diff options
| author | Elif T. Kus <elifkus@gmail.com> | 2016-01-03 12:56:22 +0200 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-01-22 12:12:17 -0500 |
| commit | bca9faae95db2a92e540fbd08505c134639916fe (patch) | |
| tree | 92b34dd8ecf8cf5432c25d43292ebc83b7919350 /docs/releases | |
| parent | 79d0a4fdb0d13ba6a843dace2b90ab44e856bd85 (diff) | |
Fixed #26020 -- Normalized header stylings in docs.
Diffstat (limited to 'docs/releases')
29 files changed, 666 insertions, 668 deletions
diff --git a/docs/releases/1.1.3.txt b/docs/releases/1.1.3.txt index ffc0395199..270f495813 100644 --- a/docs/releases/1.1.3.txt +++ b/docs/releases/1.1.3.txt @@ -19,7 +19,7 @@ Backwards incompatible changes ============================== Restricted filters in admin interface -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------- The Django administrative interface, django.contrib.admin, supports filtering of displayed lists of objects by fields on the corresponding diff --git a/docs/releases/1.1.4.txt b/docs/releases/1.1.4.txt index 1d16a8cb1c..4d3544cc35 100644 --- a/docs/releases/1.1.4.txt +++ b/docs/releases/1.1.4.txt @@ -19,7 +19,7 @@ Backwards incompatible changes ============================== CSRF exception for AJAX requests -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- Django includes a CSRF-protection mechanism, which makes use of a token inserted into outgoing forms. Middleware then checks for the diff --git a/docs/releases/1.10.txt b/docs/releases/1.10.txt index 57478ee285..d0a7ba3b41 100644 --- a/docs/releases/1.10.txt +++ b/docs/releases/1.10.txt @@ -27,10 +27,10 @@ What's new in Django 1.10 ... Minor features -~~~~~~~~~~~~~~ +-------------- :mod:`django.contrib.admin` -^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~ * For sites running on a subpath, the default :attr:`URL for the "View site" link <django.contrib.admin.AdminSite.site_url>` at the top of each admin page @@ -57,12 +57,12 @@ Minor features method is now the preferred way of retrieving the change message. :mod:`django.contrib.admindocs` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * ... :mod:`django.contrib.auth` -^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~ * The default iteration count for the PBKDF2 password hasher has been increased by 25%. This backwards compatible change will not affect users who have @@ -77,12 +77,12 @@ Minor features to allow using it without credentials. :mod:`django.contrib.contenttypes` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * ... :mod:`django.contrib.gis` -^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~ * :ref:`Distance lookups <distance-lookups>` now accept expressions as the distance value parameter. @@ -122,39 +122,39 @@ Minor features <django.contrib.gis.geos.MultiLineString.closed>` properties. :mod:`django.contrib.messages` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * ... :mod:`django.contrib.postgres` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * ... :mod:`django.contrib.redirects` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * ... :mod:`django.contrib.sessions` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The :djadmin:`clearsessions` management command now removes file-based sessions. :mod:`django.contrib.sitemaps` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * ... :mod:`django.contrib.sites` -^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The :class:`~django.contrib.sites.models.Site` model now supports :ref:`natural keys <topics-serialization-natural-keys>`. :mod:`django.contrib.staticfiles` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The :ttag:`static` template tag now uses ``django.contrib.staticfiles`` if it's in ``INSTALLED_APPS``. This is especially useful for third-party apps @@ -163,61 +163,61 @@ Minor features not worry about whether or not the ``staticfiles`` app is installed. :mod:`django.contrib.syndication` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * ... Cache -^^^^^ +~~~~~ * The file-based cache backend now uses the highest pickling protocol. CSRF -^^^^ +~~~~ * The default :setting:`CSRF_FAILURE_VIEW`, ``views.csrf.csrf_failure()`` now accepts an optional ``template_name`` parameter, defaulting to ``'403_csrf.html'``, to control the template used to render the page. Database backends -^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~ * ... Email -^^^^^ +~~~~~ * ... File Storage -^^^^^^^^^^^^ +~~~~~~~~~~~~ * ... File Uploads -^^^^^^^^^^^^ +~~~~~~~~~~~~ * ... Forms -^^^^^ +~~~~~ * Form and widget ``Media`` is now served using :mod:`django.contrib.staticfiles` if installed. Generic Views -^^^^^^^^^^^^^ +~~~~~~~~~~~~~ * The :class:`~django.views.generic.base.View` class can now be imported from ``django.views``. Internationalization -^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~ * ... Management Commands -^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~ * The new :option:`check --fail-level` option allows specifying the message level that will cause the command to exit with a non-zero status. @@ -235,12 +235,12 @@ Management Commands exit, instead of opening the interactive shell. Migrations -^^^^^^^^^^ +~~~~~~~~~~ * Added support for serialization of ``enum.Enum`` objects. Models -^^^^^^ +~~~~~~ * Reverse foreign keys from proxy models are now propagated to their concrete class. The reverse relation attached by a @@ -264,7 +264,7 @@ Models may be called without any arguments to return all objects in the queryset. Requests and Responses -^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~ * Added ``request.user`` to the debug view. @@ -274,30 +274,30 @@ Requests and Responses stream-like object and allow wrapping it with :py:class:`io.TextIOWrapper`. Serialization -^^^^^^^^^^^^^ +~~~~~~~~~~~~~ * The ``django.core.serializers.json.DjangoJSONEncoder`` now knows how to serialize lazy strings, typically used for translatable content. Signals -^^^^^^^ +~~~~~~~ * ... Templates -^^^^^^^^^ +~~~~~~~~~ * Added the ``autoescape`` option to the :class:`~django.template.backends.django.DjangoTemplates` backend and the :class:`~django.template.Engine` class. Tests -^^^^^ +~~~~~ * ... URLs -^^^^ +~~~~ * An addition in :func:`django.setup()` allows URL resolving that happens outside of the request/response cycle (e.g. in management commands and @@ -305,7 +305,7 @@ URLs is set. Validators -^^^^^^^^^^ +~~~~~~~~~~ * :class:`~django.core.validators.URLValidator` now limits the length of domain name labels to 63 characters and the total length of domain @@ -323,7 +323,7 @@ Backwards incompatible changes in 1.10 may appear as a backwards incompatible change. Database backend API -~~~~~~~~~~~~~~~~~~~~ +-------------------- * ... @@ -471,7 +471,7 @@ Features deprecated in 1.10 =========================== Direct assignment to a reverse foreign key or many-to-many relation -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------------- Instead of assigning related objects using direct assignment:: @@ -486,7 +486,7 @@ added in Django 1.9:: This prevents confusion about an assignment resulting in an implicit save. :mod:`django.contrib.gis` -~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------- * The ``get_srid()`` and ``set_srid()`` methods of :class:`~django.contrib.gis.geos.GEOSGeometry` are deprecated in favor @@ -505,7 +505,7 @@ This prevents confusion about an assignment resulting in an implicit save. :attr:`~django.contrib.gis.geos.GEOSGeometry.unary_union` property. Miscellaneous -~~~~~~~~~~~~~ +------------- * The ``makemigrations --exit`` option is deprecated in favor of the :option:`makemigrations --check` option. diff --git a/docs/releases/1.2.4.txt b/docs/releases/1.2.4.txt index ae15ea6f7c..86a018a55f 100644 --- a/docs/releases/1.2.4.txt +++ b/docs/releases/1.2.4.txt @@ -19,7 +19,7 @@ Backwards incompatible changes ============================== Restricted filters in admin interface -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------- The Django administrative interface, django.contrib.admin, supports filtering of displayed lists of objects by fields on the corresponding diff --git a/docs/releases/1.2.5.txt b/docs/releases/1.2.5.txt index 5d3050a993..f5d452942d 100644 --- a/docs/releases/1.2.5.txt +++ b/docs/releases/1.2.5.txt @@ -19,7 +19,7 @@ Backwards incompatible changes ============================== CSRF exception for AJAX requests -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- Django includes a CSRF-protection mechanism, which makes use of a token inserted into outgoing forms. Middleware then checks for the @@ -68,7 +68,7 @@ documentation for your version of Django, as the exact code necessary is different for some older versions of Django. FileField no longer deletes files -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- In earlier Django versions, when a model instance containing a :class:`~django.db.models.FileField` was deleted, @@ -82,7 +82,7 @@ yourself (for instance, with a custom management command that can be run manually or scheduled to run periodically via e.g. cron). Use of custom SQL to load initial data in tests -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------- Django provides a custom SQL hooks as a way to inject hand-crafted SQL into the database synchronization process. One of the possible uses @@ -112,7 +112,7 @@ should either insert it using :ref:`test fixtures test case. ModelAdmin.lookup_allowed signature changed -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------- Django 1.2.4 introduced a method ``lookup_allowed`` on ``ModelAdmin``, to cope with a security issue (changeset `[15033] diff --git a/docs/releases/1.2.txt b/docs/releases/1.2.txt index 065764c3a3..d680c1e72b 100644 --- a/docs/releases/1.2.txt +++ b/docs/releases/1.2.txt @@ -309,7 +309,7 @@ Django's :doc:`internationalization framework </topics/i18n/index>` has been exp with locale-aware formatting and form processing. That means, if enabled, dates and numbers on templates will be displayed using the format specified for the current locale. Django will also use localized formats when parsing data in -forms. See :ref:`Format localization <format-localization>` for more details. +forms. See :doc:`/topics/i18n/formatting` for more details. ``readonly_fields`` in ``ModelAdmin`` ------------------------------------- @@ -1072,10 +1072,10 @@ to provide localizers the possibility to translate date and time formats. They were translatable :term:`translation strings <translation string>` that could be recognized because they were all upper case (for example :setting:`DATETIME_FORMAT`, :setting:`DATE_FORMAT`, :setting:`TIME_FORMAT`). -They