wrapper around the standard library ``SimpleCookie``. As the
@@ -830,7 +830,7 @@ django.http import SimpleCookie`` instead.
.. _loading_of_project_level_translations:
Loading of *project-level* translations
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------
This release of Django starts the deprecation process for inclusion of
translations located under the so-called *project path* in the translation
@@ -865,7 +865,7 @@ Rationale for this decision:
inconsistency.
``PermWrapper`` moved to ``django.contrib.auth.context_processors``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------------------------
In Django 1.2, we began the process of changing the location of the
``auth`` context processor from ``django.core.context_processors`` to
@@ -877,7 +877,7 @@ moved to ``django.contrib.auth.context_processors``, along with the
identical to their old versions; only the module location has changed.
Removal of ``XMLField``
-~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------
When Django was first released, Django included an ``XMLField`` that performed
automatic XML validation for any field input. However, this validation function
diff --git a/docs/releases/1.4.10.txt b/docs/releases/1.4.10.txt
index 7477ee5e41..323cdea3a7 100644
--- a/docs/releases/1.4.10.txt
+++ b/docs/releases/1.4.10.txt
@@ -7,7 +7,7 @@ Django 1.4.10 release notes
Django 1.4.10 fixes a Python-compatibility bug in the 1.4 series.
Python compatibility
---------------------
+====================
Django 1.4.9 inadvertently introduced issues with Python 2.5 compatibility.
Django 1.4.10 restores Python 2.5 compatibility. This was issue #21362 in
diff --git a/docs/releases/1.4.2.txt b/docs/releases/1.4.2.txt
index a6150f56c3..0f9d18744d 100644
--- a/docs/releases/1.4.2.txt
+++ b/docs/releases/1.4.2.txt
@@ -7,7 +7,7 @@ Django 1.4.2 release notes
This is the second security release in the Django 1.4 series.
Host header poisoning
----------------------
+=====================
Some parts of Django -- independent of end-user-written applications -- make
use of full URLs, including domain name, which are generated from the HTTP Host
diff --git a/docs/releases/1.4.3.txt b/docs/releases/1.4.3.txt
index f26bbe9214..8bf4b2fa79 100644
--- a/docs/releases/1.4.3.txt
+++ b/docs/releases/1.4.3.txt
@@ -14,7 +14,7 @@ the other we've chosen to take further steps to tighten up Django's code in
response to independent discovery of potential problems from multiple sources.
Host header poisoning
----------------------
+=====================
Several earlier Django security releases focused on the issue of poisoning the
HTTP Host header, causing Django to generate URLs pointing to arbitrary,
@@ -35,7 +35,7 @@ Any deviation from this will now be rejected, raising the exception
:exc:`django.core.exceptions.SuspiciousOperation`.
Redirect poisoning
-------------------
+==================
Also following up on a previous issue: in July of this year, we made changes to
Django's HTTP redirect classes, performing additional validation of the scheme
diff --git a/docs/releases/1.4.4.txt b/docs/releases/1.4.4.txt
index e501e4479a..c15c0e14c3 100644
--- a/docs/releases/1.4.4.txt
+++ b/docs/releases/1.4.4.txt
@@ -12,7 +12,7 @@ This is the fourth bugfix/security release in the Django 1.4 series.
Host header poisoning
----------------------
+=====================
Some parts of Django -- independent of end-user-written applications -- make
use of full URLs, including domain name, which are generated from the HTTP Host
@@ -37,7 +37,7 @@ This host validation is disabled when ``DEBUG`` is ``True`` or when running test
XML deserialization
--------------------
+===================
The XML parser in the Python standard library is vulnerable to a number of
attacks via external entities and entity expansion. Django uses this parser for
@@ -58,7 +58,7 @@ management command, you will need to ensure they do not contain a DTD.
Formset memory exhaustion
--------------------------
+=========================
Previous versions of Django did not validate or limit the form-count data
provided by the client in a formset's management form, making it possible to
@@ -71,7 +71,7 @@ factory argument).
Admin history view information leakage
---------------------------------------
+======================================
In previous versions of Django, an admin user without change permission on a
model could still view the unicode representation of instances via their admin
diff --git a/docs/releases/1.4.6.txt b/docs/releases/1.4.6.txt
index 9aaecb5241..39dc6f8dca 100644
--- a/docs/releases/1.4.6.txt
+++ b/docs/releases/1.4.6.txt
@@ -10,7 +10,7 @@ the 1.4 series, as well as one other bug.
This is the sixth bugfix/security release in the Django 1.4 series.
Mitigated possible XSS attack via user-supplied redirect URLs
--------------------------------------------------------------
+=============================================================
Django relies on user input in some cases (e.g.
:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
diff --git a/docs/releases/1.4.7.txt b/docs/releases/1.4.7.txt
index c50d938bc4..de5c679c81 100644
--- a/docs/releases/1.4.7.txt
+++ b/docs/releases/1.4.7.txt
@@ -8,7 +8,7 @@ Django 1.4.7 fixes one security issue present in previous Django releases in
the 1.4 series.
Directory traversal vulnerability in ``ssi`` template tag
----------------------------------------------------------
+=========================================================
In previous versions of Django it was possible to bypass the
``ALLOWED_INCLUDE_ROOTS`` setting used for security with the ``ssi``
diff --git a/docs/releases/1.4.8.txt b/docs/releases/1.4.8.txt
index 08dca4065e..40103d6086 100644
--- a/docs/releases/1.4.8.txt
+++ b/docs/releases/1.4.8.txt
@@ -8,7 +8,7 @@ Django 1.4.8 fixes two security issues present in previous Django releases in
the 1.4 series.
Denial-of-service via password hashers
---------------------------------------
+======================================
In previous versions of Django, no limit was imposed on the plaintext
length of a password. This allowed a denial-of-service attack through
@@ -21,7 +21,7 @@ limit on passwords and will fail authentication with any submitted
password of greater length.
Corrected usage of :func:`~django.views.decorators.debug.sensitive_post_parameters` in :mod:`django.contrib.auth`’s admin
--------------------------------------------------------------------------------------------------------------------------
+=========================================================================================================================
The decoration of the ``add_view`` and ``user_change_password`` user admin
views with :func:`~django.views.decorators.debug.sensitive_post_parameters`
diff --git a/docs/releases/1.4.9.txt b/docs/releases/1.4.9.txt
index 7fc4ecbbca..f582adec5c 100644
--- a/docs/releases/1.4.9.txt
+++ b/docs/releases/1.4.9.txt
@@ -8,7 +8,7 @@ Django 1.4.9 fixes a security-related bug in the 1.4 series and one other
data corruption bug.
Readdressed denial-of-service via password hashers
---------------------------------------------------
+==================================================
Django 1.4.8 imposes a 4096-byte limit on passwords in order to mitigate a
denial-of-service attack through submission of bogus but extremely large
diff --git a/docs/releases/1.4.txt b/docs/releases/1.4.txt
index 0aedf23ede..4f802d55c6 100644
--- a/docs/releases/1.4.txt
+++ b/docs/releases/1.4.txt
@@ -81,7 +81,7 @@ What's new in Django 1.4
========================
Support for time zones
-~~~~~~~~~~~~~~~~~~~~~~
+----------------------
In previous versions, Django used "naive" date/times (that is, date/times
without an associated time zone), leaving it up to each developer to interpret
@@ -108,7 +108,7 @@ project, read the :ref:`migration guide <time-zones-migration-guide>`. If you
encounter problems, there's a helpful :ref:`FAQ <time-zones-faq>`.
Support for in-browser testing frameworks
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------
Django 1.4 supports integration with in-browser testing frameworks like
Selenium_. The new :class:`django.test.LiveServerTestCase` base class lets you
@@ -120,7 +120,7 @@ concrete examples.
.. _Selenium: http://seleniumhq.org/
Updated default project layout and ``manage.py``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------
Django 1.4 ships with an updated default project layout and ``manage.py`` file
for the :djadmin:`startproject` management command. These fix some issues with
@@ -186,7 +186,7 @@ prefix, some places without it), the imports will need to be cleaned up when
switching to the new ``manage.py``.
Custom project and app templates
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
The :djadmin:`startapp` and :djadmin:`startproject` management commands
now have a ``--template`` option for specifying a path or URL to a custom app
@@ -207,7 +207,7 @@ For more information, see the :djadmin:`startapp` and :djadmin:`startproject`
documentation.
Improved WSGI support
-~~~~~~~~~~~~~~~~~~~~~
+---------------------
The :djadmin:`startproject` management command now adds a :file:`wsgi.py`
module to the initial project layout, containing a simple WSGI application that
@@ -224,7 +224,7 @@ with the same WSGI configuration that is used for deployment. The new
callable configured via :setting:`WSGI_APPLICATION`.)
``SELECT FOR UPDATE`` support
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------
Django 1.4 includes a :meth:`QuerySet.select_for_update()
<django.db.models.query.QuerySet.select_for_update>` method, which generates a
@@ -236,7 +236,7 @@ For more details, see the documentation for
:meth:`~django.db.models.query.QuerySet.select_for_update`.
``Model.objects.bulk_create`` in the ORM
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------
This method lets you create multiple objects more efficiently. It can result in
significant performance increases if you have many objects.
@@ -248,7 +248,7 @@ See the :meth:`~django.db.models.query.QuerySet.bulk_create` docs for more
information.
``QuerySet.prefetch_related``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------
Similar to :meth:`~django.db.models.query.QuerySet.select_related` but with a
different strategy and broader scope,
@@ -263,7 +263,7 @@ doing O(n) database queries (or worse) if objects on your primary ``QuerySet``
each have many related objects that you also need to fetch.
Improved password hashing
-~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------
Django's auth system (``django.contrib.auth``) stores passwords using a one-way
algorithm. Django 1.3 uses the SHA1_ algorithm, but increasing processor speeds
@@ -279,7 +279,7 @@ details, see :ref:`auth_password_storage`.
.. _bcrypt: https://en.wikipedia.org/wiki/Bcrypt
HTML5 doctype
-~~~~~~~~~~~~~
+-------------
We've switched the admin and other bundled templates to use the HTML5
doctype. While Django will be careful to maintain compatibility with older
@@ -288,7 +288,7 @@ admin pages without having to lose HTML validity or override the provided
templates to change the doctype.
List filters in admin interface
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
Prior to Django 1.4, the :mod:`~django.contrib.admin` app let you specify
change list filters by specifying a field lookup, but it didn't allow you to
@@ -297,7 +297,7 @@ used internally and known as "FilterSpec"). For more details, see the
documentation for :attr:`~django.contrib.admin.ModelAdmin.list_filter`.
Multiple sort in admin interface
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
The admin change list now supports sorting on multiple columns. It respects all
elements of the :attr:`~django.contrib.admin.ModelAdmin.ordering` attribute, and
@@ -307,7 +307,7 @@ behavior of desktop GUIs. We also added a
ordering dynamically (i.e., depending on the request).
New ``ModelAdmin`` methods
-~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------
We added a :meth:`~django.contrib.admin.ModelAdmin.save_related` method to
:mod:`~django.contrib.admin.ModelAdmin` to ease customization of how
@@ -320,7 +320,7 @@ enable dynamic customization of fields and links displayed on the admin
change list.
Admin inlines respect user permissions
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------
Admin inlines now only allow those actions for which the user has
permission. For ``ManyToMany`` relationships with an auto-created intermediate
@@ -329,7 +329,7 @@ related model determines if the user has the permission to add, change or
delete relationships.
Tools for cryptographic signing
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
Django 1.4 adds both a low-level API for signing values and a high-level API
for setting and reading signed cookies, one of the most common uses of
@@ -339,7 +339,7 @@ See the :doc:`cryptographic signing </topics/signing>` docs for more
information.
Cookie-based session backend
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------
Django 1.4 introduces a cookie-based session backend that uses the tools for
:doc:`cryptographic signing </topics/signing>` to store the session data in
@@ -356,7 +356,7 @@ See the :ref:`cookie-based session backend <cookie-session-backend>` docs for
more information.
New form wizard
-~~~~~~~~~~~~~~~
+---------------
The previous ``FormWizard`` from ``django.contrib.formtools`` has been
replaced with a new implementation based on the class-based views
@@ -369,13 +369,13 @@ storage backend. The latter uses the tools for
Django 1.4 to store the wizard's state in the user's cookies.
``reverse_lazy``
-~~~~~~~~~~~~~~~~
+----------------
A lazily evaluated version of ``reverse()`` was added to allow using URL
reversals before the project's URLconf gets loaded.
Translating URL patterns
-~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------
Django can now look for a language prefix in the URLpattern when using the new
:func:`~django.conf.urls.i18n.i18n_patterns` helper function.
@@ -385,7 +385,7 @@ It's also now possible to define translatable URL patterns using
and how to internationalize URL patterns.
Contextual translation support for ``{% trans %}`` and ``{% blocktrans %}``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------------------------
The :ref:`contextual translation<contextual-markers>` support introduced in
Django 1.3 via the ``pgettext`` function has been extended to the
@@ -393,7 +393,7 @@ Django 1.3 via the ``pgettext`` function has been extended to the
keyword.
Customizable ``SingleObjectMixin`` URLConf kwargs
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------
Two new attributes,
:attr:`pk_url_kwarg<django.views.generic.detail.SingleObjectMixin.pk_url_kwarg>`
@@ -404,14 +404,14 @@ enable the customization of URLconf keyword arguments used for single
object generic views.
Assignment template tags
-~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------
A new ``assignment_tag`` helper function was added to ``template.Library`` to
ease the creation of template tags that store data in a specified context
variable.
``*args`` and ``**kwargs`` support for template tag helper functions
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------------------------
The :ref:`simple_tag<howto-custom-template-tags-simple-tags>`,
:ref:`inclusion_tag <howto-custom-template-tags-inclusion-tags>` and newly
@@ -433,7 +433,7 @@ For example:
{% my_tag 123 "abcd" book.title warning=message|lower profile=user.profile %}
No wrapping of exceptions in ``TEMPLATE_DEBUG`` mode
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------------
In previous versions of Django, whenever the ``TEMPLATE_DEBUG`` setting
was ``True``, any exception raised during template rendering (even exceptions
@@ -448,7 +448,7 @@ exceptions from template rendering is now consistent regardless of the value of
``TemplateSyntaxError`` in order to catch other errors.
``truncatechars`` template filter
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
This new filter truncates a string to be no longer than the specified
number of characters. Truncated strings end with a translatable ellipsis
@@ -456,7 +456,7 @@ sequence ("..."). See the documentation for :tfilter:`truncatechars` for
more details.
``static`` template tag
-~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------
The :mod:`staticfiles<django.contrib.staticfiles>` contrib app has a new
``static`` template tag to refer to files saved with the
@@ -465,7 +465,7 @@ The :mod:`staticfiles<django.contrib.staticfiles>` contrib app has a new
files from a cloud service<staticfiles-from-cdn>`.
``CachedStaticFilesStorage`` storage backend
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------
The :mod:`staticfiles<django.contrib.staticfiles>` contrib app now has a
:class:`~django.contrib.staticfiles.storage.CachedStaticFilesStorage` backend
@@ -478,7 +478,7 @@ See the :class:`~django.contrib.staticfiles.storage.CachedStaticFilesStorage`
docs for more information.
Simple clickjacking protection
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------
We've added a middleware to provide easy protection against `clickjacking
<https://en.wikipedia.org/wiki/Clickjacking>`_ using the ``X-Frame-Options``
@@ -487,7 +487,7 @@ you'll almost certainly want to :doc:`enable it </ref/clickjacking/>` to help
plug that security hole for browsers that support the header.
CSRF improvements
-~~~~~~~~~~~~~~~~~
+-----------------
We've made various improvements to our CSRF features, including the
:func:`~django.views.decorators.csrf.ensure_csrf_cookie` decorator, which can
@@ -497,7 +497,7 @@ improve the security and usefulness of CSRF protection. See the :doc:`CSRF
docs </ref/csrf>` for more information.
Error report filtering
-~~~~~~~~~~~~~~~~~~~~~~
+----------------------
We added two function decorators,
:func:`~django.views.decorators.debug.sensitive_variables` and
@@ -516,7 +516,7 @@ filter<custom-error-reports>`. For more information see the docs on
:ref:`Filtering error reports<filtering-error-reports>`.
Extended IPv6 support
-~~~~~~~~~~~~~~~~~~~~~
+---------------------
Django 1.4 can now better handle IPv6 addresses with the new
:class:`~django.db.models.GenericIPAddressField` model field,
@@ -525,7 +525,7 @@ the validators :data:`~django.core.validators.validate_ipv46_address` and
:data:`~django.core.validators.validate_ipv6_address`.
HTML comparisons in tests
-~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------
The base classes in :mod:`django.test` now have some helpers to
compare HTML without tripping over irrelevant differences in whitespace,
@@ -540,10 +540,10 @@ client's response contains a given HTML fragment. See the :ref:`assertions
documentation <assertions>` for more.
Two new date format strings
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------
Two new :tfilter:`date` formats were added for use in template filters,
-template tags and :ref:`format-localization`:
+template tags and :doc:`/topics/i18n/formatting`:
- ``e`` -- the name of the timezone of the given datetime object
- ``o`` -- the ISO 8601 year number
@@ -562,7 +562,7 @@ But now it needs to also escape ``e`` and ``o``::
For more information, see the :tfilter:`date` documentation.
Minor features
-~~~~~~~~~~~~~~
+--------------
Django 1.4 also includes several smaller improvements worth noting:
@@ -666,7 +666,7 @@ Backwards incompatible changes in 1.4
=====================================
SECRET_KEY setting is required
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------
Running Django with an empty or known :setting:`SECRET_KEY` disables many of
Django's security protections and can lead to remote-code-execution
@@ -680,7 +680,7 @@ due to the severity of the consequences of running Django with no
:setting:`SECRET_KEY`.
django.contrib.admin
-~~~~~~~~~~~~~~~~~~~~
+--------------------
The included administration app ``django.contrib.admin`` has for a long time
shipped with a default set of static files such as JavaScript, images and
@@ -715,7 +715,7 @@ If your ``ADMIN_MEDIA_PREFIX`` is set to an specific domain (e.g.
:file:`django/contrib/admin/static/admin/`.
Supported browsers for the admin
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
Django hasn't had a clear policy on which browsers are supported by the
admin app. Our new policy formalizes existing practices: `YUI's A-grade`_
@@ -733,7 +733,7 @@ any range of browsers.
.. _YUI's A-grade: http://yuilibrary.com/yui/docs/tutorials/gbs/
Removed admin icons
-~~~~~~~~~~~~~~~~~~~
+-------------------
As part of an effort to improve the performance and usability of the admin's
change-list sorting interface and :attr:`horizontal
@@ -751,7 +751,7 @@ If you used those icons to customize the admin, then you'll need to replace
them with your own icons or get the files from a previous release.
CSS class names in admin forms
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------
To avoid conflicts with other common CSS class names (e.g. "button"), we added
a prefix ("field-") to all CSS class names automatically generated from the
@@ -761,7 +761,7 @@ style sheets or JavaScript files if you previously used plain field names as
selectors for custom styles or JavaScript transformations.
Compatibility with old signed data
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------
Django 1.3 changed the cryptographic signing mechanisms used in a number of
places in Django. While Django 1.3 kept fallbacks that would accept hashes
@@ -831,7 +831,7 @@ instance:
password hashes.
django.contrib.flatpages
-~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------
Starting in 1.4, the
:class:`~django.contrib.flatpages.middleware.FlatpageFallbackMiddleware` only
@@ -845,7 +845,7 @@ Also, redirects returned by flatpages are now permanent (with 301 status code),
to match the behavior of :class:`~django.middleware.common.CommonMiddleware`.
Serialization of :class:`~datetime.datetime` and :class:`~datetime.time`
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------------------------------
As a consequence of time-zone support, and according to the ECMA-262
specification, we made changes to the JSON serializer:
@@ -865,7 +865,7 @@ Though the serializers now use these new formats when creating fixtures, they
can still load fixtures that use the old format.