have been deprecated in favor of the new :ref:`Format localization -<format-localization>` infrastructure that allows localizers to specify that -information in a ``formats.py`` file in the corresponding -``django/conf/locale/<locale name>/`` directory. +They have been deprecated in favor of the new :doc:`/topics/i18n/formatting` +infrastructure that allows localizers to specify that information in a +``formats.py`` file in the corresponding ``django/conf/locale/<locale name>/`` +directory. GeoDjango --------- @@ -1089,7 +1089,7 @@ following sections provide information on the most-popular APIs that were affected by these changes. ``SpatialBackend`` -^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~ Prior to the creation of the separate spatial backends, the ``django.contrib.gis.db.backend.SpatialBackend`` object was @@ -1117,7 +1117,7 @@ Would need to be changed:: PostGISAdaptor = connection.ops.Adapter ``SpatialRefSys`` and ``GeometryColumns`` models -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In previous versions of GeoDjango, :mod:`django.contrib.gis.db.models` had ``SpatialRefSys`` and ``GeometryColumns`` models for querying diff --git a/docs/releases/1.3.4.txt b/docs/releases/1.3.4.txt index 3a174b3d44..54ca809ffc 100644 --- a/docs/releases/1.3.4.txt +++ b/docs/releases/1.3.4.txt @@ -7,7 +7,7 @@ Django 1.3.4 release notes This is the fourth release in the Django 1.3 series. Host header poisoning ---------------------- +===================== Some parts of Django -- independent of end-user-written applications -- make use of full URLs, including domain name, which are generated from the HTTP Host diff --git a/docs/releases/1.3.5.txt b/docs/releases/1.3.5.txt index f71758b0a4..7e40fa3c19 100644 --- a/docs/releases/1.3.5.txt +++ b/docs/releases/1.3.5.txt @@ -14,7 +14,7 @@ the other we've chosen to take further steps to tighten up Django's code in response to independent discovery of potential problems from multiple sources. Host header poisoning ---------------------- +===================== Several earlier Django security releases focused on the issue of poisoning the HTTP Host header, causing Django to generate URLs pointing to arbitrary, @@ -35,7 +35,7 @@ Any deviation from this will now be rejected, raising the exception :exc:`django.core.exceptions.SuspiciousOperation`. Redirect poisoning ------------------- +================== Also following up on a previous issue: in July of this year, we made changes to Django's HTTP redirect classes, performing additional validation of the scheme diff --git a/docs/releases/1.3.6.txt b/docs/releases/1.3.6.txt index d55199a882..9ed92bd6c2 100644 --- a/docs/releases/1.3.6.txt +++ b/docs/releases/1.3.6.txt @@ -11,7 +11,7 @@ This is the sixth bugfix/security release in the Django 1.3 series. Host header poisoning ---------------------- +===================== Some parts of Django -- independent of end-user-written applications -- make use of full URLs, including domain name, which are generated from the HTTP Host @@ -36,7 +36,7 @@ This host validation is disabled when ``DEBUG`` is ``True`` or when running test XML deserialization -------------------- +=================== The XML parser in the Python standard library is vulnerable to a number of attacks via external entities and entity expansion. Django uses this parser for @@ -57,7 +57,7 @@ management command, you will need to ensure they do not contain a DTD. Formset memory exhaustion -------------------------- +========================= Previous versions of Django did not validate or limit the form-count data provided by the client in a formset's management form, making it possible to @@ -70,7 +70,7 @@ factory argument). Admin history view information leakage --------------------------------------- +====================================== In previous versions of Django, an admin user without change permission on a model could still view the unicode representation of instances via their admin diff --git a/docs/releases/1.3.txt b/docs/releases/1.3.txt index 9b1194820d..737bee4acb 100644 --- a/docs/releases/1.3.txt +++ b/docs/releases/1.3.txt @@ -68,7 +68,7 @@ What's new in Django 1.3 ======================== Class-based views -~~~~~~~~~~~~~~~~~ +----------------- Django 1.3 adds a framework that allows you to use a class as a view. This means you can compose a view out of a collection of methods that @@ -86,7 +86,7 @@ your function-based generic views to class-based views <https://docs.djangoproject.com/en/1.4/topics/generic-views-migration/>`_. Logging -~~~~~~~ +------- Django 1.3 adds framework-level support for Python's ``logging`` module. This means you can now easily configure and control logging @@ -97,7 +97,7 @@ handled as a logging activity. See :doc:`the documentation on Django's logging interface </topics/logging>` for more details. Extended static files handling -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------ Django 1.3 ships with a new contrib app -- ``django.contrib.staticfiles`` -- to help developers handle the static @@ -118,7 +118,7 @@ for more details or learn how to :doc:`manage static files </howto/static-files/index>`. unittest2 support -~~~~~~~~~~~~~~~~~ +----------------- Python 2.7 introduced some major changes to the ``unittest`` library, adding some extremely useful features. To ensure that every Django @@ -146,7 +146,7 @@ you just won't get any of the nice new unittest2 features. .. _unittest2: https://pypi.python.org/pypi/unittest2 Transaction context managers -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- Users of Python 2.5 and above may now use transaction management functions as `context managers`_. For example:: @@ -157,7 +157,7 @@ Users of Python 2.5 and above may now use transaction management functions as .. _context managers: https://docs.python.org/glossary.html#term-context-manager Configurable delete-cascade -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------- :class:`~django.db.models.ForeignKey` and :class:`~django.db.models.OneToOneField` now accept an @@ -170,7 +170,7 @@ For more information, see the :attr:`~django.db.models.ForeignKey.on_delete` documentation. Contextual markers and comments for translatable strings -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------------- For translation strings with ambiguous meaning, you can now use the ``pgettext`` function to specify the context of the string. @@ -182,7 +182,7 @@ For more information, see :ref:`contextual-markers` and :ref:`translator-comments`. Improvements to built-in template tags -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------- A number of improvements have been made to Django's built-in template tags: @@ -199,7 +199,7 @@ A number of improvements have been made to Django's built-in template tags: you to load a single tag or filter from a library. TemplateResponse -~~~~~~~~~~~~~~~~ +---------------- It can sometimes be beneficial to allow decorators or middleware to modify a response *after* it has been constructed by the view. For @@ -220,7 +220,7 @@ For more details, see the :doc:`documentation </ref/template-response>` on the :class:`~django.template.response.TemplateResponse` class. Caching changes -~~~~~~~~~~~~~~~ +--------------- Django 1.3 sees the introduction of several improvements to the Django's caching infrastructure. @@ -247,7 +247,7 @@ caching in Django</topics/cache>`. .. _pylibmc: http://sendapatch.se/projects/pylibmc/ Permissions for inactive users -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------ If you provide a custom auth backend with ``supports_inactive_user`` set to ``True``, an inactive ``User`` instance will check the backend @@ -256,14 +256,14 @@ permission handling. See the :doc:`authentication docs </topics/auth/index>` for more details. GeoDjango -~~~~~~~~~ +--------- The GeoDjango test suite is now included when :ref:`running the Django test suite <running-unit-tests>` with ``runtests.py`` when using :ref:`spatial database backends <spatial-backends>`. :setting:`MEDIA_URL` and :setting:`STATIC_URL` must end in a slash -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------------ Previously, the :setting:`MEDIA_URL` setting only required a trailing slash if it contained a suffix beyond the domain name. @@ -279,7 +279,7 @@ In Django 1.4 this same condition will raise ``DeprecationWarning``, and in Django 1.5 will raise an ``ImproperlyConfigured`` exception. Everything else -~~~~~~~~~~~~~~~ +--------------- Django :doc:`1.1 <1.1>` and :doc:`1.2 <1.2>` added lots of big ticket items to Django, like multiple-database support, @@ -335,7 +335,7 @@ Backwards-incompatible changes in 1.3 ===================================== CSRF validation now applies to AJAX requests -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------- Prior to Django 1.2.5, Django's CSRF-prevention system exempted AJAX requests from CSRF verification; due to `security issues`_ reported to @@ -347,7 +347,7 @@ AJAX requests. .. _security issues: https://www.djangoproject.com/weblog/2011/feb/08/security/ Restricted filters in admin interface -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------- Prior to Django 1.2.5, the Django administrative interface allowed filtering on any model field or relation -- not just those specified @@ -357,7 +357,7 @@ admin must be for fields or relations specified in ``list_filter`` or ``date_hierarchy``. Deleting a model doesn't delete associated files -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------ In earlier Django versions, when a model instance containing a :class:`~django.db.models.FileField` was deleted, @@ -371,7 +371,7 @@ instance, with a custom management command that can be run manually or scheduled to run periodically via e.g. cron). PasswordInput default rendering behavior -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------- The :class:`~django.forms.PasswordInput` form widget, intended for use with form fields which represent passwords, accepts a boolean keyword @@ -394,7 +394,7 @@ explicitly indicate this. For example:: password = forms.CharField(widget=forms.PasswordInput(render_value=True)) Clearable default widget for FileField -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------- Django 1.3 now includes a :class:`~django.forms.ClearableFileInput` form widget in addition to :class:`~django.forms.FileInput`. ``ClearableFileInput`` renders @@ -420,7 +420,7 @@ To return to the previous rendering (without the ability to clear the widgets = {'document': forms.FileInput} New index on database session table -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------- Prior to Django 1.3, the database table used by the database backend for the :doc:`sessions </topics/http/sessions>` app had no index on @@ -437,7 +437,7 @@ index can be found by running the ``sqlindexes`` admin command:: python manage.py sqlindexes sessions No more naughty words -~~~~~~~~~~~~~~~~~~~~~ +--------------------- Django has historically provided (and enforced) a list of profanities. The comments app has enforced this list of profanities, preventing people from @@ -462,7 +462,7 @@ problem. .. _commit that implemented this change: https://code.djangoproject.com/changeset/13996 Localflavor changes -~~~~~~~~~~~~~~~~~~~ +------------------- Django 1.3 introduces the following backwards-incompatible changes to local flavors: @@ -482,7 +482,7 @@ local flavors: ``USStateField`` not including them. FormSet updates -~~~~~~~~~~~~~~~ +--------------- In Django 1.3 ``FormSet`` creation behavior is modified slightly. Historically the class didn't make a distinction between not being passed data and being @@ -511,7 +511,7 @@ if you need to instantiate an empty ``FormSet``, don't pass in the data or use >>> formset = ArticleFormSet(data=None) Callables in templates -~~~~~~~~~~~~~~~~~~~~~~ +---------------------- Previously, a callable in a template would only be called automatically as part of the variable resolution process if it was retrieved via attribute @@ -529,7 +529,7 @@ designed for web designers, and was never deliberately supported, it is possible that some templates may be broken by this change. Use of custom SQL to load initial data in tests -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------- Django provides a custom SQL hooks as a way to inject hand-crafted SQL into the database synchronization process. One of the possible uses @@ -559,7 +559,7 @@ should either insert it using :ref:`test fixtures test case. Changed priority of translation loading -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------- Work has been done to simplify, rationalize and properly document the algorithm used by Django at runtime to build translations from the different translations @@ -605,7 +605,7 @@ domain): .. _corresponding deprecated features section: loading_of_project_level_translations_ Transaction management -~~~~~~~~~~~~~~~~~~~~~~ +---------------------- When using managed transactions -- that is, anything but the default autocommit mode -- it is important when a transaction is marked as @@ -639,14 +639,14 @@ the read operation that retrieves the ``MyObject`` instance leaves the transaction in a dirty state. No password reset for inactive users -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------ Prior to Django 1.3, inactive users were able to request a password reset email and reset their password. In Django 1.3 inactive users will receive the same message as a nonexistent account. Password reset view now accepts ``from_email`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------- The :func:`django.contrib.auth.views.password_reset` view now accepts a ``from_email`` parameter, which is passed to the ``password_reset_form``’s @@ -679,7 +679,7 @@ be removed entirely. </internals/deprecation>`. ``mod_python`` support -~~~~~~~~~~~~~~~~~~~~~~ +---------------------- The ``mod_python`` library has not had a release since 2007 or a commit since 2008. The Apache Foundation board voted to remove ``mod_python`` from the set @@ -694,7 +694,7 @@ recommended by the Django project, but FastCGI is also supported. Support for ``mod_python`` deployment will be removed in Django 1.5. Function-based generic views -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- As a result of the introduction of class-based generic views, the function-based generic views provided by Django have been deprecated. @@ -706,7 +706,7 @@ The following modules and the views they contain have been deprecated: * ``django.views.generic.simple`` Test client response ``template`` attribute -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------- Django's :ref:`test client <test-client>` returns :class:`~django.test.Response` objects annotated with extra testing @@ -722,7 +722,7 @@ In Django 1.3 the ``template`` attribute is deprecated in favor of a new list, even if it has only a single element or no elements. ``DjangoTestRunner`` -~~~~~~~~~~~~~~~~~~~~ +-------------------- As a result of the introduction of support for unittest2, the features of ``django.test.simple.DjangoTestRunner`` (including fail-fast @@ -731,7 +731,7 @@ redundancy, ``DjangoTestRunner`` has been turned into an empty placeholder class, and will be removed entirely in Django 1.5. Changes to ``url`` and ``ssi`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------ Most template tags will allow you to pass in either constants or variables as arguments -- for example:: @@ -771,7 +771,7 @@ templates should be modified to use the new ``future`` libraries and syntax. Changes to the login methods of the admin -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------- In previous version the admin app defined login methods in multiple locations and ignored the almost identical implementation in the already used auth app. @@ -788,7 +788,7 @@ attribute. .. _r12634: https://code.djangoproject.com/changeset/12634 ``reset`` and ``sqlreset`` management commands -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------- Those commands have been deprecated. The ``flush`` and ``sqlflush`` commands can be used to delete everything. You can also use ALTER TABLE or DROP TABLE @@ -796,7 +796,7 @@ statements manually. GeoDjango -~~~~~~~~~ +--------- * The function-based :setting:`TEST_RUNNER` previously used to execute the GeoDjango test suite, ``django.contrib.gis.tests.run_gis_tests``, was @@ -812,7 +812,7 @@ GeoDjango called when the SRID of the geometry is less than 0 or ``None``. ``CZBirthNumberField.clean`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- Previously this field's ``clean()`` method accepted a second, gender, argument which allowed stronger validation checks to be made, however since this @@ -820,7 +820,7 @@ argument could never actually be passed from the Django form machinery it is now pending deprecation. ``CompatCookie`` -~~~~~~~~~~~~~~~~ +---------------- Previously, ``django.http`` exposed an undocumented ``CompatCookie`` class, which was a bugfix wrapper around the standard library ``SimpleCookie``. As the @@ -830,7 +830,7 @@ django.http import SimpleCookie`` instead. .. _loading_of_project_level_translations: Loading of *project-level* translations -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------- This release of Django starts the deprecation process for inclusion of translations located under the so-called *project path* in the translation @@ -865,7 +865,7 @@ Rationale for this decision: inconsistency. ``PermWrapper`` moved to ``django.contrib.auth.context_processors`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------------- In Django 1.2, we began the process of changing the location of the ``auth`` context processor from ``django.core.context_processors`` to @@ -877,7 +877,7 @@ moved to ``django.contrib.auth.context_processors``, along with the identical to their old versions; only the module location has changed. Removal of ``XMLField`` -~~~~~~~~~~~~~~~~~~~~~~~ +----------------------- When Django was first released, Django included an ``XMLField`` that performed automatic XML validation for any field input. However, this validation function diff --git a/docs/releases/1.4.10.txt b/docs/releases/1.4.10.txt index 7477ee5e41..323cdea3a7 100644 --- a/docs/releases/1.4.10.txt +++ b/docs/releases/1.4.10.txt @@ -7,7 +7,7 @@ Django 1.4.10 release notes Django 1.4.10 fixes a Python-compatibility bug in the 1.4 series. Python compatibility --------------------- +==================== Django 1.4.9 inadvertently introduced issues with Python 2.5 compatibility. Django 1.4.10 restores Python 2.5 compatibility. This was issue #21362 in diff --git a/docs/releases/1.4.2.txt b/docs/releases/1.4.2.txt index a6150f56c3..0f9d18744d 100644 --- a/docs/releases/1.4.2.txt +++ b/docs/releases/1.4.2.txt @@ -7,7 +7,7 @@ Django 1.4.2 release notes This is the second security release in the Django 1.4 series. Host header poisoning ---------------------- +===================== Some parts of Django -- independent of end-user-written applications -- make use of full URLs, including domain name, which are generated from the HTTP Host diff --git a/docs/releases/1.4.3.txt b/docs/releases/1.4.3.txt index f26bbe9214..8bf4b2fa79 100644 --- a/docs/releases/1.4.3.txt +++ b/docs/releases/1.4.3.txt @@ -14,7 +14,7 @@ the other we've chosen to take further steps to tighten up Django's code in response to independent discovery of potential problems from multiple sources. Host header poisoning ---------------------- +===================== Several earlier Django security releases focused on the issue of poisoning the HTTP Host header, causing Django to generate URLs pointing to arbitrary, @@ -35,7 +35,7 @@ Any deviation from this will now be rejected, raising the exception :exc:`django.core.exceptions.SuspiciousOperation`. Redirect poisoning ------------------- +================== Also following up on a previous issue: in July of this year, we made changes to Django's HTTP redirect classes, performing additional validation of the scheme diff --git a/docs/releases/1.4.4.txt b/docs/releases/1.4.4.txt index e501e4479a..c15c0e14c3 100644 --- a/docs/releases/1.4.4.txt +++ b/docs/releases/1.4.4.txt @@ -12,7 +12,7 @@ This is the fourth bugfix/security release in the Django 1.4 series. Host header poisoning ---------------------- +===================== Some parts of Django -- independent of end-user-written applications -- make use of full URLs, including domain name, which are generated from the HTTP Host @@ -37,7 +37,7 @@ This host validation is disabled when ``DEBUG`` is ``True`` or when running test XML deserialization -------------------- +=================== The XML parser in the Python standard library is vulnerable to a number of attacks via external entities and entity expansion. Django uses this parser for @@ -58,7 +58,7 @@ management command, you will need to ensure they do not contain a DTD. Formset memory exhaustion -------------------------- +========================= Previous versions of Django did not validate or limit the form-count data provided by the client in a formset's management form, making it possible to @@ -71,7 +71,7 @@ factory argument). Admin