``supports_timezone`` changed to ``False`` for SQLite
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------------
The database feature ``supports_timezone`` used to be ``True`` for SQLite.
Indeed, if you saved an aware datetime object, SQLite stored a string that
@@ -878,7 +878,7 @@ datetimes are now stored without time-zone information in SQLite. When
object, Django raises an exception.
``MySQLdb``-specific exceptions
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
The MySQL backend historically has raised ``MySQLdb.OperationalError``
when a query triggered an exception. We've fixed this bug, and we now raise
@@ -887,7 +887,7 @@ when a query triggered an exception. We've fixed this bug, and we now raise
clauses.
Database connection's thread-locality
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------
``DatabaseWrapper`` objects (i.e. the connection objects referenced by
``django.db.connection`` and ``django.db.connections["some_alias"]``) used to
@@ -913,7 +913,7 @@ Concurrency behavior is defined by the underlying backend implementation.
Check their documentation for details.
`COMMENTS_BANNED_USERS_GROUP` setting
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------
Django's comments has historically
supported excluding the comments of a special user group, but we've never
@@ -950,7 +950,7 @@ Save this model manager in your custom comment app (e.g., in
objects = BanningCommentManager()
`IGNORABLE_404_STARTS` and `IGNORABLE_404_ENDS` settings
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------------
Until Django 1.3, it was possible to exclude some URLs from Django's
:doc:`404 error reporting</howto/error-reporting>` by adding prefixes to
@@ -988,7 +988,7 @@ Don't forget to escape characters that have a special meaning in a regular
expression, such as periods.
CSRF protection extended to PUT and DELETE
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------
Previously, Django's :doc:`CSRF protection </ref/csrf/>` provided
protection only against POST requests. Since use of PUT and DELETE methods in
@@ -1000,7 +1000,7 @@ If you're using PUT or DELETE methods in AJAX applications, please see the
:ref:`instructions about using AJAX and CSRF <csrf-ajax>`.
Password reset view now accepts ``subject_template_name``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------
The ``password_reset`` view in ``django.contrib.auth`` now accepts a
``subject_template_name`` parameter, which is passed to the password save form
@@ -1009,21 +1009,21 @@ form, then you will need to ensure your form's ``save()`` method accepts this
keyword argument.
``django.core.template_loaders``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
This was an alias to ``django.template.loader`` since 2005, and we've removed it
without emitting a warning due to the length of the deprecation. If your code
still referenced this, please use ``django.template.loader`` instead.
``django.db.models.fields.URLField.verify_exists``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------
This functionality has been removed due to intractable performance and
security issues. Any existing usage of ``verify_exists`` should be
removed.
``django.core.files.storage.Storage.open``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------
The ``open`` method of the base Storage class used to take an obscure parameter
``mixin`` that allowed you to dynamically change the base classes of the
@@ -1049,7 +1049,7 @@ method, like this::
return Spam(open(self.path(name), mode))
YAML deserializer now uses ``yaml.safe_load``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------
``yaml.load`` is able to construct any Python object, which may trigger
arbitrary code execution if you process a YAML document that comes from an
@@ -1059,7 +1059,7 @@ fixtures are trusted data, the YAML deserializer now uses ``yaml.safe_load``
for additional security.
Session cookies now have the ``httponly`` flag by default
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------
Session cookies now include the ``httponly`` attribute by default to
help reduce the impact of potential XSS attacks. As a consequence of
@@ -1069,7 +1069,7 @@ compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your
settings file.
The :tfilter:`urlize` filter no longer escapes every URL
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------------
When a URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal
digits, :tfilter:`urlize` now assumes that the URL is already escaped and
@@ -1078,7 +1078,7 @@ contains a ``%xx`` sequence, but such URLs are very unlikely to happen in the
wild, because they would confuse browsers too.
``assertTemplateUsed`` and ``assertTemplateNotUsed`` as context manager
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------------------------------
It's now possible to check whether a template was used within a block of
code with :meth:`~django.test.SimpleTestCase.assertTemplateUsed` and
@@ -1093,7 +1093,7 @@ can be used as a context manager::
See the :ref:`assertion documentation<assertions>` for more.
Database connections after running the test suite
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------
The default test runner no longer restores the database connections after
tests' execution. This prevents the production database from being exposed to
@@ -1106,7 +1106,7 @@ subclassing ``DjangoTestRunner`` and overriding its ``teardown_databases()``
method.
Output of :djadmin:`manage.py help <help>`
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------
:djadmin:`manage.py help <help>` now groups available commands by application.
If you depended on the output of this command -- if you parsed it, for example
@@ -1115,7 +1115,7 @@ management commands in a script, use
:djadmin:`manage.py help --commands <help>` instead.
``extends`` template tag
-~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------
Previously, the :ttag:`extends` tag used a buggy method of parsing arguments,
which could lead to it erroneously considering an argument as a string literal
@@ -1126,7 +1126,7 @@ interests of full disclosure, the ``ExtendsNode.__init__`` definition has
changed, which may break any custom tags that use this class.
Loading some incomplete fixtures no longer works
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------
Prior to 1.4, a default value was inserted for fixture objects that were missing
a specific date or datetime value when auto_now or auto_now_add was set for the
@@ -1135,7 +1135,7 @@ incomplete fixtures will fail. Because fixtures are a raw import, they should
explicitly specify all field values, regardless of field options on the model.
Development Server Multithreading
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
The development server is now is multithreaded by default. Use the
:option:`runserver --nothreading` option to disable the use of threading in the
@@ -1144,7 +1144,7 @@ development server::
django-admin.py runserver --nothreading
Attributes disabled in markdown when safe mode set
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------
Prior to Django 1.4, attributes were included in any markdown output regardless
of safe mode setting of the filter. With version > 2.1 of the Python-Markdown
@@ -1155,7 +1155,7 @@ Python-Markdown library less than 2.1, a warning is issued that the output is
insecure.
FormMixin get_initial returns an instance-specific dictionary
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------------------
In Django 1.3, the ``get_initial`` method of the
:class:`django.views.generic.edit.FormMixin` class was returning the
@@ -1169,14 +1169,14 @@ Features deprecated in 1.4
==========================
Old styles of calling ``cache_page`` decorator
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------
Some legacy ways of calling :func:`~django.views.decorators.cache.cache_page`
have been deprecated. Please see the documentation for the correct way to use
this decorator.
Support for PostgreSQL versions older than 8.2
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------
Django 1.3 dropped support for PostgreSQL versions older than 8.0, and we
suggested using a more recent version because of performance improvements
@@ -1187,7 +1187,7 @@ Django 1.4 takes that policy further and sets 8.2 as the minimum PostgreSQL
version it officially supports.
Request exceptions are now always logged
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------
When we added :doc:`logging support </topics/logging/>` in Django in 1.3, the
admin error email support was moved into the
@@ -1227,7 +1227,7 @@ The existence of any ``'filters'`` key under the ``'mail_admins'`` handler will
disable this backward-compatibility shim and deprecation warning.
``django.conf.urls.defaults``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------
Until Django 1.3, the functions :func:`~django.conf.urls.include`,
``patterns()`` and :func:`~django.conf.urls.url` plus
@@ -1237,7 +1237,7 @@ were located in a ``django.conf.urls.defaults`` module.
In Django 1.4, they live in :mod:`django.conf.urls`.
``django.contrib.databrowse``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------
Databrowse has not seen active development for some time, and this does not show
any sign of changing. There had been a suggestion for a `GSOC project`_ to
@@ -1252,7 +1252,7 @@ itself, so it's available to be adopted by an individual or group as
a third-party project.
``django.core.management.setup_environ``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------
This function temporarily modified ``sys.path`` in order to make the parent
"project" directory importable under the old flat :djadmin:`startproject`
@@ -1265,7 +1265,7 @@ These uses should be replaced by setting the ``DJANGO_SETTINGS_MODULE``
environment variable or using :func:`django.conf.settings.configure`.
``django.core.management.execute_manager``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------
This function was previously used by ``manage.py`` to execute a management
command. It is identical to
@@ -1276,7 +1276,7 @@ of these functions is documented as part of the public API, but a deprecation
path is needed due to use in existing ``manage.py`` files.
``is_safe`` and ``needs_autoescape`` attributes of template filters
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------------------------
Two flags, ``is_safe`` and ``needs_autoescape``, define how each template filter
interacts with Django's auto-escaping behavior. They used to be attributes of
@@ -1299,7 +1299,7 @@ Now, the flags are keyword arguments of :meth:`@register.filter
See :ref:`filters and auto-escaping <filters-auto-escaping>` for more information.
Wildcard expansion of application names in `INSTALLED_APPS`
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------------------
Until Django 1.3, :setting:`INSTALLED_APPS` accepted wildcards in application
names, like ``django.contrib.*``. The expansion was performed by a
@@ -1313,14 +1313,14 @@ settings file to list all your applications explicitly.
.. _this can't be done reliably: https://docs.python.org/tutorial/modules.html#importing-from-a-package
``HttpRequest.raw_post_data`` renamed to ``HttpRequest.body``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------------------
This attribute was confusingly named ``HttpRequest.raw_post_data``, but it
actually provided the body of the HTTP request. It's been renamed to
``HttpRequest.body``, and ``HttpRequest.raw_post_data`` has been deprecated.
``django.contrib.sitemaps`` bug fix with potential performance implications
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------------------------
In previous versions, ``Paginator`` objects used in sitemap classes were
cached, which could result in stale site maps. We've removed the caching, so
@@ -1332,7 +1332,7 @@ To mitigate the performance impact, consider using the :doc:`caching
framework </topics/cache>` within your ``Sitemap`` subclass.
Versions of Python-Markdown earlier than 2.1
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------
Versions of Python-Markdown earlier than 2.1 do not support the option to
disable attributes. As a security issue, earlier versions of this library will
diff --git a/docs/releases/1.5.2.txt b/docs/releases/1.5.2.txt
index 1e6a448948..22a415274a 100644
--- a/docs/releases/1.5.2.txt
+++ b/docs/releases/1.5.2.txt
@@ -7,7 +7,7 @@ Django 1.5.2 release notes
This is Django 1.5.2, a bugfix and security release for Django 1.5.
Mitigated possible XSS attack via user-supplied redirect URLs
--------------------------------------------------------------
+=============================================================
Django relies on user input in some cases (e.g.
:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
@@ -21,7 +21,7 @@ Django currently, since we only put this URL into the ``Location`` response
header and browsers seem to ignore JavaScript there.
XSS vulnerability in :mod:`django.contrib.admin`
-------------------------------------------------
+================================================
If a :class:`~django.db.models.URLField` is used in Django 1.5, it displays the
current value of the field and a link to the target on the admin change page.
diff --git a/docs/releases/1.5.3.txt b/docs/releases/1.5.3.txt
index 3d03eed74a..efb662e989 100644
--- a/docs/releases/1.5.3.txt
+++ b/docs/releases/1.5.3.txt
@@ -9,7 +9,7 @@ one security issue and also contains an opt-in feature to enhance the security
of :mod:`django.contrib.sessions`.
Directory traversal vulnerability in ``ssi`` template tag
----------------------------------------------------------
+=========================================================
In previous versions of Django it was possible to bypass the
``ALLOWED_INCLUDE_ROOTS`` setting used for security with the ``ssi``
@@ -26,7 +26,7 @@ author to put the ``ssi`` file in a user-controlled variable, but it's possible
in principle.
Mitigating a remote-code execution vulnerability in :mod:`django.contrib.sessions`
-----------------------------------------------------------------------------------
+==================================================================================
:mod:`django.contrib.sessions` currently uses :mod:`pickle` to serialize
session data before storing it in the backend. If you're using the :ref:`signed
diff --git a/docs/releases/1.5.4.txt b/docs/releases/1.5.4.txt
index 68deeb5de0..48b27b25a7 100644
--- a/docs/releases/1.5.4.txt
+++ b/docs/releases/1.5.4.txt
@@ -8,7 +8,7 @@ This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses
two security issues and one bug.
Denial-of-service via password hashers
---------------------------------------
+======================================
In previous versions of Django, no limit was imposed on the plaintext
length of a password. This allowed a denial-of-service attack through
@@ -21,7 +21,7 @@ limit on passwords, and will fail authentication with any submitted
password of greater length.
Corrected usage of :func:`~django.views.decorators.debug.sensitive_post_parameters` in :mod:`django.contrib.auth`’s admin
--------------------------------------------------------------------------------------------------------------------------
+=========================================================================================================================
The decoration of the ``add_view`` and ``user_change_password`` user admin
views with :func:`~django.views.decorators.debug.sensitive_post_parameters`
diff --git a/docs/releases/1.5.5.txt b/docs/releases/1.5.5.txt
index a1f5ca45de..8dfd3d3834 100644
--- a/docs/releases/1.5.5.txt
+++ b/docs/releases/1.5.5.txt
@@ -8,7 +8,7 @@ Django 1.5.5 fixes a couple security-related bugs and several other bugs in the
1.5 series.
Readdressed denial-of-service via password hashers
---------------------------------------------------
+==================================================
Django 1.5.4 imposes a 4096-byte limit on passwords in order to mitigate a
denial-of-service attack through submission of bogus but extremely large
@@ -16,7 +16,7 @@ passwords. In Django 1.5.5, we've reverted this change and instead improved
the speed of our PBKDF2 algorithm by not rehashing the key on every iteration.
Properly rotate CSRF token on login
------------------------------------
+===================================
This behavior introduced as a security hardening measure in Django 1.5.2 did
not work properly and is now fixed.
diff --git a/docs/releases/1.5.txt b/docs/releases/1.5.txt
index 44f96d248c..3ecdcca12e 100644
--- a/docs/releases/1.5.txt
+++ b/docs/releases/1.5.txt
@@ -85,7 +85,7 @@ offer an alpha release featuring 2.7 support, and Django 1.5 supports that alpha
release.
Python 3 support
-~~~~~~~~~~~~~~~~
+----------------
Django 1.5 introduces support for Python 3 - specifically, Python
3.2 and above. This comes in the form of a **single** codebase; you don't
@@ -122,7 +122,7 @@ What's new in Django 1.5
========================
Configurable User model
-~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------
In Django 1.5, you can now use your own model as the store for user-related
data. If your project needs a username with more than 30 characters, or if
@@ -139,7 +139,7 @@ See the :ref:`documentation on custom User models <auth-custom-user>` for
more details.
Support for saving a subset of model's fields
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------
The method :meth:`Model.save() <django.db.models.Model.save()>` has a new
keyword argument ``update_fields``. By using this argument it is possible to
@@ -154,7 +154,7 @@ See the :meth:`Model.save() <django.db.models.Model.save()>` documentation for
more details.
Caching of related model instances
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------
When traversing relations, the ORM will avoid re-fetching objects that were
previously loaded. For example, with the tutorial's models::
@@ -174,7 +174,7 @@ is particularly helpful in combination with ``prefetch_related``.
.. _explicit-streaming-responses:
Explicit support for streaming responses
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------
Before Django 1.5, it was possible to create a streaming response by passing
an iterator to :class:`~django.http.HttpResponse`. But this was unreliable:
@@ -192,14 +192,14 @@ streaming responses and behave accordingly. See :ref:`response-middleware` for
more information.
``{% verbatim %}`` template tag
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
To make it easier to deal with JavaScript templates which collide with Django's
syntax, you can now use the :ttag:`verbatim` block tag to avoid parsing the
tag's content.
Retrieval of ``ContentType`` instances associated with proxy models
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------------------------
The methods :meth:`ContentTypeManager.get_for_model() <django.contrib.contenttypes.models.ContentTypeManager.get_for_model()>`
and :meth:`ContentTypeManager.get_for_models() <django.contrib.contenttypes.models.ContentTypeManager.get_for_models()>`
@@ -209,14 +209,14 @@ By passing ``False`` using this argument it is now possible to retrieve the
associated with proxy models.
New ``view`` variable in class-based views context
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------
In all :doc:`generic class-based views </topics/class-based-views/index>`
(or any class-based view inheriting from ``ContextMixin``), the context dictionary
contains a ``view`` variable that points to the ``View`` instance.
GeoDjango
-~~~~~~~~~
+---------
* :class:`~django.contrib.gis.geos.LineString` and
:class:`~django.contrib.gis.geos.MultiLineString` GEOS objects now support the
@@ -232,7 +232,7 @@ GeoDjango
dropped.
New tutorials
-~~~~~~~~~~~~~
+-------------
Additions to the docs include a revamped :doc:`Tutorial 3</intro/tutorial03>`
and a new :doc:`tutorial on testing</intro/tutorial05>`. A new section,
@@ -241,7 +241,7 @@ and a new :doc:`tutorial on testing</intro/tutorial05>`. A new section,
:doc:`Writing your first patch for Django </intro/contributing>`.
Minor features
-~~~~~~~~~~~~~~
+--------------
Django 1.5 also includes several smaller improvements worth noting:
@@ -360,7 +360,7 @@ Backwards incompatible changes in 1.5
backwards incompatible change.
``ALLOWED_HOSTS`` required in production
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------
The new :setting:`ALLOWED_HOSTS` setting validates the request's ``Host``
header and protects against host-poisoning attacks. This setting is now
@@ -370,7 +370,7 @@ required whenever :setting:`DEBUG` is ``False``, or else
:setting:`full documentation<ALLOWED_HOSTS>` for the new setting.
Managers on abstract models
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------
Abstract models are able to define a custom manager, and that manager
:ref:`will be inherited by any concrete models extending the abstract model
@@ -385,7 +385,7 @@ the abstract class, you should migrate that logic to a Python
``staticmethod`` or ``classmethod`` on the abstract class.
Context in year archive class-based views
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------
For consistency with the other date-based generic views,
:class:`~django.views.generic.dates.YearArchiveView` now passes ``year`` in
@@ -397,7 +397,7 @@ year|date:"Y" }}``.
calculated according to ``allow_empty`` and ``allow_future``.
Context in year and month archive class-based views
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------
:class:`~django.views.generic.dates.YearArchiveView` and
:class:`~django.views.generic.dates.MonthArchiveView` were documented to
@@ -412,7 +412,7 @@ the documented order was restored. You may want to add (or remove) the
``date_list`` in descending order.
Context in TemplateView
-~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------
For consistency with the design of the other generic views,
:class:`~django.views.generic.base.TemplateView` no longer passes a ``params``
@@ -420,7 +420,7 @@ dictionary into the context, instead passing the variables from the URLconf
directly into the context.
Non-form data in HTTP requests
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------
:attr:`request.POST <django.http.HttpRequest.POST>` will no longer include data
posted via HTTP requests with non form-specific content-types in the header.
@@ -432,7 +432,7 @@ should use the :attr:`request.body <django.http.HttpRequest.body>` attribute
instead.
:data:`~django.core.signals.request_finished` signal
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------------
Django used to send the :data:`~django.core.signals.request_finished` signal
as soon as the view function returned a response. This interacted badly with
@@ -453,7 +453,7 @@ consider using :doc:`middleware </topics/http/middleware>` instead.
connections to database and memcache servers.
OPTIONS, PUT and DELETE requests in the test client
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------
Unlike GET and POST, these HTTP methods aren't implemented by web browsers.
Rather, they're used in APIs, which transfer data in various formats such as
@@ -475,7 +475,7 @@ client and set the ``content_type`` argument.
.. _simplejson-incompatibilities:
System version of ``simplejson`` no longer used
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------
:ref:`As explained below <simplejson-deprecation>`, Django 1.5 deprecates
``django.utils.simplejson`` in favor of Python 2.6's built-in :mod:`json`
@@ -521,7 +521,7 @@ They recommend to use it from now on.
.. _ticket #18023: https://code.djangoproject.com/ticket/18023#comment:10
String types of hasher method parameters
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------
If you have written a :ref:`custom password hasher <auth_password_storage>`,
your ``encode()``, ``verify()`` or ``safe_summary()`` methods should accept
@@ -530,7 +530,7 @@ hashing methods need byte strings, you can use the
:func:`~django.utils.encoding.force_bytes` utility to encode the strings.
Validation of previous_page_number and next_page_number
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------------
When using :doc:`object pagination </topics/pagination>`,
the ``previous_page_number()`` and ``next_page_number()`` methods of the
@@ -540,7 +540,7 @@ It does check it now and raises an :exc:`~django.core.paginator.InvalidPage`
exception when the number is either too low or too high.
Behavior of autocommit database option on PostgreSQL changed
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------------------
PostgreSQL's autocommit option didn't work as advertised previously. It did
work for single transaction block, but after the first block was left the
@@ -549,13 +549,13 @@ this is only a bug fix, it is worth checking your applications behavior if
you are using PostgreSQL together with the autocommit option.
Session not saved on 500 responses
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------
Django's session middleware will skip saving the session data if the
response's status code is 500.
Email checks on failed admin login
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------
Prior to Django 1.5, if you attempted to log into the admin interface and
mistakenly used your email address instead of your username, the admin
@@ -567,13 +567,13 @@ affects the warning message that is displayed under one particular mode of
login failure.
Changes in tests execution
-~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------
Some changes have been introduced in the execution of tests that might be
backward-incompatible for some testing setups:
Database flushing in ``django.test.TransactionTestCase``
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Previously, the test database was truncated *before* each test run in a
:class:`~django.test.TransactionTestCase`.
@@ -583,7 +583,7 @@ always isolated from each other, :class:`~django.test.TransactionTestCase` will
now reset the database *after* each test run instead.
No more implicit DB sequences reset
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:class:`~django.test.TransactionTestCase` tests used to reset primary key
sequences automatically together with the database flushing actions described
@@ -598,7 +598,7 @@ be used to force the old behavior for :class:`~django.test.TransactionTestCase`
that might need it.
Ordering of tests
-^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~
In order to make sure all ``TestCase`` code starts with a clean database,
tests are now executed in the following order:
@@ -618,7 +618,7 @@ preserved after the execution of other tests. Such tests are already very
fragile, and must now be changed to be able to run independently.
`cleaned_data` dictionary kept for invalid forms
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------
The :attr:`~django.forms.Form.cleaned_data` dictionary is now always present
after form validation. When the form doesn't validate, it contains only the
@@ -628,7 +628,7 @@ presence or absence of the :attr:`~django.forms.Form.cleaned_data` attribute
on the form.
Behavior of ``syncdb`` with multiple databases
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------
``syncdb`` now queries the database routers to determine if content
types (when :mod:`~django.contrib.contenttypes` is enabled) and permissions
@@ -642,7 +642,7 @@ them. See the docs on the :ref:`behavior of contrib apps with multiple
databases <contrib_app_multiple_databases>` for more information.
XML deserializer will not parse documents with a DTD
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------------
In order to prevent exposure to denial-of-service attacks related to external
entity references and entity expansion, the XML model deserializer now refuses
@@ -652,7 +652,7 @@ cases where custom-created XML documents are passed to Django's model
deserializer.
Formsets default ``max_num``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------
A (default) value of ``None`` for the ``max_num`` argument to a formset factory
no longer defaults to allowing any number of forms in the formset. Instead, in
@@ -661,7 +661,7 @@ forms. This limit can be raised by explicitly setting a higher value for
``max_num``.
Miscellaneous
-~~~~~~~~~~~~~
+-------------
* :class:`django.forms.ModelMultipleChoiceField` now returns an empty
``QuerySet`` as the empty value instead of an empty list.
@@ -720,7 +720,7 @@ Features deprecated in 1.5
==========================
``django.contrib.localflavor``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------
The localflavor contrib app has been split into separate packages.
``django.contrib.localflavor`` itself will be removed in Django 1.6,
@@ -732,7 +732,7 @@ dozen countries at this time; similar to translations, maintenance
will be handed over to interested members of the community.
``django.contrib.markup``
-~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------
The markup contrib module has been deprecated and will follow an accelerated
deprecation schedule. Direct use of Python markup libraries or 3rd party tag
@@ -740,7 +740,7 @@ libraries is preferred to Django maintaining this functionality in the
framework.
``AUTH_PROFILE_MODULE``
-~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------
With the introduction of :ref:`custom User models <auth-custom-user>`, there is
no longer any need for a built-in mechanism to store user profile data.
@@ -753,7 +753,7 @@ the ``AUTH_PROFILE_MODULE`` setting, and the
the user profile model, should not be used any longer.
Streaming behavior of :class:`~django.http.HttpResponse`
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------------
Django 1.5 deprecates the ability to stream a response by passing an iterator
to :class:`~django.http.HttpResponse`. If you rely on this behavior, switch to
@@ -766,7 +766,7 @@ In Django 1.7 and above, the iterator will be consumed immediately by
.. _simplejson-deprecation:
``django.utils.simplejson``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------
Since Django 1.5 drops support for Python 2.5, we can now rely on the
:mod:`json` module being available in Python's standard library, so we've
@@ -780,32 +780,32 @@ If you rely on features added to ``simplejson`` after it became Python's
:mod:`json`, you should import ``simplejson`` explicitly.
``django.utils.encoding.StrAndUnicode``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------
The ``django.utils.encoding.StrAndUnicode`` mix-in has been deprecated.
Define a ``__str__`` method and apply the
:func:`~django.utils.encoding.python_2_unicode_compatible` decorator instead.
``django.utils.itercompat.product``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------
The ``django.utils.itercompat.product`` function has been deprecated. Use
the built-in :func:`itertools.product` instead.
``cleanup`` management command
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------
The ``cleanup`` management command has been deprecated and replaced by
:djadmin:`clearsessions`.
``daily_cleanup.py`` script
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------
The undocumented ``daily_cleanup.py`` script has been deprecated. Use the
:djadmin:`clearsessions` management command instead.
``depth`` keyword argument in ``select_related``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------
The ``depth`` keyword argument in
:meth:`~django.db.models.query.QuerySet.select_related` has been deprecated.
diff --git a/docs/releases/1.6.txt b/docs/releases/1.6.txt
index bb24f60969..c7cee7e47e 100644
--- a/docs/releases/1.6.txt
+++ b/docs/releases/1.6.txt
@@ -50,7 +50,7 @@ What's new in Django 1.6
========================
Simplified default project and app templates
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------
The default templates used by :djadmin:`startproject` and :djadmin:`startapp`
have been simplified and modernized. The :doc:`admin
@@ -63,7 +63,7 @@ If the default templates don't suit your tastes, you can use :ref:`custom
project and app templates <custom-app-and-project-templates>`.
Improved transaction management
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
Django's transaction management was overhauled. Database-level autocommit is
now turned on by default. This makes transaction handling more explicit and
@@ -72,7 +72,7 @@ were introduced, as described in the :doc:`transaction management docs
</topics/db/transactions>`.
Persistent database connections
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
Django now supports reusing the same database connection for several requests.
This avoids the overhead of re-establishing a connection at the beginning of
@@ -80,7 +80,7 @@ each request. For backwards compatibility, this feature is disabled by
default. See :ref:`persistent-database-connections` for details.
Discovery of tests in any test module
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------
Django 1.6 ships with a new test runner that allows more flexibility in the
location of tests. The previous runner
@@ -103,7 +103,7 @@ This change is backwards-incompatible; see the :ref:`backwards-incompatibility
notes<new-test-runner>`.
Time zone aware aggregation
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------
The support for :doc:`time zones </topics/i18n/timezones>` introduced in
Django 1.4 didn't work well with :meth:`QuerySet.dates()
@@ -113,33 +113,33 @@ UTC. This limitation was lifted in Django 1.6. Use :meth:`QuerySet.datetimes()
aggregation on a :class:`~django.db.models.DateTimeField`.
Support for savepoints in SQLite
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
Django 1.6 adds support for savepoints in SQLite, with some :ref:`limitations
<savepoints-in-sqlite>`.
``BinaryField`` model field
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------
A new :class:`django.db.models.BinaryField` model field allows storage of raw
binary data in the database.
GeoDjango form widgets
-~~~~~~~~~~~~~~~~~~~~~~
+----------------------
GeoDjango now provides :doc:`form fields and widgets </ref/contrib/gis/forms-api>`
for its geo-specialized fields. They are OpenLayers-based by default, but they
can be customized to use any other JS framework.
``check`` management command added for verifying compatibility
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------------------
A :djadmin:`check` management command was added, enabling you to verify if your
current configuration (currently oriented at settings) is compatible with the
current version of Django.
:meth:`Model.save() <django.db.models.Model.save()>` algorithm changed
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------------------------------
The :meth:`Model.save() <django.db.models.Model.save()>` method now
tries to directly ``UPDATE`` the database if the instance has a primary
@@ -155,7 +155,7 @@ trigger which returns ``NULL``. In such cases it is possible to set
use the old algorithm.
Minor features
-~~~~~~~~~~~~~~
+--------------
* Authentication backends can raise ``PermissionDenied`` to immediately fail
the authentication chain.
@@ -381,17 +381,17 @@ Backwards incompatible changes in 1.6
backwards incompatible change.
New transaction management model
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
Behavior changes
-^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~
Database-level autocommit is enabled by default in Django 1.6. While this
doesn't change the general spirit of Django's transaction management, there
are a few backwards-incompatibilities.
Savepoints and ``assertNumQueries``
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The changes in transaction management may result in additional statements to
create, release or rollback savepoints. This is more likely to happen with
@@ -403,7 +403,7 @@ queries are related to savepoints, and adjust the expected number of queries
accordingly.
Autocommit option for PostgreSQL
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In previous versions, database-level autocommit was only an option for
PostgreSQL, and it was disabled by default. This option is now ignored and can
@@ -412,7 +412,7 @@ be removed.
.. _new-test-runner:
New test runner
-~~~~~~~~~~~~~~~
+---------------
In order to maintain greater consistency with Python's unittest module, the new
test runner (``django.test.runner.DiscoverRunner``) does not automatically
@@ -438,7 +438,7 @@ but will not be removed from Django until version 1.8.
.. _recommendations in the Python documentation: https://docs.python.org/library/doctest.html#unittest-api
Removal of ``django.contrib.gis.tests.GeoDjangoTestSuiteRunner`` GeoDjango custom test runner
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------------------------------------------
This is for developers working on the GeoDjango application itself and related
to the item above about changes in the test runners:
@@ -449,7 +449,7 @@ supported anymore. To run the GeoDjango tests simply use the new
``DiscoverRunner`` and specify the ``django.contrib.gis`` app.
Custom User models in tests
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------
The introduction of the new test runner has also slightly changed the way that
test models are imported. As a result, any test that overrides ``AUTH_USER_MODEL``
@@ -472,7 +472,7 @@ error reporting::
ImproperlyConfigured: AUTH_USER_MODEL refers to model 'auth.CustomUser' that has not been installed
Time zone-aware ``day``, ``month``, and ``week_day`` lookups
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------------------
Django 1.6 introduces time zone support for :lookup:`day`, :lookup:`month`,
and :lookup:`week_day` lookups when :setting:`USE_TZ` is ``True``. These
@@ -487,7 +487,7 @@ tables with `mysql_tzinfo_to_sql`_.
.. _mysql_tzinfo_to_sql: https://dev.mysql.com/doc/refman/5.6/en/mysql-tzinfo-to-sql.html
Addition of ``QuerySet.datetimes()``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------
When the :doc:`time zone support </topics/i18n/timezones>` added in Django 1.4
was active, :meth:`QuerySet.dates() <django.db.models.query.QuerySet.dates>`
@@ -497,7 +497,7 @@ UTC. To fix this, Django 1.6 introduces a new API, :meth:`QuerySet.datetimes()
your code.
``QuerySet.dates()`` returns ``date`` objects
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:meth:`QuerySet.dates() <django.db.models.query.QuerySet.dates>` now returns a
list of :class:`~datetime.date`. It used to return a list of
@@ -507,7 +507,7 @@ list of :class:`~datetime.date`. It used to return a list of
returns a list of :class:`~datetime.datetime`.
``QuerySet.dates()`` no longer usable on ``DateTimeField``
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:meth:`QuerySet.dates() <django.db.models.query.QuerySet.dates>` raises an
error if it's used on :class:`~django.db.models.DateTimeField` when time
@@ -515,7 +515,7 @@ zone support is active. Use :meth:`QuerySet.datetimes()
<django.db.models.query.QuerySet.datetimes>` instead.
``date_hierarchy`` requires time zone definitions
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The :attr:`~django.contrib.admin.ModelAdmin.date_hierarchy` feature of the
admin now relies on :meth:`QuerySet.datetimes()
@@ -526,7 +526,7 @@ This requires time zone definitions in the database when :setting:`USE_TZ` is
``True``. :ref:`Learn more <database-time-zone-definitions>`.
``date_list`` in generic views requires time zone definitions
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For the same reason, accessing ``date_list`` in the context of a date-based
generic view requires time zone definitions in the database when the view is
@@ -534,7 +534,7 @@ based on a :class:`~django.db.models.DateTimeField` and :setting:`USE_TZ` is
``True``. :ref:`Learn more <database-time-zone-definitions>`.
New lookups may clash with model fields
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------
Django 1.6 introduces ``hour``, ``minute``, and ``second`` lookups on
:class:`~django.db.models.DateTimeField`. If you had model fields called
@@ -542,7 +542,7 @@ Django 1.6 introduces ``hour``, ``minute``, and ``second`` lookups on
names. Append an explicit :lookup:`exact` lookup if this is an issue.
``BooleanField`` no longer defaults to ``False``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------
When a :class:`~django.db.models.BooleanField` doesn't have an explicit
:attr:`~django.db.models.Field.default`, the implicit default value is
@@ -556,10 +556,10 @@ either specify ``default=False`` in the field definition, or ensure the field
is set to ``True`` or ``False`` before saving the object.
Translations and comments in templates
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------
Extraction of translations after comments
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Extraction of translatable literals from templates with the
:djadmin:`makemessages` command now correctly detects i18n constructs when
@@ -570,7 +570,7 @@ they are located after a ``{#`` / ``#}``-type comment on the same line. E.g.:
{# A comment #}{% trans "This literal was incorrectly ignored. Not anymore" %}
Location of translator comments
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:ref:`translator-comments-in-templates` specified using ``{#`` / ``#}`` need to
be at the end of a line. If they are not, the comments are ignored and
@@ -583,7 +583,7 @@ be at the end of a line. If they are not, the comments are ignored and
<h1>{% trans "Welcome" %}</h1>
Quoting in ``reverse()``
-~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------
When reversing URLs, Django didn't apply :func:`~django.utils.http.urlquote`
to arguments before interpolating them in URL patterns. This bug is fixed in
@@ -595,7 +595,7 @@ replace special characters in URLs used in
versions.
Storage of IP addresses in the comments app
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------
The comments app now uses a
``GenericIPAddressField`` for storing commenters' IP addresses, to support
@@ -622,7 +622,7 @@ addresses are silently truncated; on Oracle, an exception is generated. No
database change is needed for SQLite or PostgreSQL databases.
Percent literals in ``cursor.execute`` queries
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------
When you are running raw SQL queries through the
:ref:`cursor.execute <executing-custom-sql>` method, the rule about doubling
@@ -642,7 +642,7 @@ parameters. For example::
.. _m2m-help_text:
Help text of model form fields for ManyToManyField fields
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------
HTML rendering of model form fields corresponding to
:class:`~django.db.models.ManyToManyField` model fields used to get the
@@ -676,7 +676,7 @@ and :doc:`widgets </ref/forms/widgets>` aren't affected but need to be aware of
what's described in :ref:`m2m-help_text-deprecation` below.
QuerySet iteration
-~~~~~~~~~~~~~~~~~~
+------------------
The ``QuerySet`` iteration was changed to immediately convert all fetched
rows to ``Model`` objects. In Django 1.5 and earlier the fetched rows were
@@ -695,7 +695,7 @@ lazily by using the :meth:`~django.db.models.query.QuerySet.iterator()`
method.
:meth:`BoundField.label_tag<django.forms.BoundField.label_tag>` now includes the form's :attr:`~django.forms.Form.label_suffix`
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------------------------------------------------------------------------------------
This is consistent with how methods like
:meth:`Form.as_p<django.forms.Form.as_p>` and
@@ -728,7 +728,7 @@ customize the ``label_suffix`` on a per-field basis using the new
``label_suffix`` parameter on :meth:`~django.forms.BoundField.label_tag`.
Admin views ``_changelist_filters`` GET parameter
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------
To achieve preserving and restoring list view filters, admin views now
pass around the `_changelist_filters` GET parameter. It's important that you
@@ -738,7 +738,7 @@ can set the
:attr:`~django.contrib.admin.ModelAdmin.preserve_filters` attribute to ``False``.
``django.contrib.auth`` password reset uses base 64 encoding of ``User`` PK
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------------------------
Past versions of Django used base 36 encoding of the ``User`` primary key in
the password reset views and URLs
@@ -791,7 +791,7 @@ You can remove this url pattern after your app has been deployed with Django
1.6 for :setting:`PASSWORD_RESET_TIMEOUT_DAYS`.
Default session serialization switched to JSON
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------
Historically, :mod:`django.contrib.sessions` used :mod:`pickle` to serialize
session data before storing it in the backend. If you're using the :ref:`signed
@@ -825,7 +825,7 @@ serialization will work for your application:
See the :ref:`session_serialization` documentation for more details.
Object Relational Mapper changes
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
Django 1.6 contains many changes to the ORM. These changes fall mostly in
three categories:
@@ -850,7 +850,7 @@ neither Django 1.5 nor 1.6 produce correct results.
Finally, there have been many changes to the ORM internal APIs.
Miscellaneous
-~~~~~~~~~~~~~
+-------------
* The ``django.db.models.query.EmptyQuerySet`` can't be instantiated any more -
it is only usable as a marker class for checking if
@@ -964,7 +964,7 @@ Features deprecated in 1.6
==========================
Transaction management APIs
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------
Transaction management was completely overhauled in Django 1.6, and the
current APIs are deprecated:
@@ -976,7 +976,7 @@ current APIs are deprecated:
- the ``TRANSACTIONS_MANAGED`` setting
``django.contrib.comments``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------
Django's comment framework has been deprecated and is no longer supported. It
will be available in Django 1.6 and 1.7, and removed in Django 1.8. Most users
@@ -989,7 +989,7 @@ __ https://disqus.com/
__ https://github.com/django/django-contrib-comments
Support for PostgreSQL versions older than 8.4
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------
The end of upstream support periods was reached in December 2011 for
PostgreSQL 8.2 and in February 2013 for 8.3. As a consequence, Django 1.6 sets
@@ -1000,7 +1000,7 @@ available, because of performance improvements and to take advantage of the
native streaming replication available in PostgreSQL 9.x.
Changes to :ttag:`cycle` and :ttag:`firstof`
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------
The template system generally escapes all variables to avoid XSS attacks.
However, due to an accident of history, the :ttag:`cycle` and :ttag:`firstof`
@@ -1028,7 +1028,7 @@ If necessary, you can temporarily disable auto-escaping with
<autoescape>`.
``CACHE_MIDDLEWARE_ANONYMOUS_ONLY`` setting
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------
``CacheMiddleware`` and ``UpdateCacheMiddleware`` used to provide a way to
cache requests only if they weren't made by a logged-in user. This mechanism
@@ -1046,7 +1046,7 @@ This makes the cache effectively work on a per-session basis regardless of the
__ https://www.google.com/analytics/
``SEND_BROKEN_LINK_EMAILS`` setting
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------
:class:`~django.middleware.common.CommonMiddleware` used to provide basic
reporting of broken links by email when ``SEND_BROKEN_LINK_EMAILS`` is set to
@@ -1064,19 +1064,19 @@ If you're relying on this feature, you should add
from your settings.