history view information leakage --------------------------------------- +====================================== In previous versions of Django, an admin user without change permission on a model could still view the unicode representation of instances via their admin diff --git a/docs/releases/1.4.6.txt b/docs/releases/1.4.6.txt index 9aaecb5241..39dc6f8dca 100644 --- a/docs/releases/1.4.6.txt +++ b/docs/releases/1.4.6.txt @@ -10,7 +10,7 @@ the 1.4 series, as well as one other bug. This is the sixth bugfix/security release in the Django 1.4 series. Mitigated possible XSS attack via user-supplied redirect URLs -------------------------------------------------------------- +============================================================= Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and diff --git a/docs/releases/1.4.7.txt b/docs/releases/1.4.7.txt index c50d938bc4..de5c679c81 100644 --- a/docs/releases/1.4.7.txt +++ b/docs/releases/1.4.7.txt @@ -8,7 +8,7 @@ Django 1.4.7 fixes one security issue present in previous Django releases in the 1.4 series. Directory traversal vulnerability in ``ssi`` template tag ---------------------------------------------------------- +========================================================= In previous versions of Django it was possible to bypass the ``ALLOWED_INCLUDE_ROOTS`` setting used for security with the ``ssi`` diff --git a/docs/releases/1.4.8.txt b/docs/releases/1.4.8.txt index 08dca4065e..40103d6086 100644 --- a/docs/releases/1.4.8.txt +++ b/docs/releases/1.4.8.txt @@ -8,7 +8,7 @@ Django 1.4.8 fixes two security issues present in previous Django releases in the 1.4 series. Denial-of-service via password hashers --------------------------------------- +====================================== In previous versions of Django, no limit was imposed on the plaintext length of a password. This allowed a denial-of-service attack through @@ -21,7 +21,7 @@ limit on passwords and will fail authentication with any submitted password of greater length. Corrected usage of :func:`~django.views.decorators.debug.sensitive_post_parameters` in :mod:`django.contrib.auth`’s admin -------------------------------------------------------------------------------------------------------------------------- +========================================================================================================================= The decoration of the ``add_view`` and ``user_change_password`` user admin views with :func:`~django.views.decorators.debug.sensitive_post_parameters` diff --git a/docs/releases/1.4.9.txt b/docs/releases/1.4.9.txt index 7fc4ecbbca..f582adec5c 100644 --- a/docs/releases/1.4.9.txt +++ b/docs/releases/1.4.9.txt @@ -8,7 +8,7 @@ Django 1.4.9 fixes a security-related bug in the 1.4 series and one other data corruption bug. Readdressed denial-of-service via password hashers --------------------------------------------------- +================================================== Django 1.4.8 imposes a 4096-byte limit on passwords in order to mitigate a denial-of-service attack through submission of bogus but extremely large diff --git a/docs/releases/1.4.txt b/docs/releases/1.4.txt index 0aedf23ede..4f802d55c6 100644 --- a/docs/releases/1.4.txt +++ b/docs/releases/1.4.txt @@ -81,7 +81,7 @@ What's new in Django 1.4 ======================== Support for time zones -~~~~~~~~~~~~~~~~~~~~~~ +---------------------- In previous versions, Django used "naive" date/times (that is, date/times without an associated time zone), leaving it up to each developer to interpret @@ -108,7 +108,7 @@ project, read the :ref:`migration guide <time-zones-migration-guide>`. If you encounter problems, there's a helpful :ref:`FAQ <time-zones-faq>`. Support for in-browser testing frameworks -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------- Django 1.4 supports integration with in-browser testing frameworks like Selenium_. The new :class:`django.test.LiveServerTestCase` base class lets you @@ -120,7 +120,7 @@ concrete examples. .. _Selenium: http://seleniumhq.org/ Updated default project layout and ``manage.py`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------ Django 1.4 ships with an updated default project layout and ``manage.py`` file for the :djadmin:`startproject` management command. These fix some issues with @@ -186,7 +186,7 @@ prefix, some places without it), the imports will need to be cleaned up when switching to the new ``manage.py``. Custom project and app templates -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- The :djadmin:`startapp` and :djadmin:`startproject` management commands now have a ``--template`` option for specifying a path or URL to a custom app @@ -207,7 +207,7 @@ For more information, see the :djadmin:`startapp` and :djadmin:`startproject` documentation. Improved WSGI support -~~~~~~~~~~~~~~~~~~~~~ +--------------------- The :djadmin:`startproject` management command now adds a :file:`wsgi.py` module to the initial project layout, containing a simple WSGI application that @@ -224,7 +224,7 @@ with the same WSGI configuration that is used for deployment. The new callable configured via :setting:`WSGI_APPLICATION`.) ``SELECT FOR UPDATE`` support -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------- Django 1.4 includes a :meth:`QuerySet.select_for_update() <django.db.models.query.QuerySet.select_for_update>` method, which generates a @@ -236,7 +236,7 @@ For more details, see the documentation for :meth:`~django.db.models.query.QuerySet.select_for_update`. ``Model.objects.bulk_create`` in the ORM -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------- This method lets you create multiple objects more efficiently. It can result in significant performance increases if you have many objects. @@ -248,7 +248,7 @@ See the :meth:`~django.db.models.query.QuerySet.bulk_create` docs for more information. ``QuerySet.prefetch_related`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------- Similar to :meth:`~django.db.models.query.QuerySet.select_related` but with a different strategy and broader scope, @@ -263,7 +263,7 @@ doing O(n) database queries (or worse) if objects on your primary ``QuerySet`` each have many related objects that you also need to fetch. Improved password hashing -~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------- Django's auth system (``django.contrib.auth``) stores passwords using a one-way algorithm. Django 1.3 uses the SHA1_ algorithm, but increasing processor speeds @@ -279,7 +279,7 @@ details, see :ref:`auth_password_storage`. .. _bcrypt: https://en.wikipedia.org/wiki/Bcrypt HTML5 doctype -~~~~~~~~~~~~~ +------------- We've switched the admin and other bundled templates to use the HTML5 doctype. While Django will be careful to maintain compatibility with older @@ -288,7 +288,7 @@ admin pages without having to lose HTML validity or override the provided templates to change the doctype. List filters in admin interface -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- Prior to Django 1.4, the :mod:`~django.contrib.admin` app let you specify change list filters by specifying a field lookup, but it didn't allow you to @@ -297,7 +297,7 @@ used internally and known as "FilterSpec"). For more details, see the documentation for :attr:`~django.contrib.admin.ModelAdmin.list_filter`. Multiple sort in admin interface -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- The admin change list now supports sorting on multiple columns. It respects all elements of the :attr:`~django.contrib.admin.ModelAdmin.ordering` attribute, and @@ -307,7 +307,7 @@ behavior of desktop GUIs. We also added a ordering dynamically (i.e., depending on the request). New ``ModelAdmin`` methods -~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------- We added a :meth:`~django.contrib.admin.ModelAdmin.save_related` method to :mod:`~django.contrib.admin.ModelAdmin` to ease customization of how @@ -320,7 +320,7 @@ enable dynamic customization of fields and links displayed on the admin change list. Admin inlines respect user permissions -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------- Admin inlines now only allow those actions for which the user has permission. For ``ManyToMany`` relationships with an auto-created intermediate @@ -329,7 +329,7 @@ related model determines if the user has the permission to add, change or delete relationships. Tools for cryptographic signing -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- Django 1.4 adds both a low-level API for signing values and a high-level API for setting and reading signed cookies, one of the most common uses of @@ -339,7 +339,7 @@ See the :doc:`cryptographic signing </topics/signing>` docs for more information. Cookie-based session backend -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- Django 1.4 introduces a cookie-based session backend that uses the tools for :doc:`cryptographic signing </topics/signing>` to store the session data in @@ -356,7 +356,7 @@ See the :ref:`cookie-based session backend <cookie-session-backend>` docs for more information. New form wizard -~~~~~~~~~~~~~~~ +--------------- The previous ``FormWizard`` from ``django.contrib.formtools`` has been replaced with a new implementation based on the class-based views @@ -369,13 +369,13 @@ storage backend. The latter uses the tools for Django 1.4 to store the wizard's state in the user's cookies. ``reverse_lazy`` -~~~~~~~~~~~~~~~~ +---------------- A lazily evaluated version of ``reverse()`` was added to allow using URL reversals before the project's URLconf gets loaded. Translating URL patterns -~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------ Django can now look for a language prefix in the URLpattern when using the new :func:`~django.conf.urls.i18n.i18n_patterns` helper function. @@ -385,7 +385,7 @@ It's also now possible to define translatable URL patterns using and how to internationalize URL patterns. Contextual translation support for ``{% trans %}`` and ``{% blocktrans %}`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------------------------- The :ref:`contextual translation<contextual-markers>` support introduced in Django 1.3 via the ``pgettext`` function has been extended to the @@ -393,7 +393,7 @@ Django 1.3 via the ``pgettext`` function has been extended to the keyword. Customizable ``SingleObjectMixin`` URLConf kwargs -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------- Two new attributes, :attr:`pk_url_kwarg<django.views.generic.detail.SingleObjectMixin.pk_url_kwarg>` @@ -404,14 +404,14 @@ enable the customization of URLconf keyword