``_has_changed`` method on widgets
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------
If you defined your own form widgets and defined the ``_has_changed`` method
on a widget, you should now define this method on the form field itself.
``module_name`` model _meta attribute
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------
``Model._meta.module_name`` was renamed to ``model_name``. Despite being a
private API, it will go through a regular deprecation path.
``get_(add|change|delete)_permission`` model _meta methods
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------------------
``Model._meta.get_(add|change|delete)_permission`` methods were deprecated.
Even if they were not part of the public API they'll also go through
@@ -1085,7 +1085,7 @@ a regular deprecation path. You can replace them with
``'action'`` is ``'add'``, ``'change'``, or ``'delete'``.
``get_query_set`` and similar methods renamed to ``get_queryset``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------------------------
Methods that return a ``QuerySet`` such as ``Manager.get_query_set`` or
``ModelAdmin.queryset`` have been renamed to ``get_queryset``.
@@ -1139,7 +1139,7 @@ override either ``get_query_set`` or ``get_queryset``.
``shortcut`` view and URLconf
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------
The ``shortcut`` view was moved from ``django.views.defaults`` to
``django.contrib.contenttypes.views`` shortly after the 1.0 release, but the
@@ -1156,7 +1156,7 @@ with::
(r'^prefix/(?P<content_type_id>\d+)/(?P<object_id>.*)/$', 'django.contrib.contenttypes.views.shortcut'),
``ModelForm`` without ``fields`` or ``exclude``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------
Previously, if you wanted a :class:`~django.forms.ModelForm` to use all fields on
the model, you could simply omit the ``Meta.fields`` attribute, and all fields
@@ -1191,7 +1191,7 @@ functioning ``ModelForm``. This behavior also works for earlier Django
versions.
``UpdateView`` and ``CreateView`` without explicit fields
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------
The generic views :class:`~django.views.generic.edit.CreateView` and
:class:`~django.views.generic.edit.UpdateView`, and anything else derived from
@@ -1210,7 +1210,7 @@ but without an explicit list of fields is deprecated.
.. _m2m-help_text-deprecation:
Munging of help text of model form fields for ``ManyToManyField`` fields
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------------------------------
All special handling of the ``help_text`` attribute of ``ManyToManyField`` model
fields performed by standard model or model form fields as described in
diff --git a/docs/releases/1.7.txt b/docs/releases/1.7.txt
index 005882afe6..ef14a68632 100644
--- a/docs/releases/1.7.txt
+++ b/docs/releases/1.7.txt
@@ -37,7 +37,7 @@ What's new in Django 1.7
========================
Schema migrations
-~~~~~~~~~~~~~~~~~
+-----------------
Django now has built-in support for schema migrations. It allows models
to be updated, changed, and deleted by creating migration files that represent
@@ -82,7 +82,7 @@ but a few of the key features are:
.. _app-loading-refactor-17-release-note:
App-loading refactor
-~~~~~~~~~~~~~~~~~~~~
+--------------------
Historically, Django applications were tightly linked to models. A singleton
known as the "app cache" dealt with both installed applications and models.
@@ -120,7 +120,7 @@ Improvements thus far include:
make it easier to diagnose import issues such as import loops.
New method on Field subclasses
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------
To help power both schema migrations and to enable easier addition of
composite keys in future releases of Django, the
@@ -154,7 +154,7 @@ classes serializable, read the
:ref:`migration serialization documentation <migration-serializing>`.
Calling custom ``QuerySet`` methods from the ``Manager``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------------
Historically, the recommended way to make reusable model queries was to create
methods on a custom ``Manager`` class. The problem with this approach was that
@@ -192,7 +192,7 @@ class method can now directly :ref:`create Manager with QuerySet methods
Food.objects.pizzas().vegetarian()
Using a custom manager when traversing reverse relations
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------------
It is now possible to :ref:`specify a custom manager
<using-custom-reverse-manager>` when traversing a reverse relationship::
@@ -210,7 +210,7 @@ It is now possible to :ref:`specify a custom manager
b.entry_set(manager='entries').all()
New system check framework
-~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------
We've added a new :doc:`System check framework </ref/checks>` for
detecting common problems (like invalid models) and providing hints for
@@ -221,7 +221,7 @@ To perform system checks, you use the :djadmin:`check` management command.
This command replaces the older ``validate`` management command.
New ``Prefetch`` object for advanced ``prefetch_related`` operations.
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------------------
The new :class:`~django.db.models.Prefetch` object allows customizing
prefetch operations.
@@ -236,7 +236,7 @@ querysets. See :meth:`~django.db.models.query.QuerySet.prefetch_related()`
for more details.
Admin shortcuts support time zones
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------
The "today" and "now" shortcuts next to date and time input widgets in the
admin are now operating in the :ref:`current time zone
@@ -249,7 +249,7 @@ server time zone are different, to clarify how the value inserted in the field
will be interpreted.
Using database cursors as context managers
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------
Prior to Python 2.7, database cursors could be used as a context manager. The
specific backend's cursor defined the behavior of the context manager. The
@@ -271,7 +271,7 @@ instead of::
c.close()
Custom lookups
-~~~~~~~~~~~~~~
+--------------
It is now possible to write custom lookups and transforms for the ORM.
Custom lookups work just like Django's built-in lookups (e.g. ``lte``,
@@ -292,10 +292,10 @@ For more information about both custom lookups and transforms refer to
the :doc:`custom lookups </howto/custom-lookups>` documentation.
Improvements to ``Form`` error handling
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------
``Form.add_error()``
-^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~
Previously there were two main patterns for handling errors in forms:
@@ -323,7 +323,7 @@ See :ref:`validating-fields-with-clean` for an example using
``Form.add_error()``.
Error metadata
-^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~
The :exc:`~django.core.exceptions.ValidationError` constructor accepts metadata
such as error ``code`` or ``params`` which are then available for interpolating
@@ -347,7 +347,7 @@ codes serialized as JSON. ``as_json()`` uses ``as_data()`` and gives an idea
of how the new system could be extended.
Error containers and backward compatibility
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Heavy changes to the various error containers were necessary in order
to support the features above, specifically
@@ -360,10 +360,10 @@ using private APIs, some of the changes are backwards incompatible; see
:ref:`validation-error-constructor-and-internal-storage` for more details.
Minor features
-~~~~~~~~~~~~~~
+--------------
:mod:`django.contrib.admin`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
* You can now implement :attr:`~django.contrib.admin.AdminSite.site_header`,
:attr:`~django.contrib.admin.AdminSite.site_title`, and
@@ -410,7 +410,7 @@ Minor features
overridden to define custom behavior for setting initial change form data.
:mod:`django.contrib.auth`
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~
* Any ``**kwargs`` passed to
:meth:`~django.contrib.auth.models.User.email_user()` are passed to the
@@ -436,14 +436,14 @@ Minor features
enabled. See :ref:`session-invalidation-on-password-change` for more details.
``django.contrib.formtools``
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Calls to :meth:`WizardView.done()
<formtools.wizard.views.WizardView.done>` now include a
``form_dict`` to allow easier access to forms by their step name.
:mod:`django.contrib.gis`
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~
* The default OpenLayers library version included in widgets has been updated
from 2.11 to 2.13.
@@ -453,7 +453,7 @@ Minor features
installed.
:mod:`django.contrib.messages`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The backends for :mod:`django.contrib.messages` that use cookies, will now
follow the :setting:`SESSION_COOKIE_SECURE` and
@@ -467,7 +467,7 @@ Minor features
message level.
:mod:`django.contrib.redirects`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* :class:`~django.contrib.redirects.middleware.RedirectFallbackMiddleware`
has two new attributes
@@ -478,14 +478,14 @@ Minor features
middleware returns.
:mod:`django.contrib.sessions`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The ``"django.contrib.sessions.backends.cached_db"`` session backend now
respects :setting:`SESSION_CACHE_ALIAS`. In previous versions, it always used
the `default` cache.
:mod:`django.contrib.sitemaps`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The :mod:`sitemap framework<django.contrib.sitemaps>` now makes use of
:attr:`~django.contrib.sitemaps.Sitemap.lastmod` to set a ``Last-Modified``
@@ -494,13 +494,13 @@ Minor features
conditional ``GET`` requests for sitemaps which set ``lastmod``.
:mod:`django.contrib.sites`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The new :class:`django.contrib.sites.middleware.CurrentSiteMiddleware` allows
setting the current site on each request.
:mod:`django.contrib.staticfiles`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The :ref:`static files storage classes <staticfiles-storages>` may be
subclassed to override the permissions that collected static files and
@@ -527,7 +527,7 @@ Minor features
:djadmin:`findstatic` for example output.
:mod:`django.contrib.syndication`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The :class:`~django.utils.feedgenerator.Atom1Feed` syndication feed's
``updated`` element now utilizes ``updateddate`` instead of ``pubdate``,
@@ -535,7 +535,7 @@ Minor features
relies on ``pubdate``).
Cache
-^^^^^
+~~~~~
* Access to caches configured in :setting:`CACHES` is now available via
:data:`django.core.cache.caches`. This dict-like object provides a different
@@ -552,13 +552,13 @@ Cache
``timeout=None`` to the cache backend's ``set()`` method.
Cross Site Request Forgery
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~
* The :setting:`CSRF_COOKIE_AGE` setting facilitates the use of session-based
CSRF cookies.
Email
-^^^^^
+~~~~~
* :func:`~django.core.mail.send_mail` now accepts an ``html_message``
parameter for sending a multipart ``text/plain`` and ``text/html`` email.
@@ -566,7 +566,7 @@ Email
``timeout`` parameter.
File Storage
-^^^^^^^^^^^^
+~~~~~~~~~~~~
* File locking on Windows previously depended on the PyWin32 package; if it
wasn't installed, file locking failed silently. That dependency has been
@@ -574,7 +574,7 @@ File Storage
and Unix.
File Uploads
-^^^^^^^^^^^^
+~~~~~~~~~~~~
* The new :attr:`UploadedFile.content_type_extra
<django.core.files.uploadedfile.UploadedFile.content_type_extra>` attribute
@@ -601,7 +601,7 @@ File Uploads
This change was also made in the 1.6.6, 1.5.9, and 1.4.14 security releases.
Forms
-^^^^^
+~~~~~
* The ``<label>`` and ``<input>`` tags rendered by
:class:`~django.forms.RadioSelect` and
@@ -657,7 +657,7 @@ Forms
<considerations-regarding-model-errormessages>` for more details.
Internationalization
-^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~
* The :attr:`django.middleware.locale.LocaleMiddleware.response_redirect_class`
attribute allows you to customize the redirects issued by the middleware.
@@ -693,10 +693,10 @@ Internationalization
:setting:`LANGUAGE_COOKIE_AGE`, :setting:`LANGUAGE_COOKIE_DOMAIN`
and :setting:`LANGUAGE_COOKIE_PATH`.
-* Added :ref:`format definitions <format-localization>` for Esperanto.
+* Added :doc:`/topics/i18n/formatting` for Esperanto.
Management Commands
-^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~
* The new :option:`--no-color` option for ``django-admin`` disables the
colorization of management command output.
@@ -743,7 +743,7 @@ Management Commands
.. _sqlparse: https://pypi.python.org/pypi/sqlparse
Models
-^^^^^^
+~~~~~~
* The :meth:`QuerySet.update_or_create()
<django.db.models.query.QuerySet.update_or_create>` method was added.
@@ -803,7 +803,7 @@ Models
a relation ``_id`` field by using its attribute name.
Signals
-^^^^^^^
+~~~~~~~
* The ``enter`` argument was added to the
:data:`~django.test.signals.setting_changed` signal.
@@ -813,7 +813,7 @@ Signals
reference their senders.
Templates
-^^^^^^^^^
+~~~~~~~~~
* The :meth:`Context.push() <django.template.Context.push>` method now returns
a context manager which automatically calls :meth:`pop()
@@ -870,7 +870,7 @@ Templates
longer than the specified number of characters, taking HTML into account.
Requests and Responses
-^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~
* The new :attr:`HttpRequest.scheme <django.http.HttpRequest.scheme>` attribute
specifies the scheme of the request (``http`` or ``https`` normally).
@@ -883,7 +883,7 @@ Requests and Responses
:class:`~django.http.HttpResponse` helps easily create JSON-encoded responses.
Tests
-^^^^^
+~~~~~
* :class:`~django.test.runner.DiscoverRunner` has two new attributes,
:attr:`~django.test.runner.DiscoverRunner.test_suite` and
@@ -912,13 +912,13 @@ Tests
named :setting:`TEST <DATABASE-TEST>`.
Utilities
-^^^^^^^^^
+~~~~~~~~~
* Improved :func:`~django.utils.html.strip_tags` accuracy (but it still cannot
guarantee an HTML-safe result, as stated in the documentation).
Validators
-^^^^^^^^^^
+~~~~~~~~~~
* :class:`~django.core.validators.RegexValidator` now accepts the optional
:attr:`~django.core.validators.RegexValidator.flags` and
@@ -949,7 +949,7 @@ Backwards incompatible changes in 1.7
backwards incompatible change.
``allow_syncdb`` / ``allow_migrate``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------
While Django will still look at ``allow_syncdb`` methods even though they
should be renamed to ``allow_migrate``, there is a subtle difference in which
@@ -961,7 +961,7 @@ without custom attributes, methods or managers. Make sure your ``allow_migrate``
methods are only referring to fields or other items in ``model._meta``.
initial_data
-~~~~~~~~~~~~
+------------
Apps with migrations will not load ``initial_data`` fixtures when they have
finished migrating. Apps without migrations will continue to load these fixtures
@@ -977,7 +977,7 @@ Additionally, like the rest of Django's old ``syncdb`` code, ``initial_data``
has been started down the deprecation path and will be removed in Django 1.9.
deconstruct() and serializability
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
Django now requires all Field classes and all of their constructor arguments
to be serializable. If you modify the constructor signature in your custom
@@ -993,10 +993,10 @@ them as well <custom-deconstruct-method>`, though Django provides a handy
class decorator that will work for most applications.
App-loading changes
-~~~~~~~~~~~~~~~~~~~
+-------------------
Start-up sequence
-^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~
Django 1.7 loads application configurations and models as soon as it starts.
While this behavior is more straightforward and is believed to be more robust,
@@ -1004,7 +1004,7 @@ regressions cannot be ruled out. See :ref:`applications-troubleshooting` for
solutions to some problems you may encounter.
Standalone scripts
-^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~
If you're using Django in a plain Python script — rather than a management
command — and you rely on the :envvar:`DJANGO_SETTINGS_MODULE` environment
@@ -1017,7 +1017,7 @@ script with::
Otherwise, you will hit an ``AppRegistryNotReady`` exception.
WSGI scripts
-^^^^^^^^^^^^
+~~~~~~~~~~~~
Until Django 1.3, the recommended way to create a WSGI application was::
@@ -1033,7 +1033,7 @@ If you're still using the former style in your WSGI script, you need to
upgrade to the latter, or you will hit an ``AppRegistryNotReady`` exception.
App registry consistency
-^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~
It is no longer possible to have multiple installed applications with the same
label. In previous versions of Django, this didn't always work correctly, but
@@ -1064,7 +1064,7 @@ Django will enforce these requirements as of version 1.9, after a deprecation
period.
Subclassing AppCommand
-^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~
Subclasses of :class:`~django.core.management.AppCommand` must now implement a
:meth:`~django.core.management.AppCommand.handle_app_config` method instead of
@@ -1072,7 +1072,7 @@ Subclasses of :class:`~django.core.management.AppCommand` must now implement a
instance instead of a models module.
Introspecting applications
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~
Since :setting:`INSTALLED_APPS` now supports application configuration classes
in addition to application modules, you should review code that accesses this
@@ -1090,7 +1090,7 @@ following changes that take effect immediately:
longer exists, nor does the ``seed_cache`` argument of ``get_model``.
Management commands and order of :setting:`INSTALLED_APPS`
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------------------
When several applications provide management commands with the same name,
Django loads the command from the application that comes first in
@@ -1104,7 +1104,7 @@ files, templates, and translations.
.. _validation-error-constructor-and-internal-storage:
``ValidationError`` constructor and internal storage
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------------
The behavior of the ``ValidationError`` constructor has changed when it
receives a container of errors as an argument (e.g. a ``list`` or an
@@ -1161,7 +1161,7 @@ workaround to convert any ``list`` into ``ErrorList``::
self._errors[field] = self.error_class(error_list)
Behavior of ``LocMemCache`` regarding pickle errors
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------
An inconsistency existed in previous versions of Django regarding how pickle
errors are handled by different cache backends.
@@ -1171,7 +1171,7 @@ cache-specific errors. This has been fixed in Django 1.7, see
:ticket:`21200` for more details.
Cache keys are now generated from the request's absolute URL
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------------------
Previous versions of Django generated cache keys using a request's path and
query string but not the scheme or host. If a Django application was serving
@@ -1184,7 +1184,7 @@ generated by older versions of Django. After upgrading to Django 1.7, the first
request to any previously cached URL will be a cache miss.
Passing ``None`` to ``Manager.db_manager()``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------
In previous versions of Django, it was possible to use
``db_manager(using=None)`` on a model manager instance to obtain a manager
@@ -1196,7 +1196,7 @@ the way routing information cascaded over joins. See :ticket:`13724` for more
details.
pytz may be required
-~~~~~~~~~~~~~~~~~~~~
+--------------------
If your project handles datetimes before 1970 or after 2037 and Django raises
a :exc:`ValueError` when encountering them, you will have to install pytz_. You
@@ -1206,7 +1206,7 @@ formats or :mod:`django.contrib.syndication`.
.. _pytz: https://pypi.python.org/pypi/pytz/
``remove()`` and ``clear()`` methods of related managers
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------------
The ``remove()`` and ``clear()`` methods of the related managers created by
``ForeignKey``, ``GenericForeignKey``, and ``ManyToManyField`` suffered from a
@@ -1234,7 +1234,7 @@ Fixing the issues introduced some backward incompatible changes:
See :ref:`this note <nested-queries-performance>` for more details.
Admin login redirection strategy
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
Historically, the Django admin site passed the request from an unauthorized or
unauthenticated user directly to the login view, without HTTP redirection. In
@@ -1248,7 +1248,7 @@ Note also that the admin login form has been updated to not contain the
has been set to the more regular ``invalid_login`` key.
``select_for_update()`` requires a transaction
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------
Historically, queries that use
:meth:`~django.db.models.query.QuerySet.select_for_update()` could be
@@ -1272,7 +1272,7 @@ in a test class which is a subclass of
:class:`~django.test.TestCase`.
Contrib middleware removed from default :setting:`MIDDLEWARE_CLASSES`
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------------------
The :ref:`app-loading refactor <app-loading-refactor-17-release-note>`
deprecated using models from apps which are not part of the
@@ -1293,7 +1293,7 @@ project's needs. You should also check for any code that accesses
``django.conf.global_settings.MIDDLEWARE_CLASSES`` directly.
Miscellaneous
-~~~~~~~~~~~~~
+-------------
* The :meth:`django.core.files.uploadhandler.FileUploadHandler.new_file()`
method is now passed an additional ``content_type_extra`` parameter. If you
@@ -1466,20 +1466,20 @@ Features deprecated in 1.7
==========================
``django.core.cache.get_cache``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
``django.core.cache.get_cache`` has been supplanted by
:data:`django.core.cache.caches`.
``django.utils.dictconfig``/``django.utils.importlib``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------------
``django.utils.dictconfig`` and ``django.utils.importlib`` were copies of
respectively :mod:`logging.config` and :mod:`importlib` provided for Python
versions prior to 2.7. They have been deprecated.
``django.utils.module_loading.import_by_path``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------
The current ``django.utils.module_loading.import_by_path`` function
catches ``AttributeError``, ``ImportError``, and ``ValueError`` exceptions,
@@ -1490,7 +1490,7 @@ It has been deprecated in favor of
:meth:`~django.utils.module_loading.import_string`.
``django.utils.tzinfo``
-~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------
``django.utils.tzinfo`` provided two :class:`~datetime.tzinfo` subclasses,
``LocalTimezone`` and ``FixedOffset``. They've been deprecated in favor of
@@ -1499,7 +1499,7 @@ more correct alternatives provided by :mod:`django.utils.timezone`,
:func:`django.utils.timezone.get_fixed_timezone`.
``django.utils.unittest``
-~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------
``django.utils.unittest`` provided uniform access to the ``unittest2`` library
on all Python versions. Since ``unittest2`` became the standard library's
@@ -1508,7 +1508,7 @@ Python versions, this module isn't useful anymore. It has been deprecated. Use
:mod:`unittest` instead.
``django.utils.datastructures.SortedDict``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------
As :class:`~collections.OrderedDict` was added to the standard library in
Python 2.7, ``SortedDict`` is no longer needed and has been deprecated.
@@ -1530,7 +1530,7 @@ for a particular form instance. For example (from Django itself)::
)
Custom SQL location for models package
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------
Previously, if models were organized in a package (``myapp/models/``) rather
than simply ``myapp/models.py``, Django would look for initial SQL data in
@@ -1541,7 +1541,7 @@ exists, the deprecation is irrelevant as the entire feature will be removed in
Django 1.9.
Reorganization of ``django.contrib.sites``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------
``django.contrib.sites`` provides reduced functionality when it isn't in
:setting:`INSTALLED_APPS`. The app-loading refactor adds some constraints in
@@ -1554,7 +1554,7 @@ locations are deprecated:
``django.contrib.sites.shortcuts``.
``declared_fieldsets`` attribute on ``ModelAdmin``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------
``ModelAdmin.declared_fieldsets`` has been deprecated. Despite being a private
API, it will go through a regular deprecation path. This attribute was mostly
@@ -1562,7 +1562,7 @@ used by methods that bypassed ``ModelAdmin.get_fieldsets()`` but this was
considered a bug and has been addressed.
Reorganization of ``django.contrib.contenttypes``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------
Since ``django.contrib.contenttypes.generic`` defined both admin and model
related objects, an import of this module could trigger unexpected side effects.
@@ -1581,14 +1581,14 @@ submodules and the ``django.contrib.contenttypes.generic`` module is deprecated:
:mod:`~django.contrib.contenttypes.admin`.
``syncdb``
-~~~~~~~~~~
+----------
The ``syncdb`` command has been deprecated in favor of the new :djadmin:`migrate`
command. ``migrate`` takes the same arguments as ``syncdb`` used to plus a few
more, so it's safe to just change the name you're calling and nothing else.
``util`` modules renamed to ``utils``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------
The following instances of ``util.py`` in the Django codebase have been renamed
to ``utils.py`` in an effort to unify all util and utils references:
@@ -1599,14 +1599,14 @@ to ``utils.py`` in an effort to unify all util and utils references:
* ``django.forms.util``
``get_formsets`` method on ``ModelAdmin``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------
``ModelAdmin.get_formsets`` has been deprecated in favor of the new
:meth:`~django.contrib.admin.ModelAdmin.get_formsets_with_inlines`, in order to
better handle the case of selectively showing inlines on a ``ModelAdmin``.
``IPAddressField``
-~~~~~~~~~~~~~~~~~~
+------------------
The ``django.db.models.IPAddressField`` and ``django.forms.IPAddressField``
fields have been deprecated in favor of
@@ -1614,14 +1614,14 @@ fields have been deprecated in favor of
:class:`django.forms.GenericIPAddressField`.
``BaseMemcachedCache._get_memcache_timeout`` method
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------
The ``BaseMemcachedCache._get_memcache_timeout()`` method has been renamed to
``get_backend_timeout()``. Despite being a private API, it will go through the
normal deprecation.
Natural key serialization options
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
The ``--natural`` and ``-n`` options for :djadmin:`dumpdata` have been
deprecated. Use :option:`dumpdata --natural-foreign` instead.
@@ -1630,14 +1630,14 @@ Similarly, the ``use_natural_keys`` argument for ``serializers.serialize()``
has been deprecated. Use ``use_natural_foreign_keys`` instead.
Merging of ``POST`` and ``GET`` arguments into ``WSGIRequest.REQUEST``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------------------------------
It was already strongly suggested that you use ``GET`` and ``POST`` instead of
``REQUEST``, because the former are more explicit. The property ``REQUEST`` is
deprecated and will be removed in Django 1.9.
``django.utils.datastructures.MergeDict`` class
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------
``MergeDict`` exists primarily to support merging ``POST`` and ``GET``
arguments into a ``REQUEST`` property on ``WSGIRequest``. To merge
@@ -1645,7 +1645,7 @@ dictionaries, use ``dict.update()`` instead. The class ``MergeDict`` is
deprecated and will be removed in Django 1.9.
Language codes ``zh-cn``, ``zh-tw`` and ``fy-nl``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------
The currently used language codes for Simplified Chinese ``zh-cn``,
Traditional Chinese ``zh-tw`` and (Western) Frysian ``fy-nl`` are deprecated
@@ -1655,7 +1655,7 @@ locale directories and update your settings to reflect these changes. The
deprecated language codes will be removed in Django 1.9.
``django.utils.functional.memoize`` function
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------
The function ``memoize`` is deprecated and should be replaced by the
``functools.lru_cache`` decorator (available from Python 3.2 onwards).
@@ -1665,13 +1665,13 @@ available at ``django.utils.lru_cache.lru_cache``. The deprecated function will
be removed in Django 1.9.
Geo Sitemaps
-~~~~~~~~~~~~
+------------
Google has retired support for the Geo Sitemaps format. Hence Django support
for Geo Sitemaps is deprecated and will be removed in Django 1.8.
Passing callable arguments to queryset methods
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------
Callable arguments for querysets were an undocumented feature that was
unreliable. It's been deprecated and will be removed in Django 1.9.
@@ -1682,26 +1682,26 @@ evaluating arguments before passing them to queryset and created confusion that
the arguments may have been evaluated at query time.
``ADMIN_FOR`` setting
-~~~~~~~~~~~~~~~~~~~~~
+---------------------
The ``ADMIN_FOR`` feature, part of the admindocs, has been removed. You can
remove the setting from your configuration at your convenience.
``SplitDateTimeWidget`` with ``DateTimeField``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------
``SplitDateTimeWidget`` support in :class:`~django.forms.DateTimeField` is
deprecated, use ``SplitDateTimeWidget`` with
:class:`~django.forms.SplitDateTimeField` instead.
``validate``
-~~~~~~~~~~~~
+------------
The ``validate`` management command is deprecated in favor of the
:djadmin:`check` command.
``django.core.management.BaseCommand``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------
``requires_model_validation`` is deprecated in favor of a new
``requires_system_checks`` flag. If the latter flag is missing, then the
@@ -1711,7 +1711,7 @@ value of the former flag is used. Defining both ``requires_system_checks`` and
The ``check()`` method has replaced the old ``validate()`` method.
``ModelAdmin`` validators
-~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------
The ``ModelAdmin.validator_class`` and ``default_validator_class`` attributes
are deprecated in favor of the new ``checks_class`` attribute.
@@ -1722,7 +1722,7 @@ The ``ModelAdmin.validate()`` method is deprecated in favor of
The ``django.contrib.admin.validation`` module is deprecated.
``django.db.backends.DatabaseValidation.validate_field``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------------
This method is deprecated in favor of a new ``check_field`` method.
The functionality required by ``check_field()`` is the same as that provided
@@ -1731,7 +1731,7 @@ backends needing this functionality should provide an implementation of
``check_field()``.
Loading ``ssi`` and ``url`` template tags from ``future`` library
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------------------------
Django 1.3 introduced ``{% load ssi from future %}`` and
``{% load url from future %}`` syntax for forward compatibility of the
@@ -1740,7 +1740,7 @@ will be removed in Django 1.9. You can simply remove the
``{% load ... from future %}`` tags.
``django.utils.text.javascript_quote``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------
``javascript_quote()`` was an undocumented function present in ``django.utils.text``.
It was used internally in the :ref:`javascript_catalog view <javascript_catalog-view>`
@@ -1752,7 +1752,7 @@ If all you need is to generate valid JavaScript strings, you can simply use
``json.dumps()``.
``fix_ampersands`` utils method and template filter
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------
The ``django.utils.html.fix_ampersands`` method and the ``fix_ampersands``
template filter are deprecated, as the escaping of ampersands is already taken care
@@ -1765,7 +1765,7 @@ As this is an accelerated deprecation, ``fix_ampersands`` and ``clean_html``
will be removed in Django 1.8.
Reorganization of database test settings
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------
All database settings with a ``TEST_`` prefix have been deprecated in favor of
entries in a :setting:`TEST <DATABASE-TEST>` dictionary in the database
@@ -1774,13 +1774,13 @@ compatibility with older versions of Django, you can define both versions of
the settings as long as they match.
FastCGI support
-~~~~~~~~~~~~~~~
+---------------
FastCGI support via the ``runfcgi`` management command will be removed in
Django 1.9. Please deploy your project using WSGI.
Moved objects in ``contrib.sites``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------
Following the app-loading refactor, two objects in
``django.contrib.sites.models`` needed to be moved because they must be
@@ -1791,13 +1791,13 @@ available without importing ``django.contrib.sites.models`` when
Django 1.9.
``django.forms.forms.get_declared_fields()``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------
Django no longer uses this functional internally. Even though it's a private
API, it'll go through the normal deprecation cycle.
Private Query Lookup APIs
-~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------
Private APIs ``django.db.models.sql.where.WhereNode.make_atom()`` and
``django.db.models.sql.where.Constraint`` are deprecated in favor of the new
diff --git a/docs/releases/1.8.txt b/docs/releases/1.8.txt
index d75250082e..2342e587fe 100644
--- a/docs/releases/1.8.txt
+++ b/docs/releases/1.8.txt
@@ -37,7 +37,7 @@ What's new in Django 1.8
========================
``Model._meta`` API
-~~~~~~~~~~~~~~~~~~~
+-------------------
Django now has a formalized API for :doc:`Model._meta </ref/models/meta>`,
providing an officially supported way to :ref:`retrieve fields
@@ -53,7 +53,7 @@ new official API have been deprecated and will eventually be removed. A
<migrating-old-meta-api>` has been provided.
Multiple template engines
-~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------
Django 1.8 defines a stable API for integrating template backends. It includes
built-in support for the Django template language and for
@@ -63,7 +63,7 @@ new features in the :doc:`topic guide </topics/templates>` and check the
:doc:`upgrade instructions </ref/templates/upgrading>` for details.
Security enhancements
-~~~~~~~~~~~~~~~~~~~~~
+---------------------
Several features of the django-secure_ third-party library have been
integrated into Django. :class:`django.middleware.security.SecurityMiddleware`
@@ -74,7 +74,7 @@ file for ways to increase the security of your site.
.. _django-secure: https://pypi.python.org/pypi/django-secure
New PostgreSQL specific functionality
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------
Django now has a module with extensions for PostgreSQL specific features, such
as :class:`~django.contrib.postgres.fields.ArrayField`,
@@ -83,7 +83,7 @@ as :class:`~django.contrib.postgres.fields.ArrayField`,
:doc:`in the documentation </ref/contrib/postgres/index>`.
New data types
-~~~~~~~~~~~~~~
+--------------
* Django now has a :class:`~django.db.models.UUIDField` for storing
universally unique identifiers. It is stored as the native ``uuid`` data type
@@ -99,7 +99,7 @@ New data types
<django.forms.DurationField>`.
Query Expressions, Conditional Expressions, and Database Functions
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------------------------
:doc:`Query Expressions </ref/models/expressions>` allow you to create,
customize, and compose complex SQL expressions. This has enabled annotate
@@ -119,7 +119,7 @@ also included with functionality such as
:class:`~django.db.models.functions.Substr`.
``TestCase`` data setup
-~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------
:class:`~django.test.TestCase` has been refactored to allow for data
initialization at the class level using transactions and savepoints. Database
@@ -138,10 +138,10 @@ for each test.
``TestCase``.
Minor features
-~~~~~~~~~~~~~~
+--------------
:mod:`django.contrib.admin`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
* :class:`~django.contrib.admin.ModelAdmin` now has a
:meth:`~django.contrib.admin.ModelAdmin.has_module_permission`
@@ -186,12 +186,12 @@ Minor features
objects using a popup.
:mod:`django.contrib.admindocs`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* reStructuredText is now parsed in model docstrings.
:mod:`django.contrib.auth`
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~
* Authorization backends can now raise
:class:`~django.core.exceptions.PermissionDenied` in
@@ -216,7 +216,7 @@ Minor features
change the default value.
:mod:`django.contrib.gis`
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~
* A new :doc:`GeoJSON serializer </ref/contrib/gis/serializers>` is now
available.
@@ -242,19 +242,19 @@ Minor features
used any longer.
:mod:`django.contrib.sessions`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Session cookie is now deleted after
:meth:`~django.contrib.sessions.backends.base.SessionBase.flush()` is called.
:mod:`django.contrib.sitemaps`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The new :attr:`Sitemap.i18n <django.contrib.sitemaps.Sitemap.i18n>` attribute
allows you to generate a sitemap based on the :setting:`LANGUAGES` setting.
:mod:`django.contrib.sites`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
* :func:`~django.contrib.sites.shortcuts.get_current_site` will now lookup
the current site based on :meth:`request.get_host()
@@ -266,20 +266,20 @@ Minor features
using ``pk=1``).
Cache
-^^^^^
+~~~~~
* The ``incr()`` method of the
``django.core.cache.backends.locmem.LocMemCache`` backend is now thread-safe.
Cryptography
-^^^^^^^^^^^^
+~~~~~~~~~~~~
* The ``max_age`` parameter of the
:meth:`django.core.signing.TimestampSigner.unsign` method now also accepts a
:py:class:`datetime.timedelta` object.
Database backends
-^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~
* The MySQL backend no longer strips microseconds from ``datetime`` values as
MySQL 5.6.4 and up supports fractional seconds depending on the declaration
@@ -296,7 +296,7 @@ Database backends
when getting the description of a table.
Email
-^^^^^
+~~~~~
* :ref:`Email backends <topic-email-backends>` now support the context manager
protocol for opening and closing connections.
@@ -312,7 +312,7 @@ Email
support the ``reply_to`` parameter.
File Storage
-^^^^^^^^^^^^
+~~~~~~~~~~~~
* :meth:`Storage.get_available_name()
<django.core.files.storage.Storage.get_available_name>` and
@@ -325,7 +325,7 @@ File Storage
storage classes.
Forms
-^^^^^
+~~~~~
* Form widgets now render attributes with a value of ``True`` or ``False``
as HTML5 boolean attributes.
@@ -363,7 +363,7 @@ Forms
instantiating a :class:`~django.forms.ChoiceField`.
Generic Views
-^^^^^^^^^^^^^
+~~~~~~~~~~~~~
* Generic views that use :class:`~django.views.generic.list.MultipleObjectMixin`
may now specify the ordering applied to the
@@ -387,7 +387,7 @@ Generic Views
supported but will be removed in Django 1.10.
Internationalization
-^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~
* :setting:`FORMAT_MODULE_PATH` can now be a list of strings representing
module paths. This allows importing several format modules from different
@@ -395,14 +395,14 @@ Internationalization
Django project.
Logging
-^^^^^^^
+~~~~~~~
* The :class:`django.utils.log.AdminEmailHandler` class now has a
:meth:`~django.utils.log.AdminEmailHandler.send_mail` method to make it more
subclass friendly.
Management Commands
-^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~
* Database connections are now always closed after a management command called
from the command line has finished doing its job.
@@ -451,7 +451,7 @@ Management Commands
their dependencies in a project.
Middleware
-^^^^^^^^^^
+~~~~~~~~~~
* The :attr:`CommonMiddleware.response_redirect_class
<django.middleware.common.CommonMiddleware.response_redirect_class>`
@@ -462,7 +462,7 @@ Middleware
in :setting:`DEBUG` mode.
Migrations
-^^^^^^^^^^
+~~~~~~~~~~
* The :class:`~django.db.migrations.operations.RunSQL` operation can now handle
parameters passed to the SQL statements.
@@ -490,7 +490,7 @@ Migrations
<deprecated-signature-of-allow-migrate>` for more details.
Models
-^^^^^^
+~~~~~~
* Django now logs at most 9000 queries in ``connections.queries``, in order
to prevent excessive memory usage in long-running processes in debug mode.
@@ -537,7 +537,7 @@ Models
``None``.
Signals
-^^^^^^^
+~~~~~~~
* Exceptions from the ``(receiver, exception)`` tuples returned by
:meth:`Signal.send_robust() <django.dispatch.Signal.send_robust>` now have
@@ -552,12 +552,12 @@ Signals
situations. Django no longer does so itself.
System Check Framework
-^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~
* :attr:`~django.core.checks.register` can now be used as a function.
Templates
-^^^^^^^^^
+~~~~~~~~~
* :tfilter:`urlize` now supports domain-only links that include characters after
the top-level domain (e.g. ``djangoproject.com/`` and
@@ -574,7 +574,7 @@ Templates
usual syntax: ``{% now 'j n Y' as varname %}``.
Requests and Responses
-^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~
* ``WSGIRequest`` now respects paths starting with ``//``.
@@ -621,7 +621,7 @@ Requests and Responses
conditional view processing now supports the ``If-unmodified-since`` header.
Tests
-^^^^^
+~~~~~
* The :class:`RequestFactory.trace() <django.test.RequestFactory>`
and :class:`Client.trace() <django.test.Client.trace>` methods were
@@ -656,7 +656,7 @@ Tests
between threads.
Validators
-^^^^^^^^^^
+~~~~~~~~~~
* :class:`~django.core.validators.URLValidator` now supports IPv6 addresses,
unicode domains, and URLs containing authentication data.
@@ -673,7 +673,7 @@ Backwards incompatible changes in 1.8
backwards incompatible change.
Related object operations are run in a transaction
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------
Some operations on related objects such as
:meth:`~django.db.models.fields.related.RelatedManager.add()` or direct
@@ -690,7 +690,7 @@ exception in a signal handler will prevent the whole operation.
.. _unsaved-model-instance-check-18:
Assigning unsaved objects to relations raises an error
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------------
.. note::
@@ -737,7 +737,7 @@ objects to the database), you can disable this check by using the
removed in 1.8.4 as it's no longer relevant.)
Management commands that only accept positional arguments
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------
If you have written a custom management command that only accepts positional
arguments and you didn't specify the ``args`` command variable, you might get
@@ -750,7 +750,7 @@ older Django versions, it's better to implement the new
in :doc:`/howto/custom-management-commands`.
Custom test management command arguments through test runner
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------------------
The method to add custom arguments to the `test` management command through the
test runner has changed. Previously, you could provide an `option_list` class
@@ -761,7 +761,7 @@ Now to implement the same behavior, you have to create an
:py:class:`argparse.ArgumentParser` instance.
Model check ensures auto-generated column names are within limits specified by database
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------------------------------------
A field name that's longer than the column name length supported by a database
can create problems. For example, with MySQL you'll get an exception trying to
@@ -783,7 +783,7 @@ and then specify :attr:`~django.db.models.Field.db_column` on its column(s)
as needed.
Query relation lookups now check object types
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------
Querying for model lookups now checks if the object passed is of correct type
and raises a :exc:`ValueError` if not. Previously, Django didn't care if the
@@ -798,7 +798,7 @@ lookups::
ValueError: Cannot query "<Book: Django>": Must be "Author" instance.
``select_related()`` now checks given fields
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------
``select_related()`` now validates that the given fields actually exist.