arguments used for single object generic views. Assignment template tags -~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------ A new ``assignment_tag`` helper function was added to ``template.Library`` to ease the creation of template tags that store data in a specified context variable. ``*args`` and ``**kwargs`` support for template tag helper functions -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------------------------- The :ref:`simple_tag<howto-custom-template-tags-simple-tags>`, :ref:`inclusion_tag <howto-custom-template-tags-inclusion-tags>` and newly @@ -433,7 +433,7 @@ For example: {% my_tag 123 "abcd" book.title warning=message|lower profile=user.profile %} No wrapping of exceptions in ``TEMPLATE_DEBUG`` mode -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------------- In previous versions of Django, whenever the ``TEMPLATE_DEBUG`` setting was ``True``, any exception raised during template rendering (even exceptions @@ -448,7 +448,7 @@ exceptions from template rendering is now consistent regardless of the value of ``TemplateSyntaxError`` in order to catch other errors. ``truncatechars`` template filter -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- This new filter truncates a string to be no longer than the specified number of characters. Truncated strings end with a translatable ellipsis @@ -456,7 +456,7 @@ sequence ("..."). See the documentation for :tfilter:`truncatechars` for more details. ``static`` template tag -~~~~~~~~~~~~~~~~~~~~~~~ +----------------------- The :mod:`staticfiles<django.contrib.staticfiles>` contrib app has a new ``static`` template tag to refer to files saved with the @@ -465,7 +465,7 @@ The :mod:`staticfiles<django.contrib.staticfiles>` contrib app has a new files from a cloud service<staticfiles-from-cdn>`. ``CachedStaticFilesStorage`` storage backend -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------- The :mod:`staticfiles<django.contrib.staticfiles>` contrib app now has a :class:`~django.contrib.staticfiles.storage.CachedStaticFilesStorage` backend @@ -478,7 +478,7 @@ See the :class:`~django.contrib.staticfiles.storage.CachedStaticFilesStorage` docs for more information. Simple clickjacking protection -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------ We've added a middleware to provide easy protection against `clickjacking <https://en.wikipedia.org/wiki/Clickjacking>`_ using the ``X-Frame-Options`` @@ -487,7 +487,7 @@ you'll almost certainly want to :doc:`enable it </ref/clickjacking/>` to help plug that security hole for browsers that support the header. CSRF improvements -~~~~~~~~~~~~~~~~~ +----------------- We've made various improvements to our CSRF features, including the :func:`~django.views.decorators.csrf.ensure_csrf_cookie` decorator, which can @@ -497,7 +497,7 @@ improve the security and usefulness of CSRF protection. See the :doc:`CSRF docs </ref/csrf>` for more information. Error report filtering -~~~~~~~~~~~~~~~~~~~~~~ +---------------------- We added two function decorators, :func:`~django.views.decorators.debug.sensitive_variables` and @@ -516,7 +516,7 @@ filter<custom-error-reports>`. For more information see the docs on :ref:`Filtering error reports<filtering-error-reports>`. Extended IPv6 support -~~~~~~~~~~~~~~~~~~~~~ +--------------------- Django 1.4 can now better handle IPv6 addresses with the new :class:`~django.db.models.GenericIPAddressField` model field, @@ -525,7 +525,7 @@ the validators :data:`~django.core.validators.validate_ipv46_address` and :data:`~django.core.validators.validate_ipv6_address`. HTML comparisons in tests -~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------- The base classes in :mod:`django.test` now have some helpers to compare HTML without tripping over irrelevant differences in whitespace, @@ -540,10 +540,10 @@ client's response contains a given HTML fragment. See the :ref:`assertions documentation <assertions>` for more. Two new date format strings -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------- Two new :tfilter:`date` formats were added for use in template filters, -template tags and :ref:`format-localization`: +template tags and :doc:`/topics/i18n/formatting`: - ``e`` -- the name of the timezone of the given datetime object - ``o`` -- the ISO 8601 year number @@ -562,7 +562,7 @@ But now it needs to also escape ``e`` and ``o``:: For more information, see the :tfilter:`date` documentation. Minor features -~~~~~~~~~~~~~~ +-------------- Django 1.4 also includes several smaller improvements worth noting: @@ -666,7 +666,7 @@ Backwards incompatible changes in 1.4 ===================================== SECRET_KEY setting is required -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------ Running Django with an empty or known :setting:`SECRET_KEY` disables many of Django's security protections and can lead to remote-code-execution @@ -680,7 +680,7 @@ due to the severity of the consequences of running Django with no :setting:`SECRET_KEY`. django.contrib.admin -~~~~~~~~~~~~~~~~~~~~ +-------------------- The included administration app ``django.contrib.admin`` has for a long time shipped with a default set of static files such as JavaScript, images and @@ -715,7 +715,7 @@ If your ``ADMIN_MEDIA_PREFIX`` is set to an specific domain (e.g. :file:`django/contrib/admin/static/admin/`. Supported browsers for the admin -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- Django hasn't had a clear policy on which browsers are supported by the admin app. Our new policy formalizes existing practices: `YUI's A-grade`_ @@ -733,7 +733,7 @@ any range of browsers. .. _YUI's A-grade: http://yuilibrary.com/yui/docs/tutorials/gbs/ Removed admin icons -~~~~~~~~~~~~~~~~~~~ +------------------- As part of an effort to improve the performance and usability of the admin's change-list sorting interface and :attr:`horizontal @@ -751,7 +751,7 @@ If you used those icons to customize the admin, then you'll need to replace them with your own icons or get the files from a previous release. CSS class names in admin forms -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------ To avoid conflicts with other common CSS class names (e.g. "button"), we added a prefix ("field-") to all CSS class names automatically generated from the @@ -761,7 +761,7 @@ style sheets or JavaScript files if you previously used plain field names as selectors for custom styles or JavaScript transformations. Compatibility with old signed data -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------- Django 1.3 changed the cryptographic signing mechanisms used in a number of places in Django. While Django 1.3 kept fallbacks that would accept hashes @@ -831,7 +831,7 @@ instance: password hashes. django.contrib.flatpages -~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------ Starting in 1.4, the :class:`~django.contrib.flatpages.middleware.FlatpageFallbackMiddleware` only @@ -845,7 +845,7 @@ Also, redirects returned by flatpages are now permanent (with 301 status code), to match the behavior of :class:`~django.middleware.common.CommonMiddleware`. Serialization of :class:`~datetime.datetime` and :class:`~datetime.time` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------------------ As a consequence of time-zone support, and according to the ECMA-262 specification, we made changes to the JSON serializer: @@ -865,7 +865,7 @@ Though the serializers now use these new formats when creating fixtures, they can still load fixtures that use the old format. ``supports_timezone`` changed to ``False`` for SQLite -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------------- The database feature ``supports_timezone`` used to be ``True`` for SQLite. Indeed, if you saved an aware datetime object, SQLite stored a string that @@ -878,7 +878,7 @@ datetimes are now stored without time-zone information in SQLite. When object, Django raises an exception. ``MySQLdb``-specific exceptions -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- The MySQL backend historically has raised ``MySQLdb.OperationalError`` when a query triggered an exception. We've fixed this bug, and we now raise @@ -887,7 +887,7 @@ when a query triggered an exception. We've fixed this bug, and we now raise clauses. Database connection's thread-locality -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------- ``DatabaseWrapper`` objects (i.e. the connection objects referenced by ``django.db.connection`` and ``django.db.connections["some_alias"]``) used to @@ -913,7 +913,7 @@ Concurrency behavior is defined by the underlying backend implementation. Check their documentation for details. `COMMENTS_BANNED_USERS_GROUP` setting -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------- Django's comments has historically supported excluding the comments of a special user group, but we've never @@ -950,7 +950,7 @@ Save this model manager in your custom comment app (e.g., in objects = BanningCommentManager() `IGNORABLE_404_STARTS` and `IGNORABLE_404_ENDS` settings -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------------- Until Django 1.3, it was possible to exclude some URLs from Django's :doc:`404 error reporting</howto/error-reporting>` by adding prefixes to @@ -988,7 +988,7 @@ Don't forget to escape characters that have a special meaning in a regular expression, such as periods. CSRF protection extended to PUT and DELETE -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------ Previously, Django's :doc:`CSRF protection </ref/csrf/>` provided protection only against POST requests. Since use of PUT and DELETE methods in @@ -1000,7 +1000,7 @@ If you're using PUT or DELETE methods in AJAX applications, please see the :ref:`instructions about using AJAX and CSRF <csrf-ajax>`. Password reset view now accepts ``subject_template_name`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------- The ``password_reset`` view in ``django.contrib.auth`` now accepts a ``subject_template_name`` parameter, which is passed to the password save form @@ -1009,21 +1009,21 @@ form, then you will need to ensure your form's ``save()`` method accepts this keyword argument. ``django.core.template_loaders`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- This was an alias to ``django.template.loader`` since 2005, and we've removed it without emitting a warning due to the length of the deprecation. If your code still referenced this, please use ``django.template.loader`` instead. ``django.db.models.fields.URLField.verify_exists`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------- This functionality has