Previously, nonexistent fields were silently ignored. Now, an error is raised::
@@ -816,7 +816,7 @@ The validation also makes sure that the given field is relational::
FieldError: Non-relational field given in select_related: 'name'
Default ``EmailField.max_length`` increased to 254
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------
The old default 75 character ``max_length`` was not capable of storing all
possible RFC3696/5321-compliant email addresses. In order to store all
@@ -827,7 +827,7 @@ your current fields). A migration for
:attr:`django.contrib.auth.models.User.email` is included.
Support for PostgreSQL versions older than 9.0
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------
The end of upstream support periods was reached in July 2014 for PostgreSQL 8.4.
As a consequence, Django 1.8 sets 9.0 as the minimum PostgreSQL version it
@@ -840,21 +840,21 @@ Django also now requires the use of Psycopg2 version 2.4.5 or higher (or 2.5+
if you want to use :mod:`django.contrib.postgres`).
Support for MySQL versions older than 5.5
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------
The end of upstream support periods was reached in January 2012 for MySQL 5.0
and December 2013 for MySQL 5.1. As a consequence, Django 1.8 sets 5.5 as the
minimum MySQL version it officially supports.
Support for Oracle versions older than 11.1
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------
The end of upstream support periods was reached in July 2010 for Oracle 9.2,
January 2012 for Oracle 10.1, and July 2013 for Oracle 10.2. As a consequence,
Django 1.8 sets 11.1 as the minimum Oracle version it officially supports.
Specific privileges used instead of roles for tests on Oracle
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------------------
Earlier versions of Django granted the CONNECT and RESOURCE roles to the test
user on Oracle. These roles have been deprecated, so Django 1.8 uses the
@@ -864,7 +864,7 @@ creating a test user). The exact privileges required now are detailed in
:ref:`Oracle notes <oracle-notes>`.
``AbstractUser.last_login`` allows null values
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------
The :attr:`AbstractUser.last_login <django.contrib.auth.models.User.last_login>`
field now allows null values. Previously, it defaulted to the time when the user
@@ -888,7 +888,7 @@ for users who haven't logged in, you can run this query::
).update(last_login=None)
:mod:`django.contrib.gis`
-~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------
* Support for GEOS 3.1 and GDAL 1.6 has been dropped.
@@ -904,7 +904,7 @@ for users who haven't logged in, you can run this query::
contain the SRID value of geometry objects.
Priority of context processors for ``TemplateResponse`` brought in line with ``render``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------------------------------------
The :class:`~django.template.response.TemplateResponse` constructor is designed to be a
drop-in replacement for the :func:`~django.shortcuts.render` function. However,
@@ -918,7 +918,7 @@ in the view. If you were relying on the fact context data in a
need to change your code.
Overriding ``setUpClass`` / ``tearDownClass`` in test cases
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------------------
The decorators :func:`~django.test.override_settings` and
:func:`~django.test.modify_settings` now act at the class level when used as
@@ -926,7 +926,7 @@ class decorators. As a consequence, when overriding ``setUpClass()`` or
``tearDownClass()``, the ``super`` implementation should always be called.
Removal of ``django.contrib.formtools``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------
The formtools contrib app has been moved to a separate package and the
relevant documentation pages have been updated or removed.
@@ -936,7 +936,7 @@ The new package is available `on GitHub`_ and on PyPI.
.. _on GitHub: https://github.com/django/django-formtools/
Database connection reloading between tests
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------
Django previously closed database connections between each test within a
``TestCase``. This is no longer the case as Django now wraps the whole
@@ -944,7 +944,7 @@ Django previously closed database connections between each test within a
behavior, you should have them inherit from ``TransactionTestCase`` instead.
Cleanup of the ``django.template`` namespace
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------
If you've been relying on private APIs exposed in the ``django.template``
module, you may have to import them from ``django.template.base`` instead.
@@ -954,7 +954,7 @@ Also private APIs ``django.template.base.compile_string()``,
``django.template.loader.get_template_from_string()`` were removed.
``model`` attribute on private model relations
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------
In earlier versions of Django, on a model with a reverse foreign key
relationship (for example), ``model._meta.get_all_related_objects()`` returned
@@ -992,7 +992,7 @@ Also note that ``get_all_related_objects()`` is deprecated in 1.8. See the
:ref:`upgrade guide <migrating-old-meta-api>` for the new API.
Database backend API
-~~~~~~~~~~~~~~~~~~~~
+--------------------
The following changes to the database backend API are documented to assist
those writing third-party backends in updating their code:
@@ -1021,7 +1021,7 @@ those writing third-party backends in updating their code:
``timedelta`` parameter.
:mod:`django.contrib.admin`
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------
* ``AdminSite`` no longer takes an ``app_name`` argument and its ``app_name``
attribute has been removed. The application name is always ``admin`` (as
@@ -1038,7 +1038,7 @@ those writing third-party backends in updating their code:
identifier used to retrieve the object before deletion.
Default autoescaping of functions in ``django.template.defaultfilters``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------------------------------
In order to make built-in template filters that output HTML "safe by default"
when calling them in Python code, the following functions in
@@ -1058,7 +1058,7 @@ are passing trusted content. This change doesn't have any effect when using
the corresponding filters in templates.
Miscellaneous
-~~~~~~~~~~~~~
+-------------
* ``connections.queries`` is now a read-only attribute.
@@ -1203,7 +1203,7 @@ Features deprecated in 1.8
==========================
Selected methods in ``django.db.models.options.Options``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------------------
As part of the formalization of the ``Model._meta`` API (from the
:class:`django.db.models.options.Options` class), a number of methods have been
@@ -1223,7 +1223,7 @@ A :ref:`migration guide <migrating-old-meta-api>` has been provided to assist
in converting your code from the old API to the new, official API.
Loading ``cycle`` and ``firstof`` template tags from ``future`` library
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------------------------------
Django 1.6 introduced ``{% load cycle from future %}`` and
``{% load firstof from future %}`` syntax for forward compatibility of the
@@ -1232,7 +1232,7 @@ and will be removed in Django 1.10. You can simply remove the
``{% load ... from future %}`` tags.
``django.conf.urls.patterns()``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
In the olden days of Django, it was encouraged to reference views as strings
in ``urlpatterns``::
@@ -1284,14 +1284,14 @@ Updating your code is as simple as ensuring that ``urlpatterns`` is a list of
]
Passing a string as ``view`` to :func:`~django.conf.urls.url`
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------------------
Related to the previous item, referencing views as strings in the ``url()``
function is deprecated. Pass the callable view as described in the previous
section instead.
Template-related settings
-~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------
As a consequence of the multiple template engines refactor, several settings
are deprecated in favor of :setting:`TEMPLATES`:
@@ -1304,13 +1304,13 @@ are deprecated in favor of :setting:`TEMPLATES`:
* ``TEMPLATE_STRING_IF_INVALID``
``django.core.context_processors``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------
Built-in template context processors have been moved to
``django.template.context_processors``.
``django.test.SimpleTestCase.urls``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------
The attribute ``SimpleTestCase.urls`` for specifying URLconf configuration in
tests has been deprecated and will be removed in Django 1.10. Use
@@ -1318,20 +1318,20 @@ tests has been deprecated and will be removed in Django 1.10. Use
instead.
``prefix`` argument to :func:`~django.conf.urls.i18n.i18n_patterns`
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------------------------
Related to the previous item, the ``prefix`` argument to
:func:`django.conf.urls.i18n.i18n_patterns` has been deprecated. Simply pass a
list of :func:`django.conf.urls.url` instances instead.
Using an incorrect count of unpacked values in the :ttag:`for` template tag
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------------------------
Using an incorrect count of unpacked values in :ttag:`for` tag will raise an
exception rather than fail silently in Django 1.10.
Passing a dotted path to ``reverse()`` and :ttag:`url`
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------------
Reversing URLs by Python path is an expensive operation as it causes the
path being reversed to be imported. This behavior has also resulted in a
@@ -1354,7 +1354,7 @@ or ``name='django.contrib.gis.sitemaps.views.kmz'``.
.. _security issue: https://www.djangoproject.com/weblog/2014/apr/21/security/#s-issue-unexpected-code-execution-using-reverse
Aggregate methods and modules
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------
The ``django.db.models.sql.aggregates`` and
``django.contrib.gis.db.models.sql.aggregates`` modules (both private API), have
@@ -1377,7 +1377,7 @@ in Django 1.10:
* ``Query.append_aggregate_mask()``, replaced by ``append_annotation_mask()``.
Extending management command arguments through ``Command.option_list``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------------------------------
Management commands now use :py:mod:`argparse` instead of :py:mod:`optparse` to
parse command-line arguments passed to commands. This also means that the way
@@ -1388,21 +1388,21 @@ arguments through ``argparse.add_argument()``. See
:ref:`this example <custom-commands-options>` for more details.
``django.core.management.NoArgsCommand``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------
The class ``NoArgsCommand`` is now deprecated and will be removed in Django
1.10. Use :class:`~django.core.management.BaseCommand` instead, which takes no
arguments by default.
Listing all migrations in a project
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------
The ``--list`` option of the :djadmin:`migrate` management command is
deprecated and will be removed in Django 1.10. Use :djadmin:`showmigrations`
instead.
``cache_choices`` option of ``ModelChoiceField`` and ``ModelMultipleChoiceField``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------------------------------
:class:`~django.forms.ModelChoiceField` and
:class:`~django.forms.ModelMultipleChoiceField` took an undocumented, untested
@@ -1411,27 +1411,27 @@ the same ``Form`` object. This option is subject to an accelerated deprecation
and will be removed in Django 1.9.
``django.template.resolve_variable()``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------
The function has been informally marked as "Deprecated" for some time. Replace
``resolve_variable(path, context)`` with
``django.template.Variable(path).resolve(context)``.
``django.contrib.webdesign``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------
It provided the :ttag:`lorem` template tag which is now included in the
built-in tags. Simply remove ``'django.contrib.webdesign'`` from
:setting:`INSTALLED_APPS` and ``{% load webdesign %}`` from your templates.
``error_message`` argument to ``django.forms.RegexField``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------
It provided backwards compatibility for pre-1.0 code, but its functionality is
redundant. Use ``Field.error_messages['invalid']`` instead.
Old :tfilter:`unordered_list` syntax
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------
An older (pre-1.0), more restrictive and verbose input format for the
:tfilter:`unordered_list` template filter has been deprecated::
@@ -1443,13 +1443,13 @@ Using the new syntax, this becomes::
``['States', ['Kansas', ['Lawrence', 'Topeka'], 'Illinois']]``
``django.forms.Field._has_changed()``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------
Rename this method to :meth:`~django.forms.Field.has_changed` by removing the
leading underscore. The old name will still work until Django 1.10.
``django.utils.html.remove_tags()`` and ``removetags`` template filter
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------------------------------
``django.utils.html.remove_tags()`` as well as the template filter
``removetags`` have been deprecated as they cannot guarantee safe output. Their
@@ -1460,12 +1460,12 @@ The unused and undocumented ``django.utils.html.strip_entities()`` function has
also been deprecated.
``is_admin_site`` argument to ``django.contrib.auth.views.password_reset()``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------------------------------------
It's a legacy option that should no longer be necessary.
``SubfieldBase``
-~~~~~~~~~~~~~~~~
+----------------
``django.db.models.fields.subclassing.SubfieldBase`` has been deprecated and
will be removed in Django 1.10. Historically, it was used to handle fields where
@@ -1476,7 +1476,7 @@ not call the :meth:`~django.db.models.Field.to_python` method on assignment
as was the case with ``SubfieldBase``.
``django.utils.checksums``
-~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------
The ``django.utils.checksums`` module has been deprecated and will be removed
in Django 1.10. The functionality it provided (validating checksum using the
@@ -1486,7 +1486,7 @@ moved to the `django-localflavor`_ package (version 1.1+).
.. _django-localflavor: https://pypi.python.org/pypi/django-localflavor
``InlineAdminForm.original_content_type_id``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------
The ``original_content_type_id`` attribute on ``InlineAdminForm`` has been
deprecated and will be removed in Django 1.10. Historically, it was used
@@ -1494,14 +1494,14 @@ to construct the "view on site" URL. This URL is now accessible using the
``absolute_url`` attribute of the form.
``django.views.generic.edit.FormMixin.get_form()``’s ``form_class`` argument
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------------------------------------
``FormMixin`` subclasses that override the ``get_form()`` method should make
sure to provide a default value for the ``form_class`` argument since it's
now optional.
Rendering templates loaded by :func:`~django.template.loader.get_template()` with a :class:`~django.template.Context`
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------------------------------------------------------------------
The return type of :func:`~django.template.loader.get_template()` has changed
in Django 1.8: instead of a :class:`django.template.Template`, it returns a
@@ -1518,7 +1518,7 @@ Since it's easier to understand with examples, the :ref:`upgrade guide
All this also applies to :func:`~django.template.loader.select_template()`.
:class:`~django.template.Template` and :class:`~django.template.Context` classes in template responses
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------------------------------------------------------------
Some methods of :class:`~django.template.response.SimpleTemplateResponse` and
:class:`~django.template.response.TemplateResponse` accepted
@@ -1533,7 +1533,7 @@ Check the :doc:`template response API documentation </ref/template-response>`
for details.
``current_app`` argument of template-related APIs
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------
The following functions and classes will no longer accept a ``current_app``
parameter to set an URL namespace in Django 1.10:
@@ -1548,7 +1548,7 @@ to these functions or classes. If you're using a plain ``Context``, use a
``RequestContext`` instead.
``dictionary`` and ``context_instance`` arguments of rendering functions
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------------------------------
The following functions will no longer accept the ``dictionary`` and
``context_instance`` parameters in Django 1.10:
@@ -1566,7 +1566,7 @@ pass a :class:`dict` in the ``context`` parameter instead. If you're passing a
``request`` parameter.
``dirs`` argument of template-finding functions
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------
The following functions will no longer accept a ``dirs`` parameter to override
``TEMPLATE_DIRS`` in Django 1.10:
@@ -1580,14 +1580,14 @@ The parameter didn't work consistently across different template loaders and
didn't work for included templates.
``django.template.loader.BaseLoader``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------
``django.template.loader.BaseLoader`` was renamed to
``django.template.loaders.base.Loader``. If you've written a custom template
loader that inherits ``BaseLoader``, you must inherit ``Loader`` instead.
``django.test.utils.TestTemplateLoader``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------
Private API ``django.test.utils.TestTemplateLoader`` is deprecated in favor of
``django.template.loaders.locmem.Loader`` and will be removed in Django 1.9.
@@ -1595,7 +1595,7 @@ Private API ``django.test.utils.TestTemplateLoader`` is deprecated in favor of
.. _storage-max-length-update:
Support for the ``max_length`` argument on custom ``Storage`` classes
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------------------
``Storage`` subclasses should add ``max_length=None`` as a parameter to
:meth:`~django.core.files.storage.Storage.get_available_name` and/or
@@ -1604,7 +1604,7 @@ Support for storages that do not accept this argument will be removed in
Django 1.10.
``qn`` replaced by ``compiler``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
In previous Django versions, various internal ORM methods (mostly ``as_sql``
methods) accepted a ``qn`` (for "quote name") argument, which was a reference
@@ -1618,14 +1618,14 @@ deprecated: you should rename your ``qn`` arguments to ``compiler``, and call
``qn(...)``.
Default value of ``RedirectView.permanent``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------
The default value of the
:attr:`RedirectView.permanent <django.views.generic.base.RedirectView.permanent>`
attribute will change from ``True`` to ``False`` in Django 1.9.
Using ``AuthenticationMiddleware`` without ``SessionAuthenticationMiddleware``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------------------------------------
``django.contrib.auth.middleware.SessionAuthenticationMiddleware`` was
added in Django 1.7. In Django 1.7.2, its functionality was moved to
@@ -1640,14 +1640,14 @@ to your ``MIDDLEWARE_CLASSES`` sometime before then to opt-in. Please read the
:ref:`upgrade considerations <session-invalidation-on-password-change>` first.
``django.contrib.sitemaps.FlatPageSitemap``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------
``django.contrib.sitemaps.FlatPageSitemap`` has moved to
``django.contrib.flatpages.sitemaps.FlatPageSitemap``. The old import location
is deprecated and will be removed in Django 1.9.
Model ``Field.related``
-~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------
Private attribute ``django.db.models.Field.related`` is deprecated in favor
of ``Field.rel``. The latter is an instance of
@@ -1657,7 +1657,7 @@ module has been removed and the ``Field.related`` attribute will be removed in
Django 1.10.
``ssi`` template tag
-~~~~~~~~~~~~~~~~~~~~
+--------------------
The ``ssi`` template tag allows files to be included in a template by
absolute path. This is of limited use in most deployment situations, and
@@ -1665,20 +1665,20 @@ the :ttag:`include` tag often makes more sense. This tag is now deprecated and
will be removed in Django 1.10.
``=`` as comparison operator in ``if`` template tag
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------
Using a single equals sign with the ``{% if %}`` template tag for equality
testing was undocumented and untested. It's now deprecated in favor of ``==``.
``%(<foo>)s`` syntax in ``ModelFormMixin.success_url``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------------
The legacy ``%(<foo>)s`` syntax in :attr:`ModelFormMixin.success_url
<django.views.generic.edit.ModelFormMixin.success_url>` is deprecated and
will be removed in Django 1.10.
``GeoQuerySet`` aggregate methods
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
The ``collect()``, ``extent()``, ``extent3d()``, ``make_line()``, and
``unionagg()`` aggregate methods are deprecated and should be replaced by their
@@ -1688,7 +1688,7 @@ function-based aggregate equivalents (``Collect``, ``Extent``, ``Extent3D``,
.. _deprecated-signature-of-allow-migrate:
Signature of the ``allow_migrate`` router method
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------
The signature of the :meth:`allow_migrate` method of database routers has
changed from ``allow_migrate(db, model)`` to
diff --git a/docs/releases/1.9.txt b/docs/releases/1.9.txt
index a74798b928..dc43dce873 100644
--- a/docs/releases/1.9.txt
+++ b/docs/releases/1.9.txt
@@ -29,7 +29,7 @@ What's new in Django 1.9
========================
Performing actions after a transaction commit
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------
The new :func:`~django.db.transaction.on_commit` hook allows performing actions
after a database transaction is successfully committed. This is useful for
@@ -42,7 +42,7 @@ integrated into Django.
.. _django-transaction-hooks: https://pypi.python.org/pypi/django-transaction-hooks
Password validation
-~~~~~~~~~~~~~~~~~~~
+-------------------
Django now offers password validation to help prevent the usage of weak
passwords by users. The validation is integrated in the included password
@@ -82,7 +82,7 @@ the included auth forms for your project, you could set, for example::
See :ref:`password-validation` for more details.
Permission mixins for class-based views
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------
Django now ships with the mixins
:class:`~django.contrib.auth.mixins.AccessMixin`,
@@ -119,7 +119,7 @@ though:
.. _django-braces: http://django-braces.readthedocs.org/en/latest/index.html
New styling for ``contrib.admin``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
The admin sports a modern, flat design with new SVG icons which look perfect
on HiDPI screens. It still provides a fully-functional experience to `YUI's
@@ -129,7 +129,7 @@ degradation.
.. _YUI's A-grade: https://github.com/yui/yui3/wiki/Graded-Browser-Support
Running tests in parallel
-~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------
The :djadmin:`test` command now supports a :option:`--parallel <test
--parallel>` option to run a project's tests in multiple processes in parallel.
@@ -144,10 +144,10 @@ This option is enabled by default for Django's own test suite provided:
- the database backend supports it (all the built-in backends but Oracle)
Minor features
-~~~~~~~~~~~~~~
+--------------
:mod:`django.contrib.admin`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Admin views now have ``model_admin`` or ``admin_site`` attributes.
@@ -185,13 +185,13 @@ Minor features
* JavaScript slug generation now supports Romanian characters.