been removed due to intractable performance and security issues. Any existing usage of ``verify_exists`` should be removed. ``django.core.files.storage.Storage.open`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------ The ``open`` method of the base Storage class used to take an obscure parameter ``mixin`` that allowed you to dynamically change the base classes of the @@ -1049,7 +1049,7 @@ method, like this:: return Spam(open(self.path(name), mode)) YAML deserializer now uses ``yaml.safe_load`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------- ``yaml.load`` is able to construct any Python object, which may trigger arbitrary code execution if you process a YAML document that comes from an @@ -1059,7 +1059,7 @@ fixtures are trusted data, the YAML deserializer now uses ``yaml.safe_load`` for additional security. Session cookies now have the ``httponly`` flag by default -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------- Session cookies now include the ``httponly`` attribute by default to help reduce the impact of potential XSS attacks. As a consequence of @@ -1069,7 +1069,7 @@ compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file. The :tfilter:`urlize` filter no longer escapes every URL -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------------- When a URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal digits, :tfilter:`urlize` now assumes that the URL is already escaped and @@ -1078,7 +1078,7 @@ contains a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild, because they would confuse browsers too. ``assertTemplateUsed`` and ``assertTemplateNotUsed`` as context manager -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------------------------------- It's now possible to check whether a template was used within a block of code with :meth:`~django.test.SimpleTestCase.assertTemplateUsed` and @@ -1093,7 +1093,7 @@ can be used as a context manager:: See the :ref:`assertion documentation<assertions>` for more. Database connections after running the test suite -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------- The default test runner no longer restores the database connections after tests' execution. This prevents the production database from being exposed to @@ -1106,7 +1106,7 @@ subclassing ``DjangoTestRunner`` and overriding its ``teardown_databases()`` method. Output of :djadmin:`manage.py help <help>` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------ :djadmin:`manage.py help <help>` now groups available commands by application. If you depended on the output of this command -- if you parsed it, for example @@ -1115,7 +1115,7 @@ management commands in a script, use :djadmin:`manage.py help --commands <help>` instead. ``extends`` template tag -~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------ Previously, the :ttag:`extends` tag used a buggy method of parsing arguments, which could lead to it erroneously considering an argument as a string literal @@ -1126,7 +1126,7 @@ interests of full disclosure, the ``ExtendsNode.__init__`` definition has changed, which may break any custom tags that use this class. Loading some incomplete fixtures no longer works -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------ Prior to 1.4, a default value was inserted for fixture objects that were missing a specific date or datetime value when auto_now or auto_now_add was set for the @@ -1135,7 +1135,7 @@ incomplete fixtures will fail. Because fixtures are a raw import, they should explicitly specify all field values, regardless of field options on the model. Development Server Multithreading -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- The development server is now is multithreaded by default. Use the :option:`runserver --nothreading` option to disable the use of threading in the @@ -1144,7 +1144,7 @@ development server:: django-admin.py runserver --nothreading Attributes disabled in markdown when safe mode set -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------- Prior to Django 1.4, attributes were included in any markdown output regardless of safe mode setting of the filter. With version > 2.1 of the Python-Markdown @@ -1155,7 +1155,7 @@ Python-Markdown library less than 2.1, a warning is issued that the output is insecure. FormMixin get_initial returns an instance-specific dictionary -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------- In Django 1.3, the ``get_initial`` method of the :class:`django.views.generic.edit.FormMixin` class was returning the @@ -1169,14 +1169,14 @@ Features deprecated in 1.4 ========================== Old styles of calling ``cache_page`` decorator -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------- Some legacy ways of calling :func:`~django.views.decorators.cache.cache_page` have been deprecated. Please see the documentation for the correct way to use this decorator. Support for PostgreSQL versions older than 8.2 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------- Django 1.3 dropped support for PostgreSQL versions older than 8.0, and we suggested using a more recent version because of performance improvements @@ -1187,7 +1187,7 @@ Django 1.4 takes that policy further and sets 8.2 as the minimum PostgreSQL version it officially supports. Request exceptions are now always logged -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------- When we added :doc:`logging support </topics/logging/>` in Django in 1.3, the admin error email support was moved into the @@ -1227,7 +1227,7 @@ The existence of any ``'filters'`` key under the ``'mail_admins'`` handler will disable this backward-compatibility shim and deprecation warning. ``django.conf.urls.defaults`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------- Until Django 1.3, the functions :func:`~django.conf.urls.include`, ``patterns()`` and :func:`~django.conf.urls.url` plus @@ -1237,7 +1237,7 @@ were located in a ``django.conf.urls.defaults`` module. In Django 1.4, they live in :mod:`django.conf.urls`. ``django.contrib.databrowse`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------- Databrowse has not seen active development for some time, and this does not show any sign of changing. There had been a suggestion for a `GSOC project`_ to @@ -1252,7 +1252,7 @@ itself, so it's available to be adopted by an individual or group as a third-party project. ``django.core.management.setup_environ`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------- This function temporarily modified ``sys.path`` in order to make the parent "project" directory importable under the old flat :djadmin:`startproject` @@ -1265,7 +1265,7 @@ These uses should be replaced by setting the ``DJANGO_SETTINGS_MODULE`` environment variable or using :func:`django.conf.settings.configure`. ``django.core.management.execute_manager`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------ This function was previously used by ``manage.py`` to execute a management command. It is identical to @@ -1276,7 +1276,7 @@ of these functions is documented as part of the public API, but a deprecation path is needed due to use in existing ``manage.py`` files. ``is_safe`` and ``needs_autoescape`` attributes of template filters -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------------- Two flags, ``is_safe`` and ``needs_autoescape``, define how each template filter interacts with Django's auto-escaping behavior. They used to be attributes of @@ -1299,7 +1299,7 @@ Now, the flags are keyword arguments of :meth:`@register.filter See :ref:`filters and auto-escaping <filters-auto-escaping>` for more information. Wildcard expansion of application names in `INSTALLED_APPS` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------------------- Until Django 1.3, :setting:`INSTALLED_APPS` accepted wildcards in application names, like ``django.contrib.*``. The expansion was performed by a @@ -1313,14 +1313,14 @@ settings file to list all your applications explicitly. .. _this can't be done reliably: https://docs.python.org/tutorial/modules.html#importing-from-a-package ``HttpRequest.raw_post_data`` renamed to ``HttpRequest.body`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------- This attribute was confusingly named ``HttpRequest.raw_post_data``, but it actually provided the body of the HTTP request. It's been renamed to ``HttpRequest.body``, and ``HttpRequest.raw_post_data`` has been deprecated. ``django.contrib.sitemaps`` bug fix with potential performance implications -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------------------------- In previous versions, ``Paginator`` objects used in sitemap classes were cached, which could result in stale site maps. We've removed the caching, so @@ -1332,7 +1332,7 @@ To mitigate the performance impact, consider using the :doc:`caching framework </topics/cache>` within your ``Sitemap`` subclass. Versions of Python-Markdown earlier than 2.1 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------- Versions of Python-Markdown earlier than 2.1 do not support the option to disable attributes. As a security issue, earlier versions of this library will diff --git a/docs/releases/1.5.2.txt b/docs/releases/1.5.2.txt index 1e6a448948..22a415274a 100644 --- a/docs/releases/1.5.2.txt +++ b/docs/releases/1.5.2.txt @@ -7,7 +7,7 @@ Django 1.5.2 release notes This is Django 1.5.2, a bugfix and security release for Django 1.5. Mitigated possible XSS attack via user-supplied redirect URLs -------------------------------------------------------------- +============================================================= Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and @@ -21,7 +21,7 @@ Django currently, since we only put this URL into the ``Location`` response header and browsers seem to ignore JavaScript there. XSS vulnerability in :mod:`django.contrib.admin` ------------------------------------------------- +================================================ If a :class:`~django.db.models.URLField` is used in Django 1.5, it displays the current value of the field and a link to the target on the admin change page. diff --git a/docs/releases/1.5.3.txt b/docs/releases/1.5.3.txt index 3d03eed74a..efb662e989 100644 --- a/docs/releases/1.5.3.txt +++ b/docs/releases/1.5.3.txt @@ -9,7 +9,7 @@ one security issue and also contains an opt-in feature to enhance the security of :mod:`django.contrib.sessions`. Directory traversal vulnerability in ``ssi`` template tag ---------------------------------------------------------- +========================================================= In previous versions of Django it was possible to bypass the ``ALLOWED_INCLUDE_ROOTS`` setting used for security with the ``ssi`` @@ -26,7 +26,7 @@ author to put the ``ssi`` file in a user-controlled variable, but it's possible in principle. Mitigating a remote-code execution vulnerability in :mod:`django.contrib.sessions` ----------------------------------------------------------------------------------- +================================================================================== :mod:`django.contrib.sessions` currently uses :mod:`pickle` to serialize session data before storing it in the backend. If you're using the :ref:`signed diff --git a/docs/releases/1.5.4.txt b/docs/releases/1.5.4.txt index 68deeb5de0..48b27b25a7 100644 --- a/docs/releases/1.5.4.txt +++ b/docs/releases/1.5.4.txt @@ -8,7 +8,7 @@ This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses two security issues and one bug. Denial-of-service via password hashers --------------------------------------- +====================================== In previous versions of Django, no limit was imposed on the plaintext length of a password. This allowed a denial-of-service attack through @@ -21,7 +21,7 @@ limit on passwords, and will fail authentication with any submitted password of greater length. Corrected usage of :func:`~django.views.decorators.debug.sensitive_post_parameters` in :mod:`django.contrib.auth`’s admin -------------------------------------------------------------------------------------------------------------------------- +========================================================================================================================= The decoration of the ``add_view`` and ``user_change_password`` user admin views with :func:`~django.views.decorators.debug.sensitive_post_parameters` diff --git a/docs/releases/1.5.5.txt b/docs/releases/1.5.5.txt index a1f5ca45de..8dfd3d3834 100644 --- a/docs/releases/1.5.5.txt +++ b/docs/releases/1.5.5.txt @@ -8,7 +8,7 @@ Django 1.5.5 fixes a couple security-related bugs and several other bugs in the 1.5 series. Readdressed denial-of-service via password hashers --------------------------------------------------- +================================================== Django 1.5.4 imposes a 4096-byte limit on passwords in order to mitigate a denial-of-service attack through submission of bogus but extremely large @@ -16,7 +16,7 @@ passwords. In Django 1.5.5, we've reverted this change and instead improved the speed of our PBKDF2 algorithm by not rehashing the key on every iteration. Properly rotate CSRF token on login ------------------------------------ +=================================== This behavior introduced as a security hardening measure in Django 1.5.2 did not work properly and is now fixed. diff --git a/docs/releases/1.5.txt b/docs/releases/1.5.txt index 44f96d248c..3ecdcca12e 100644 --- a/docs/releases/1.5.txt +++ b/docs/releases/1.5.txt @@ -85,7 +85,7 @@ offer an alpha release featuring 2.7 support, and Django 1.5 supports that alpha release. Python 3 support -~~~~~~~~~~~~~~~~ +---------------- Django 1.5 introduces support for Python 3 - specifically, Python 3.2 and above. This comes in the form of a **single** codebase; you don't @@ -122,7 +122,7 @@ What's new in Django 1.5 ======================== Configurable User model -~~~~~~~~~~~~~~~~~~~~~~~ +----------------------- In Django 1.5, you can now use your own model as the store for user-related data. If your project needs a username with more than 30 characters, or if @@ -139,7 +139,7 @@ See the :ref:`documentation on custom User models <auth-custom-user>` for more details. Support for saving a subset of model's fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------- The method :meth:`Model.save() <django.db.models.Model.save()>` has a new keyword argument ``update_fields``. By using this argument it is possible to @@ -154,7 +154,7 @@ See the :meth:`Model.save() <django.db.models.Model.save()>` documentation for more details. Caching of related model instances -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------- When traversing relations, the ORM will avoid re-fetching objects that were previously loaded. For example, with the tutorial's models:: @@ -174,7 +174,7 @@ is particularly helpful in combination with ``prefetch_related``. .. _explicit-streaming-responses: Explicit support for streaming responses -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------- Before Django 1.5, it was possible to create a streaming response by passing an iterator to :class:`~django.http.HttpResponse`. But this was unreliable: @@ -192,14 +192,14 @@ streaming responses and behave accordingly. See :ref:`response-middleware` for more information. ``{% verbatim %}`` template tag -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- To make it easier to deal with JavaScript templates which collide with Django's syntax, you can now use the :ttag:`verbatim` block tag to avoid parsing the tag's content. Retrieval of ``ContentType`` instances associated with proxy models -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------------- The methods :meth:`ContentTypeManager.get_for_model() <django.contrib.contenttypes.models.ContentTypeManager.get_for_model()>` and :meth:`ContentTypeManager.get_for_models() <django.contrib.contenttypes.models.ContentTypeManager.get_for_models()>` @@ -209,14 +209,14 @@ By passing ``False`` using this argument it is now possible to retrieve the associated with proxy models. New ``view`` variable in class-based views context -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------- In all :doc:`generic class-based views </topics/class-based-views/index>` (or any class-based view inheriting from ``ContextMixin``), the context dictionary contains a ``view`` variable that points to the ``View`` instance. GeoDjango -~~~~~~~~~ +--------- * :class:`~django.contrib.gis.geos.LineString` and :class:`~django.contrib.gis.geos.MultiLineString` GEOS objects now support the @@ -232,7 +232,7 @@ GeoDjango dropped. New tutorials -~~~~~~~~~~~~~ +------------- Additions to the docs include a revamped :doc:`Tutorial 3</intro/tutorial03>` and a new :doc:`tutorial on testing</intro/tutorial05>`. A new section, @@ -241,7 +241,7 @@ and a new :doc:`tutorial on testing</intro/tutorial05>`. A new section, :doc:`Writing your first patch for Django </intro/contributing>`. Minor features -~~~~~~~~~~~~~~ +-------------- Django 1.5 also includes several smaller improvements worth noting: @@ -360,7 +360,7 @@ Backwards incompatible changes in 1.5 backwards incompatible change. ``ALLOWED_HOSTS`` required in production -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------- The new :setting:`ALLOWED_HOSTS` setting validates the request's ``Host`` header and protects against host-poisoning attacks. This setting is now @@ -370,7 +370,7 @@ required whenever :setting:`DEBUG` is ``False``, or else :setting:`full documentation<ALLOWED_HOSTS>` for the new setting. Managers on abstract models -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------- Abstract models are able to define a custom manager, and that manager :ref:`will be inherited by any concrete models extending the abstract model @@ -385,7 +385,7 @@ the abstract class, you should migrate that logic to a Python ``staticmethod`` or ``classmethod`` on the abstract class. Context in year archive class-based views -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------- For consistency with the other date-based generic views, :class:`~django.views.generic.dates.YearArchiveView` now passes ``year`` in @@ -397,7 +397,7 @@ year|date:"Y" }}``. calculated according to ``allow_empty`` and ``allow_future``. Context in year and month archive class-based views -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------- :class:`~django.views.generic.dates.YearArchiveView` and :class:`~django.views.generic.dates.MonthArchiveView` were documented to @@ -412,7 +412,7 @@ the documented order was restored. You may want to add (or remove) the ``date_list`` in descending order. Context in TemplateView -~~~~~~~~~~~~~~~~~~~~~~~ +----------------------- For consistency with the design of the other generic views, :class:`~django.views.generic.base.TemplateView` no longer passes a ``params`` @@ -420,7 +420,7 @@ dictionary into the context, instead passing the variables from the URLconf directly into the context. Non-form data in HTTP requests -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------ :attr:`request.POST <django.http.HttpRequest.POST>` will no longer include data posted via HTTP requests with non form-specific content-types in the header. @@ -432,7 +432,7 @@ should use the :attr:`request.body <django.http.HttpRequest.body>` attribute instead. :data:`~django.core.signals.request_finished` signal -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------------- Django used to send the :data:`~django.core.signals.request_finished` signal as soon as the view function returned a response. This interacted badly with @@ -453,7 +453,7 @@ consider using :doc:`middleware </topics/http/middleware>` instead. connections to database and memcache servers. OPTIONS, PUT and DELETE requests in the test client -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------- Unlike GET and POST, these HTTP methods aren't implemented by web browsers. Rather, they're used in APIs, which transfer data in various formats such as @@ -475,7 +475,7 @@ client and set the ``content_type`` argument. .. _simplejson-incompatibilities: System version of ``simplejson`` no longer used -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------- :ref:`As explained below <simplejson-deprecation>`, Django 1.5 deprecates ``django.utils.simplejson`` in favor of Python 2.6's built-in :mod:`json` @@ -521,7 +521,7 @@ They recommend to use it from now on. .. _ticket #18023: https://code.djangoproject.com/ticket/18023#comment:10 String types of hasher method parameters -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------- If you have written a :ref:`custom password hasher <auth_password_storage>`, your ``encode()``, ``verify()`` or ``safe_summary()`` methods should accept @@ -530,7 +530,7 @@ hashing methods need byte strings, you can use the :func:`~django.utils.encoding.force_bytes` utility to encode the strings. Validation of previous_page_number and next_page_number -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------- When using :doc:`object pagination </topics/pagination>`, the ``previous_page_number()`` and ``next_page_number()`` methods of the @@ -540,7 +540,7 @@ It does check it now