:mod:`django.contrib.admindocs`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The model section of the ``admindocs`` now also describes methods that take
arguments, rather than ignoring them.
:mod:`django.contrib.auth`
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~
* The default iteration count for the PBKDF2 password hasher has been increased
by 20%. This backwards compatible change will not affect users who have
@@ -219,14 +219,14 @@ Minor features
``extra_email_context`` parameter.
:mod:`django.contrib.contenttypes`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* It's now possible to use
:attr:`~django.db.models.Options.order_with_respect_to` with a
``GenericForeignKey``.
:mod:`django.contrib.gis`
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~
* All ``GeoQuerySet`` methods have been deprecated and replaced by
:doc:`equivalent database functions </ref/contrib/gis/functions>`. As soon
@@ -259,7 +259,7 @@ Minor features
from 2.13 to 2.13.1.
:mod:`django.contrib.postgres`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Added support for the :lookup:`rangefield.contained_by` lookup for some built
in fields which correspond to the range fields.
@@ -272,7 +272,7 @@ Minor features
function.
:mod:`django.contrib.sessions`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The session model and ``SessionStore`` classes for the ``db`` and
``cached_db`` backends are refactored to allow a custom database session
@@ -280,7 +280,7 @@ Minor features
:ref:`extending-database-backed-session-engines` for more details.
:mod:`django.contrib.sites`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
* :func:`~django.contrib.sites.shortcuts.get_current_site` now handles the case
where ``request.get_host()`` returns ``domain:port``, e.g.
@@ -289,14 +289,14 @@ Minor features
lookup is retried with the domain part only.
:mod:`django.contrib.syndication`
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Support for multiple enclosures per feed item has been added. If multiple
enclosures are defined on a RSS feed, an exception is raised as RSS feeds,
unlike Atom feeds, do not support multiple enclosures per feed item.
Cache
-^^^^^
+~~~~~
* ``django.core.cache.backends.base.BaseCache`` now has a ``get_or_set()``
method.
@@ -306,7 +306,7 @@ Cache
to better prevent caching. This was also added in Django 1.8.8.
CSRF
-^^^^
+~~~~
* The request header's name used for CSRF authentication can be customized
with :setting:`CSRF_HEADER_NAME`.
@@ -319,14 +319,14 @@ CSRF
cross-origin unsafe requests (e.g. ``POST``) over HTTPS.
Database backends
-^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~
* The PostgreSQL backend (``django.db.backends.postgresql_psycopg2``) is also
available as ``django.db.backends.postgresql``. The old name will continue to
be available for backwards compatibility.
File Storage
-^^^^^^^^^^^^
+~~~~~~~~~~~~
* :meth:`Storage.get_valid_name()
<django.core.files.storage.Storage.get_valid_name>` is now called when
@@ -336,7 +336,7 @@ File Storage
Python 3.
Forms
-^^^^^
+~~~~~
* :class:`~django.forms.ModelForm` accepts the new ``Meta`` option
``field_classes`` to customize the type of the fields. See
@@ -368,7 +368,7 @@ Forms
:meth:`~django.forms.Field.get_bound_field()` method.
Generic Views
-^^^^^^^^^^^^^
+~~~~~~~~~~~~~
* Class-based views generated using ``as_view()`` now have ``view_class``
and ``view_initkwargs`` attributes.
@@ -378,7 +378,7 @@ Generic Views
of methods <decorating-class-based-views>`.
Internationalization
-^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~
* The :func:`django.views.i18n.set_language` view now properly redirects to
:ref:`translated URLs <url-internationalization>`, when available.
@@ -414,7 +414,7 @@ Internationalization
* Two new languages are available: Colombian Spanish and Scottish Gaelic.
Management Commands
-^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~
* The new :djadmin:`sendtestemail` command lets you send a test email to
easily confirm that email sending through Django is working.
@@ -447,7 +447,7 @@ Management Commands
``--no-input`` as an alias for that option.
Migrations
-^^^^^^^^^^
+~~~~~~~~~~
* Initial migrations are now marked with an :attr:`initial = True
<django.db.migrations.Migration.initial>` class attribute which allows
@@ -478,7 +478,7 @@ Migrations
migration from which migrations will be squashed.
Models
-^^^^^^
+~~~~~~
* :meth:`QuerySet.bulk_create() <django.db.models.query.QuerySet.bulk_create>`
now works on proxy models.
@@ -550,7 +550,7 @@ Models
``bulk_create()``.
Requests and Responses
-^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~
* Unless :attr:`HttpResponse.reason_phrase
<django.http.HttpResponse.reason_phrase>` is explicitly set, it now is
@@ -594,7 +594,7 @@ Requests and Responses
the requested URL.
Templates
-^^^^^^^^^
+~~~~~~~~~
* Template tags created with the :meth:`~django.template.Library.simple_tag`
helper can now store results in a template variable by using the ``as``
@@ -638,7 +638,7 @@ Templates
rendering, speeding up reuse in places such as for loops.
Tests
-^^^^^
+~~~~~
* Added the :meth:`json() <django.test.Response.json>` method to test client
responses to give access to the response body as JSON.
@@ -649,7 +649,7 @@ Tests
:meth:`~django.test.Client.login()`.
URLs
-^^^^
+~~~~
* Regular expression lookaround assertions are now allowed in URL patterns.
@@ -661,7 +661,7 @@ URLs
* System checks have been added for common URL pattern mistakes.
Validators
-^^^^^^^^^^
+~~~~~~~~~~
* Added :func:`django.core.validators.int_list_validator` to generate
validators of strings containing integers separated with a custom character.
@@ -684,7 +684,7 @@ Backwards incompatible changes in 1.9
may appear as a backwards incompatible change.
Database backend API
-~~~~~~~~~~~~~~~~~~~~
+--------------------
* A couple of new tests rely on the ability of the backend to introspect column
defaults (returning the result as ``Field.default``). You can set the
@@ -729,13 +729,13 @@ Database backend API
``DatabaseCreation.get_test_db_clone_settings()``.
Default settings that were tuples are now lists
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------
The default settings in ``django.conf.global_settings`` were a combination of
lists and tuples. All settings that were formerly tuples are now lists.
``is_usable`` attribute on template loaders is removed
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------------
Django template loaders previously required an ``is_usable`` attribute to be
defined. If a loader was configured in the template settings and this attribute
@@ -745,7 +745,7 @@ attribute is now removed and the egg loader instead fails at runtime if
setuptools is not installed.
Related set direct assignment
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------
Direct assignment of related objects in the ORM used to perform a ``clear()``
followed by a call to ``add()``. This caused needlessly large data changes and
@@ -764,7 +764,7 @@ assignment for many-to-many relations and as a consequence now use the new
behavior.
Filesystem-based template loaders catch more specific exceptions
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------------------------
When using the :class:`filesystem.Loader <django.template.loaders.filesystem.Loader>`
or :class:`app_directories.Loader <django.template.loaders.app_directories.Loader>`
@@ -777,7 +777,7 @@ does not exist. All other situations result in the original ``IOError`` being
raised.
HTTP redirects no longer forced to absolute URIs
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------------
Relative redirects are no longer converted to absolute URIs. :rfc:`2616`
required the ``Location`` header in redirect responses to be an absolute URI,
@@ -792,19 +792,19 @@ replaced by ``self.assertRedirects(response, '/some-url/')`` (unless the
redirection specifically contained an absolute URL, of course).
Dropped support for PostgreSQL 9.0
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------
Upstream support for PostgreSQL 9.0 ended in September 2015. As a consequence,
Django 1.9 sets 9.1 as the minimum PostgreSQL version it officially supports.
Dropped support for Oracle 11.1
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
Upstream support for Oracle 11.1 ended in August 2015. As a consequence, Django
1.9 sets 11.2 as the minimum Oracle version it officially supports.
Bulk behavior of ``add()`` method of related managers
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------------
To improve performance, the ``add()`` methods of the related managers created
by ``ForeignKey`` and ``GenericForeignKey`` changed from a series of
@@ -813,7 +813,7 @@ that ``pre_save`` and ``post_save`` signals aren't sent anymore. You can use
the ``bulk=False`` keyword argument to revert to the previous behavior.
Template ``LoaderOrigin`` and ``StringOrigin`` are removed
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------------------------------
In previous versions of Django, when a template engine was initialized with
debug as ``True``, an instance of ``django.template.loader.LoaderOrigin`` or
@@ -827,7 +827,7 @@ Django 2.0.
.. _default-logging-changes-19:
Changes to the default logging configuration
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------------
To make it easier to write custom logging configurations, Django's default
logging configuration no longer defines 'django.request' and 'django.security'
@@ -846,7 +846,7 @@ If you are overriding Django's default logging, you should check to see how
your configuration merges with the new defaults.
``HttpRequest`` details in error reporting
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------------------
It was redundant to display the full details of the
:class:`~django.http.HttpRequest` each time it appeared as a stack frame
@@ -861,7 +861,7 @@ traceback of the same structure as in the case of AJAX requests. The traceback
details are rendered by the ``ExceptionReporter.get_traceback_text()`` method.
Removal of time zone aware global adapters and converters for datetimes
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------------------------------
Django no longer registers global adapters and converters for managing time
zone information on :class:`~datetime.datetime` values sent to the database as
@@ -896,7 +896,7 @@ even if you're using :meth:`raw() <django.db.models.query.QuerySet.raw>`
queries. The ORM takes care of managing time zone information.
Template tag modules are imported when templates are configured
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------------
The :class:`~django.template.backends.django.DjangoTemplates` backend now
performs discovery on installed template tag modules when instantiated. This
@@ -908,7 +908,7 @@ rather than when a template with a :ttag:`{% load %}<load>` tag is first
compiled.
``django.template.base.add_to_builtins()`` is removed
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------------
Although it was a private API, projects commonly used ``add_to_builtins()`` to
make template tags and filters available without using the
@@ -920,7 +920,7 @@ define built-in libraries via the ``'builtins'`` key of :setting:`OPTIONS
.. _simple-tag-conditional-escape-fix:
``simple_tag`` now wraps tag output in ``conditional_escape``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------------------
In general, template tags do not autoescape their contents, and this behavior is
:ref:`documented <tags-auto-escaping>`. For tags like
@@ -961,7 +961,7 @@ Tags that follow these rules will be correct and safe whether they are run on
Django 1.9+ or earlier.
``Paginator.page_range``
-~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------
:attr:`Paginator.page_range <django.core.paginator.Paginator.page_range>` is
now an iterator instead of a list.
@@ -974,7 +974,7 @@ Existing code that depends on ``list`` specific features, such as indexing,
can be ported by converting the iterator into a ``list`` using ``list()``.
Implicit ``QuerySet`` ``__in`` lookup removed
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------
In earlier versions, queries such as::
@@ -992,7 +992,7 @@ subquery returns multiple results, at least some databases will throw an error.
.. _admin-browser-support-19:
``contrib.admin`` browser support
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
The admin no longer supports Internet Explorer 8 and below, as these browsers
have reached end-of-life.
@@ -1015,7 +1015,7 @@ a Django application with this structure::
.. _syntax-error-old-setuptools-django-19:
``SyntaxError`` when installing Django setuptools 5.5.x
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------------
When installing Django 1.9+ with setuptools 5.5.x, you'll see::
@@ -1037,7 +1037,7 @@ using pip, you can upgrade pip using ``pip install -U pip`` which will also
upgrade setuptools.
Miscellaneous
-~~~~~~~~~~~~~
+-------------
* The jQuery static files in ``contrib.admin`` have been moved into a
``vendor/jquery`` subdirectory.
@@ -1158,7 +1158,7 @@ Features deprecated in 1.9
==========================
``assignment_tag()``
-~~~~~~~~~~~~~~~~~~~~
+--------------------
Django 1.4 added the ``assignment_tag`` helper to ease the creation of
template tags that store results in a template variable. The
@@ -1167,7 +1167,7 @@ ability, making the ``assignment_tag`` obsolete. Tags that use
``assignment_tag`` should be updated to use ``simple_tag``.
``{% cycle %}`` syntax with comma-separated arguments
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------------
The :ttag:`cycle` tag supports an inferior old syntax from previous Django
versions:
@@ -1180,7 +1180,7 @@ Its parsing caused bugs with the current syntax, so support for the old syntax
will be removed in Django 1.10 following an accelerated deprecation.
``ForeignKey`` and ``OneToOneField`` ``on_delete`` argument
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------------------------------------
In order to increase awareness about cascading model deletion, the
``on_delete`` argument of ``ForeignKey`` and ``OneToOneField`` will be required
@@ -1193,7 +1193,7 @@ can also pass it as the second positional argument if you don't care about
compatibility with older versions of Django.
``Field.rel`` changes
-~~~~~~~~~~~~~~~~~~~~~
+---------------------
``Field.rel`` and its methods and attributes have changed to match the related
fields API. The ``Field.rel`` attribute is renamed to ``remote_field`` and many
@@ -1202,7 +1202,7 @@ of its methods and attributes are either changed or renamed.
The aim of these changes is to provide a documented API for relation fields.
``GeoManager`` and ``GeoQuerySet`` custom methods
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------
All custom ``GeoQuerySet`` methods (``area()``, ``distance()``, ``gml()``, ...)
have been replaced by equivalent geographic expressions in annotations (see in
@@ -1212,7 +1212,7 @@ methods, you can simply remove the ``objects = GeoManager()`` lines from your
models.
Template loader APIs have changed
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
Django template loaders have been updated to allow recursive template
extending. This change necessitated a new template loader API. The old
@@ -1221,7 +1221,7 @@ Details about the new API can be found :ref:`in the template loader
documentation <custom-template-loaders>`.
Passing a 3-tuple or an ``app_name`` to :func:`~django.conf.urls.include()`
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------------------------------
The instance namespace part of passing a tuple as an argument to ``include()``
has been replaced by passing the ``namespace`` argument to ``include()``. For
@@ -1290,7 +1290,7 @@ is deprecated. Instead, pass ``admin.site.urls`` directly to
]
URL application namespace required if setting an instance namespace
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------------------------------------------
In the past, an instance namespace without an application namespace
would serve the same purpose as the application namespace, but it was
@@ -1299,7 +1299,7 @@ with the same name. Includes that specify an instance namespace require that
the included URLconf sets an application namespace.
``current_app`` parameter to ``contrib.auth`` views
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------------
All views in ``django.contrib.auth.views`` have the following structure::
@@ -1317,14 +1317,14 @@ consistency, these views will require the caller to set ``current_app`` on the
``request`` instead of passing it in a separate argument.
``django.contrib.gis.geoip``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------
The :mod:`django.contrib.gis.geoip2` module supersedes
``django.contrib.gis.geoip``. The new module provides a similar API except that
it doesn't provide the legacy GeoIP-Python API compatibility methods.
Miscellaneous
-~~~~~~~~~~~~~
+-------------
* The ``weak`` argument to ``django.dispatch.signals.Signal.disconnect()`` has
been deprecated as it has no effect.
diff --git a/docs/releases/security.txt b/docs/releases/security.txt
index f6f2534baa..cbd5585244 100644
--- a/docs/releases/security.txt
+++ b/docs/releases/security.txt
@@ -1,5 +1,3 @@
-.. _security-releases:
-
==========================
Archive of security issues
==========================
@@ -40,24 +38,24 @@ security process in use. For these, new releases may not have been
issued at the time and CVEs may not have been assigned.
August 16, 2006 - CVE-2007-0404
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
`CVE-2007-0404 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&cid=3>`_: Filename validation issue in translation framework. `Full description <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 0.90 `(patch) <https://github.com/django/django/commit/518d406e53>`__
* Django 0.91 `(patch) <https://github.com/django/django/commit/518d406e53>`__
* Django 0.95 `(patch) <https://github.com/django/django/commit/a132d411c6>`__ (released January 21 2007)
January 21, 2007 - CVE-2007-0405
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
`CVE-2007-0405 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&cid=3>`_: Apparent "caching" of authenticated user. `Full description <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 0.95 `(patch) <https://github.com/django/django/commit/e89f0a6558>`__
@@ -68,179 +66,179 @@ All other security issues have been handled under versions of Django's
security process. These are listed below.
October 26, 2007 - CVE-2007-5712
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
`CVE-2007-5712 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&cid=3>`_: Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 0.91 `(patch) <https://github.com/django/django/commit/8bc36e726c9e8c75c681d3ad232df8e882aaac81>`__
* Django 0.95 `(patch) <https://github.com/django/django/commit/412ed22502e11c50dbfee854627594f0e7e2c234>`__
* Django 0.96 `(patch) <https://github.com/django/django/commit/7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f>`__
May 14, 2008 - CVE-2008-2302
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------
`CVE-2008-2302 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&cid=3>`_: XSS via admin login redirect. `Full description <https://www.djangoproject.com/weblog/2008/may/14/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 0.91 `(patch) <https://github.com/django/django/commit/50ce7fb57d>`__
* Django 0.95 `(patch) <https://github.com/django/django/commit/50ce7fb57d>`__
* Django 0.96 `(patch) <https://github.com/django/django/commit/7791e5c050>`__
September 2, 2008 - CVE-2008-3909
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
`CVE-2008-3909 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&cid=3>`_: CSRF via preservation of POST data during admin login. `Full description <https://www.djangoproject.com/weblog/2008/sep/02/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 0.91 `(patch) <https://github.com/django/django/commit/44debfeaa4473bd28872c735dd3d9afde6886752>`__
* Django 0.95 `(patch) <https://github.com/django/django/commit/aee48854a164382c655acb9f18b3c06c3d238e81>`__
* Django 0.96 `(patch) <https://github.com/django/django/commit/7e0972bded362bc4b851c109df2c8a6548481a8e>`__
July 28, 2009 - CVE-2009-2659
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------
`CVE-2009-2659 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&cid=3>`_: Directory-traversal in development server media handler. `Full description <https://www.djangoproject.com/weblog/2009/jul/28/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 0.96 `(patch) <https://github.com/django/django/commit/da85d76fd6>`__
* Django 1.0 `(patch) <https://github.com/django/django/commit/df7f917b7f>`__
October 9, 2009 - CVE-2009-3965
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
`CVE-2009-3965 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&cid=3>`_: Denial-of-service via pathological regular expression performance. `Full description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.0 `(patch) <https://github.com/django/django/commit/594a28a904>`__
* Django 1.1 `(patch) <https://github.com/django/django/commit/e3e992e18b>`__
September 8, 2010 - CVE-2010-3082
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
`CVE-2010-3082 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&cid=3>`_: XSS via trusting unsafe cookie value. `Full description <https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.2 `(patch) <https://github.com/django/django/commit/7f84657b6b>`__
December 22, 2010 - CVE-2010-4534
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
`CVE-2010-4534 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&cid=3>`_: Information leakage in administrative interface. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.1 `(patch) <https://github.com/django/django/commit/17084839fd>`__
* Django 1.2 `(patch) <https://github.com/django/django/commit/85207a245b>`__
December 22, 2010 - CVE-2010-4535
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
`CVE-2010-4535 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&cid=2>`_: Denial-of-service in password-reset mechanism. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.1 `(patch) <https://github.com/django/django/commit/7f8dd9cbac>`__
* Django 1.2 `(patch) <https://github.com/django/django/commit/d5d8942a16>`__
February 8, 2011 - CVE-2011-0696
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
`CVE-2011-0696 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&cid=2>`_: CSRF via forged HTTP headers. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.1 `(patch) <https://github.com/django/django/commit/408c5c873c>`__
* Django 1.2 `(patch) <https://github.com/django/django/commit/818e70344e>`__
February 8, 2011 - CVE-2011-0697
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
`CVE-2011-0697 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&cid=2>`_: XSS via unsanitized names of uploaded files. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.1 `(patch) <https://github.com/django/django/commit/1966786d2d>`__
* Django 1.2 `(patch) <https://github.com/django/django/commit/1f814a9547>`__
February 8, 2011 - CVE-2011-0698
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
`CVE-2011-0698 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&cid=2>`_: Directory-traversal on Windows via incorrect path-separator handling. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.1 `(patch) <https://github.com/django/django/commit/570a32a047>`__
* Django 1.2 `(patch) <https://github.com/django/django/commit/194566480b>`__
September 9, 2011 - CVE-2011-4136
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
`CVE-2011-4136 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&cid=2>`_: Session manipulation when using memory-cache-backed session. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.2 `(patch) <https://github.com/django/django/commit/ac7c3a110f>`__
* Django 1.3 `(patch) <https://github.com/django/django/commit/fbe2eead2f>`__
September 9, 2011 - CVE-2011-4137
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
`CVE-2011-4137 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&cid=2>`_: Denial-of-service via via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.2 `(patch) <https://github.com/django/django/commit/7268f8af86>`__
* Django 1.3 `(patch) <https://github.com/django/django/commit/1a76dbefdf>`__
September 9, 2011 - CVE-2011-4138
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
`CVE-2011-4138 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&cid=2>`_: Information leakage/arbitrary request issuance via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.2: `(patch) <https://github.com/django/django/commit/7268f8af86>`__
* Django 1.3: `(patch) <https://github.com/django/django/commit/1a76dbefdf>`__
September 9, 2011 - CVE-2011-4139
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
`CVE-2011-4139 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&cid=2>`_: ``Host`` header cache poisoning. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.2 `(patch) <https://github.com/django/django/commit/c613af4d64>`__
* Django 1.3 `(patch) <https://github.com/django/django/commit/2f7fadc38e>`__
September 9, 2011 - CVE-2011-4140
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
`CVE-2011-4140 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140&cid=2>`_: Potential CSRF via ``Host`` header. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
This notification was an advisory only, so no patches were issued.
@@ -248,165 +246,165 @@ This notification was an advisory only, so no patches were issued.
* Django 1.3
July 30, 2012 - CVE-2012-3442
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------
`CVE-2012-3442 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3442&cid=2>`_: XSS via failure to validate redirect scheme. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.3: `(patch) <https://github.com/django/django/commit/4dea4883e6c50d75f215a6b9bcbd95273f57c72d>`__
* Django 1.4: `(patch) <https://github.com/django/django/commit/e34685034b60be1112160e76091e5aee60149fa1>`__
July 30, 2012 - CVE-2012-3443
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------
`CVE-2012-3443 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3443&cid=2>`_: Denial-of-service via compressed image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.3: `(patch) <https://github.com/django/django/commit/b2eb4787a0fff9c9993b78be5c698e85108f3446>`__
* Django 1.4: `(patch) <https://github.com/django/django/commit/c14f325c4eef628bc7bfd8873c3a72aeb0219141>`__
July 30, 2012 - CVE-2012-3444
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------
`CVE-2012-3444 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3444&cid=2>`_: Denial-of-service via large image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.3 `(patch) <https://github.com/django/django/commit/9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155>`__
* Django 1.4 `(patch) <https://github.com/django/django/commit/da33d67181b53fe6cc737ac1220153814a1509f6>`__
October 17, 2012 - CVE-2012-4520
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
`CVE-2012-4520 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4520&cid=2>`_: ``Host`` header poisoning. `Full description <https://www.djangoproject.com/weblog/2012/oct/17/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.3 `(patch) <https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071>`__
* Django 1.4 `(patch) <https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3>`__
December 10, 2012 - No CVE 1
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------
Additional hardening of ``Host`` header handling. `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.3 `(patch) <https://github.com/django/django/commit/2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b>`__
* Django 1.4 `(patch) <https://github.com/django/django/commit/319627c184e71ae267d6b7f000e293168c7b6e09>`__
December 10, 2012 - No CVE 2
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------
Additional hardening of redirect validation. `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.3: `(patch) <https://github.com/django/django/commit/1515eb46daa0897ba5ad5f0a2db8969255f1b343>`__
* Django 1.4: `(patch) <https://github.com/django/django/commit/b2ae0a63aeec741f1e51bac9a95a27fd635f9652>`__
February 19, 2013 - No CVE
-~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------
Additional hardening of ``Host`` header handling. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.3 `(patch) <https://github.com/django/django/commit/27cd872e6e36a81d0bb6f5b8765a1705fecfc253>`__
* Django 1.4 `(patch) <https://github.com/django/django/commit/9936fdb11d0bbf0bd242f259bfb97bbf849d16f8>`__
February 19, 2013 - CVE-2013-1664/1665
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------------
`CVE-2013-1664 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1664&cid=2>`_ and `CVE-2013-1665 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1665&cid=2>`_: Entity-based attacks against Python XML libraries. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.3 `(patch) <https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112>`__
* Django 1.4 `(patch) <https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40>`__
February 19, 2013 - CVE-2013-0305
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
`CVE-2013-0305 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0305&cid=2>`_: Information leakage via admin history log. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.3 `(patch) <https://github.com/django/django/commit/d3a45e10c8ac8268899999129daa27652ec0da35>`__
* Django 1.4 `(patch) <https://github.com/django/django/commit/0e7861aec73702f7933ce2a93056f7983939f0d6>`__
February 19, 2013 - CVE-2013-0306
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
`CVE-2013-0306 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0306&cid=2>`_: Denial-of-service via formset ``max_num`` bypass. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.3 `(patch) <https://github.com/django/django/commit/d7094bbce8cb838f3b40f504f198c098ff1cf727>`__
* Django 1.4 `(patch) <https://github.com/django/django/commit/0cc350a896f70ace18280410eb616a9197d862b0>`__
August 13, 2013 - CVE-2013-4249
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
`CVE-2013-4249 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4249&cid=2>`_: XSS via admin trusting ``URLField`` values. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.5 `(patch) <https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78>`__
August 13, 2013 - CVE-2013-6044
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
`CVE-2013-6044 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6044&cid=2>`_: Possible XSS via unvalidated URL redirect schemes. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.4 `(patch) <https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a>`__
* Django 1.5 `(patch) <https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f>`__
September 10, 2013 - CVE-2013-4315
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------
`CVE-2013-4315 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4315&cid=2>`_ Directory-traversal via ``ssi`` template tag. `Full description <https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.4 `(patch) <https://github.com/django/django/commit/87d2750b39f6f2d54b7047225521a44dcd37e896>`__
* Django 1.5 `(patch) <https://github.com/django/django/commit/988b61c550d798f9a66d17ee0511fb7a9a7f33ca>`__
September 14, 2013 - CVE-2013-1443
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------------
CVE-2013-1443: Denial-of-service via large passwords. `Full description <https://www.djangoproject.com/weblog/2013/sep/15/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.4 `(patch <https://github.com/django/django/commit/3f3d887a6844ec2db743fee64c9e53e04d39a368>`__ and `Python compatibility fix) <https://github.com/django/django/commit/6903d1690a92aa040adfb0c8eb37cf62e4206714>`__
* Django 1.5 `(patch) <https://github.com/django/django/commit/22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc>`__
April 21, 2014 - CVE-2014-0472
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------
`CVE-2014-0472 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0472&cid=2>`_: Unexpected code execution using ``reverse()``. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.4 `(patch) <https://github.com/django/django/commit/c1a8c420fe4b27fb2caf5e46d23b5712fc0ac535>`__
* Django 1.5 `(patch) <https://github.com/django/django/commit/2a5bcb69f42b84464b24b5c835dca6467b6aa7f1>`__
@@ -414,12 +412,12 @@ Versions affected
* Django 1.7 `(patch) <https://github.com/django/django/commit/546740544d7f69254a67b06a3fc7fa0c43512958>`__
April 21, 2014 - CVE-2014-0473
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------
`CVE-2014-0473 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0473&cid=2>`_: Caching of anonymous pages could reveal CSRF token. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.4 `(patch) <https://github.com/django/django/commit/1170f285ddd6a94a65f911a27788ba49ca08c0b0>`__
* Django 1.5 `(patch) <https://github.com/django/django/commit/6872f42757d7ef6a97e0b6ec5db4d2615d8a2bd8>`__
@@ -427,12 +425,12 @@ Versions affected
* Django 1.7 `(patch) <https://github.com/django/django/commit/380545bf85cbf17fc698d136815b7691f8d023ca>`__
April 21, 2014 - CVE-2014-0474
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------
`CVE-2014-0474 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0474&cid=2>`_: MySQL typecasting causes unexpected query results. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.4 `(patch) <https://github.com/django/django/commit/aa80f498de6d687e613860933ac58433ab71ea4b>`__
* Django 1.5 `(patch) <https://github.com/django/django/commit/985434fb1d6bf2335bf96c6ebf91c3674f1f399f>`__
@@ -440,12 +438,12 @@ Versions affected
* Django 1.7 `(patch) <https://github.com/django/django/commit/34526c2f56b863c2103655a0893ac801667e86ea>`__
May 18, 2014 - CVE-2014-1418
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------
`CVE-2014-1418 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1418&cid=2>`_: Caches may be allowed to store and serve private data. `Full description <https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.4 `(patch) <https://github.com/django/django/commit/28e23306aa53bbbb8fb87db85f99d970b051026c>`__
* Django 1.5 `(patch) <https://github.com/django/django/commit/4001ec8698f577b973c5a540801d8a0bbea1205b>`__
@@ -453,12 +451,12 @@ Versions affected
* Django 1.7 `(patch) <https://github.com/django/django/commit/7fef18ba9e5a8b47bc24b5bb259c8bf3d3879f2a>`__
May 18, 2014 - CVE-2014-3730
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------
`CVE-2014-3730 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3730&cid=2>`_: Malformed URLs from user input incorrectly validated. `Full description <https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.4 `(patch) <https://github.com/django/django/commit/7feb54bbae3f637ab3c4dd4831d4385964f574df>`__
* Django 1.5 `(patch) <https://github.com/django/django/commit/ad32c218850ad40972dcef57beb460f8c979dd6d>`__
@@ -466,12 +464,12 @@ Versions affected
* Django 1.7 `(patch) <https://github.com/django/django/commit/e7b0cace455c2da24492660636bfd48c45a19cdf>`__
August 20, 2014 - CVE-2014-0480
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
`CVE-2014-0480 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0480&cid=2>`_: reverse() can generate URLs pointing to other hosts. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.4 `(patch) <https://github.com/django/django/commit/c2fe73133b62a1d9e8f7a6b43966570b14618d7e>`__
* Django 1.5 `(patch) <https://github.com/django/django/commit/45ac9d4fb087d21902469fc22643f5201d41a0cd>`__
@@ -479,12 +477,12 @@ Versions affected
* Django 1.7 `(patch) <https://github.com/django/django/commit/bf650a2ee78c6d1f4544a875dcc777cf27fe93e9>`__
August 20, 2014 - CVE-2014-0481
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
`CVE-2014-0481 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0481&cid=2>`_: File upload denial of service. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.4 `(patch) <https://github.com/django/django/commit/30042d475bf084c6723c6217a21598d9247a9c41>`__
* Django 1.5 `(patch) <https://github.com/django/django/commit/26cd48e166ac4d84317c8ee6d63ac52a87e8da99>`__
@@ -492,12 +490,12 @@ Versions affected
* Django 1.7 `(patch) <https://github.com/django/django/commit/3123f8452cf49071be9110e277eea60ba0032216>`__
August 20, 2014 - CVE-2014-0482
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
`CVE-2014-0482 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0482&cid=2>`_: RemoteUserMiddleware session hijacking. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.4 `(patch) <https://github.com/django/django/commit/c9e3b9949cd55f090591fbdc4a114fcb8368b6d9>`__
* Django 1.5 `(patch) <https://github.com/django/django/commit/dd68f319b365f6cb38c5a6c106faf4f6142d7d88>`__
@@ -505,12 +503,12 @@ Versions affected
* Django 1.7 `(patch) <https://github.com/django/django/commit/1a45d059c70385fcd6f4a3955f3b4e4cc96d0150>`__
August 20, 2014 - CVE-2014-0483
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------------
`CVE-2014-0483 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0483&cid=2>`_: Data leakage via querystring manipulation in admin. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.4 `(patch) <https://github.com/django/django/commit/027bd348642007617518379f8b02546abacaa6e0>`__
* Django 1.5 `(patch) <https://github.com/django/django/commit/2a446c896e7c814661fb9c4f212b071b2a7fa446>`__
@@ -518,94 +516,94 @@ Versions affected
* Django 1.7 `(patch) <https://github.com/django/django/commit/2b31342cdf14fc20e07c43d258f1e7334ad664a6>`__
January 13, 2015 - CVE-2015-0219
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
`CVE-2015-0219 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0219&cid=2>`_:
WSGI header spoofing via underscore/dash conflation.
`Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.4 `(patch) <https://github.com/django/django/commit/4f6fffc1dc429f1ad428ecf8e6620739e8837450>`__
* Django 1.6 `(patch) <https://github.com/django/django/commit/d7597b31d5c03106eeba4be14a33b32a5e25f4ee>`__
* Django 1.7 `(patch) <https://github.com/django/django/commit/41b4bc73ee0da7b2e09f4af47fc1fd21144c710f>`__
January 13, 2015 - CVE-2015-0220
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
`CVE-2015-0220 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0220&cid=2>`_: Mitigated possible XSS attack via user-supplied redirect URLs. `Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.4 `(patch) <https://github.com/django/django/commit/4c241f1b710da6419d9dca160e80b23b82db7758>`__
* Django 1.6 `(patch) <https://github.com/django/django/commit/72e0b033662faa11bb7f516f18a132728aa0ae28>`__
* Django 1.7 `(patch) <https://github.com/django/django/commit/de67dedc771ad2edec15c1d00c083a1a084e1e89>`__
January 13, 2015 - CVE-2015-0221
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
`CVE-2015-0221 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0221&cid=2>`_:
Denial-of-service attack against ``django.views.static.serve()``.
`Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.4 `(patch) <https://github.com/django/django/commit/d020da6646c5142bc092247d218a3d1ce3e993f7>`__
* Django 1.6 `(patch) <https://github.com/django/django/commit/553779c4055e8742cc832ed525b9ee34b174934f>`__
* Django 1.7 `(patch) <https://github.com/django/django/commit/818e59a3f0fbadf6c447754d202d88df025f8f2a>`__
January 13, 2015 - CVE-2015-0222
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+--------------------------------
`CVE-2015-0222 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0222&cid=2>`_:
Database denial-of-service with ``ModelMultipleChoiceField``.
`Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.6 `(patch) <https://github.com/django/django/commit/d7a06ee7e571b6dad07c0f5b519b1db02e2a476c>`__
* Django 1.7 `(patch) <https://github.com/django/django/commit/bcfb47780ce7caecb409a9e9c1c314266e41d392>`__
March 9, 2015 - CVE-2015-2241
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------------------
`CVE-2015-2241 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2241&cid=2>`_:
XSS attack via properties in ``ModelAdmin.readonly_fields``.
`Full description <https://www.djangoproject.com/weblog/2015/mar/09/security-releases/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.7 `(patch) <https://github.com/django/django/commit/d16e4e1d6f95e6f46bff53cc4fd0ab398b8e5059>`__
* Django 1.8 `(patch) <https://github.com/django/django/commit/2654e1b93923bac55f12b4e66c5e39b16695ace5>`_
March 18, 2015 - CVE-2015-2316
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------
`CVE-2015-2316 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2316&cid=2>`_:
Denial-of-service possibility with ``strip_tags()``.
`Full description <https://www.djangoproject.com/weblog/2015/mar/18/security-releases/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.6 `(patch) <https://github.com/django/django/commit/b6b3cb9899214a23ebb0f4ebf0e0b300b0ee524f>`__
* Django 1.7 `(patch) <https://github.com/django/django/commit/e63363f8e075fa8d66326ad6a1cc3391cc95cd97>`__
* Django 1.8 `(patch) <https://github.com/django/django/commit/5447709a571cd5d95971f1d5d21d4a7edcf85bbd>`__
March 18, 2015 - CVE-2015-2317
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+------------------------------
`CVE-2015-2317 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2317&cid=2>`_:
Mitigated possible XSS attack via user-supplied redirect URLs.
`Full description <https://www.djangoproject.com/weblog/2015/mar/18/security-releases/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.4 `(patch) <https://github.com/django/django/commit/2342693b31f740a422abf7267c53b4e7bc487c1b>`__
* Django 1.6 `(patch) <https://github.com/django/django/commit/5510f070711540aaa8d3707776cd77494e688ef9>`__
@@ -613,59 +611,59 @@ Versions affected
* Django 1.8 `(patch) <https://github.com/django/django/commit/770427c2896a078925abfca2317486b284d22f04>`__
May 20, 2015 - CVE-2015-3982
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------
`CVE-2015-3982 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3982&cid=2>`_:
Fixed session flushing in the cached_db backend.
`Full description <https://www.djangoproject.com/weblog/2015/may/20/security-release/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.8 `(patch) <https://github.com/django/django/commit/31cb25adecba930bdeee4556709f5a1c42d88fd6>`__
July 8, 2015 - CVE-2015-5143
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------
`CVE-2015-5143 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5143&cid=2>`_:
Denial-of-service possibility by filling session store.
`Full description <https://www.djangoproject.com/weblog/2015/jul/08/security-releases/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.8 `(patch) <https://github.com/django/django/commit/66d12d1ababa8f062857ee5eb43276493720bf16>`__
* Django 1.7 `(patch) <https://github.com/django/django/commit/1828f4341ec53a8684112d24031b767eba557663>`__
* Django 1.4 `(patch) <https://github.com/django/django/commit/2e47f3e401c29bc2ba5ab794d483cb0820855fb9>`__
July 8, 2015 - CVE-2015-5144
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------
`CVE-2015-5144 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5144&cid=2>`_:
Header injection possibility since validators accept newlines in input.
`Full description <https://www.djangoproject.com/weblog/2015/jul/08/security-releases/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.8 `(patch) <https://github.com/django/django/commit/574dd5e0b0fbb877ae5827b1603d298edc9bb2a0>`__
* Django 1.7 `(patch) <https://github.com/django/django/commit/ae49b4d994656bc037513dcd064cb9ce5bb85649>`__
* Django 1.4 `(patch) <https://github.com/django/django/commit/1ba1cdce7d58e6740fe51955d945b56ae51d072a>`__
July 8, 2015 - CVE-2015-5145
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+----------------------------
`CVE-2015-5145 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5145&cid=2>`_:
Denial-of-service possibility in URL validation.
`Full description <https://www.djangoproject.com/weblog/2015/jul/08/security-releases/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.8 `(patch) <https://github.com/django/django/commit/8f9a4d3a2bc42f14bb437defd30c7315adbff22c>`__
August 18, 2015 - CVE-2015-5963/CVE-2015-5964
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------------------
`CVE-2015-5963 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5963&cid=2>`_
and
@@ -674,21 +672,21 @@ Denial-of-service possibility in ``logout()`` view by filling session store.
`Full description <https://www.djangoproject.com/weblog/2015/aug/18/security-releases/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.8 `(patch) <https://github.com/django/django/commit/2eb86b01d7b59be06076f6179a454d0fd0afaff6>`__
* Django 1.7 `(patch) <https://github.com/django/django/commit/2f5485346ee6f84b4e52068c04e043092daf55f7>`__
* Django 1.4 `(patch) <https://github.com/django/django/commit/575f59f9bc7c59a5e41a081d1f5f55fc859c5012>`__
November 24, 2015 - CVE-2015-8213
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---------------------------------
`CVE-2015-8213 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8213&cid=2>`_:
Settings leak possibility in ``date`` template filter.
`Full description <https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.8 `(patch) <https://github.com/django/django/commit/9f83fc2f66f5a0bac7c291aec55df66050bb6991>`__
* Django 1.7 `(patch) <https://github.com/django/django/commit/8a01c6b53169ee079cb21ac5919fdafcc8c5e172>`__