and raises an :exc:`~django.core.paginator.InvalidPage` exception when the number is either too low or too high. Behavior of autocommit database option on PostgreSQL changed -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------ PostgreSQL's autocommit option didn't work as advertised previously. It did work for single transaction block, but after the first block was left the @@ -549,13 +549,13 @@ this is only a bug fix, it is worth checking your applications behavior if you are using PostgreSQL together with the autocommit option. Session not saved on 500 responses -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------- Django's session middleware will skip saving the session data if the response's status code is 500. Email checks on failed admin login -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------- Prior to Django 1.5, if you attempted to log into the admin interface and mistakenly used your email address instead of your username, the admin @@ -567,13 +567,13 @@ affects the warning message that is displayed under one particular mode of login failure. Changes in tests execution -~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------- Some changes have been introduced in the execution of tests that might be backward-incompatible for some testing setups: Database flushing in ``django.test.TransactionTestCase`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Previously, the test database was truncated *before* each test run in a :class:`~django.test.TransactionTestCase`. @@ -583,7 +583,7 @@ always isolated from each other, :class:`~django.test.TransactionTestCase` will now reset the database *after* each test run instead. No more implicit DB sequences reset -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ :class:`~django.test.TransactionTestCase` tests used to reset primary key sequences automatically together with the database flushing actions described @@ -598,7 +598,7 @@ be used to force the old behavior for :class:`~django.test.TransactionTestCase` that might need it. Ordering of tests -^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~ In order to make sure all ``TestCase`` code starts with a clean database, tests are now executed in the following order: @@ -618,7 +618,7 @@ preserved after the execution of other tests. Such tests are already very fragile, and must now be changed to be able to run independently. `cleaned_data` dictionary kept for invalid forms -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------ The :attr:`~django.forms.Form.cleaned_data` dictionary is now always present after form validation. When the form doesn't validate, it contains only the @@ -628,7 +628,7 @@ presence or absence of the :attr:`~django.forms.Form.cleaned_data` attribute on the form. Behavior of ``syncdb`` with multiple databases -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------- ``syncdb`` now queries the database routers to determine if content types (when :mod:`~django.contrib.contenttypes` is enabled) and permissions @@ -642,7 +642,7 @@ them. See the docs on the :ref:`behavior of contrib apps with multiple databases <contrib_app_multiple_databases>` for more information. XML deserializer will not parse documents with a DTD -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------------- In order to prevent exposure to denial-of-service attacks related to external entity references and entity expansion, the XML model deserializer now refuses @@ -652,7 +652,7 @@ cases where custom-created XML documents are passed to Django's model deserializer. Formsets default ``max_num`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- A (default) value of ``None`` for the ``max_num`` argument to a formset factory no longer defaults to allowing any number of forms in the formset. Instead, in @@ -661,7 +661,7 @@ forms. This limit can be raised by explicitly setting a higher value for ``max_num``. Miscellaneous -~~~~~~~~~~~~~ +------------- * :class:`django.forms.ModelMultipleChoiceField` now returns an empty ``QuerySet`` as the empty value instead of an empty list. @@ -720,7 +720,7 @@ Features deprecated in 1.5 ========================== ``django.contrib.localflavor`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------ The localflavor contrib app has been split into separate packages. ``django.contrib.localflavor`` itself will be removed in Django 1.6, @@ -732,7 +732,7 @@ dozen countries at this time; similar to translations, maintenance will be handed over to interested members of the community. ``django.contrib.markup`` -~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------- The markup contrib module has been deprecated and will follow an accelerated deprecation schedule. Direct use of Python markup libraries or 3rd party tag @@ -740,7 +740,7 @@ libraries is preferred to Django maintaining this functionality in the framework. ``AUTH_PROFILE_MODULE`` -~~~~~~~~~~~~~~~~~~~~~~~ +----------------------- With the introduction of :ref:`custom User models <auth-custom-user>`, there is no longer any need for a built-in mechanism to store user profile data. @@ -753,7 +753,7 @@ the ``AUTH_PROFILE_MODULE`` setting, and the the user profile model, should not be used any longer. Streaming behavior of :class:`~django.http.HttpResponse` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------------- Django 1.5 deprecates the ability to stream a response by passing an iterator to :class:`~django.http.HttpResponse`. If you rely on this behavior, switch to @@ -766,7 +766,7 @@ In Django 1.7 and above, the iterator will be consumed immediately by .. _simplejson-deprecation: ``django.utils.simplejson`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------- Since Django 1.5 drops support for Python 2.5, we can now rely on the :mod:`json` module being available in Python's standard library, so we've @@ -780,32 +780,32 @@ If you rely on features added to ``simplejson`` after it became Python's :mod:`json`, you should import ``simplejson`` explicitly. ``django.utils.encoding.StrAndUnicode`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------- The ``django.utils.encoding.StrAndUnicode`` mix-in has been deprecated. Define a ``__str__`` method and apply the :func:`~django.utils.encoding.python_2_unicode_compatible` decorator instead. ``django.utils.itercompat.product`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------- The ``django.utils.itercompat.product`` function has been deprecated. Use the built-in :func:`itertools.product` instead. ``cleanup`` management command -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------ The ``cleanup`` management command has been deprecated and replaced by :djadmin:`clearsessions`. ``daily_cleanup.py`` script -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------- The undocumented ``daily_cleanup.py`` script has been deprecated. Use the :djadmin:`clearsessions` management command instead. ``depth`` keyword argument in ``select_related`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------ The ``depth`` keyword argument in :meth:`~django.db.models.query.QuerySet.select_related` has been deprecated. diff --git a/docs/releases/1.6.txt b/docs/releases/1.6.txt index bb24f60969..c7cee7e47e 100644 --- a/docs/releases/1.6.txt +++ b/docs/releases/1.6.txt @@ -50,7 +50,7 @@ What's new in Django 1.6 ======================== Simplified default project and app templates -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------- The default templates used by :djadmin:`startproject` and :djadmin:`startapp` have been simplified and modernized. The :doc:`admin @@ -63,7 +63,7 @@ If the default templates don't suit your tastes, you can use :ref:`custom project and app templates <custom-app-and-project-templates>`. Improved transaction management -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- Django's transaction management was overhauled. Database-level autocommit is now turned on by default. This makes transaction handling more explicit and @@ -72,7 +72,7 @@ were introduced, as described in the :doc:`transaction management docs </topics/db/transactions>`. Persistent database connections -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- Django now supports reusing the same database connection for several requests. This avoids the overhead of re-establishing a connection at the beginning of @@ -80,7 +80,7 @@ each request. For backwards compatibility, this feature is disabled by default. See :ref:`persistent-database-connections` for details. Discovery of tests in any test module -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------- Django 1.6 ships with a new test runner that allows more flexibility in the location of tests. The previous runner @@ -103,7 +103,7 @@ This change is backwards-incompatible; see the :ref:`backwards-incompatibility notes<new-test-runner>`. Time zone aware aggregation -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------- The support for :doc:`time zones </topics/i18n/timezones>` introduced in Django 1.4 didn't work well with :meth:`QuerySet.dates() @@ -113,33 +113,33 @@ UTC. This limitation was lifted in Django 1.6. Use :meth:`QuerySet.datetimes() aggregation on a :class:`~django.db.models.DateTimeField`. Support for savepoints in SQLite -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- Django 1.6 adds support for savepoints in SQLite, with some :ref:`limitations <savepoints-in-sqlite>`. ``BinaryField`` model field -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------- A new :class:`django.db.models.BinaryField` model field allows storage of raw binary data in the database. GeoDjango form widgets -~~~~~~~~~~~~~~~~~~~~~~ +---------------------- GeoDjango now provides :doc:`form fields and widgets </ref/contrib/gis/forms-api>` for its geo-specialized fields. They are OpenLayers-based by default, but they can be customized to use any other JS framework. ``check`` management command added for verifying compatibility -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------------------- A :djadmin:`check` management command was added, enabling you to verify if your current configuration (currently oriented at settings) is compatible with the current version of Django. :meth:`Model.save() <django.db.models.Model.save()>` algorithm changed -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------------------------------- The :meth:`Model.save() <django.db.models.Model.save()>` method now tries to directly ``UPDATE`` the database if the instance has a primary @@ -155,7 +155,7 @@ trigger which returns ``NULL``. In such cases it is possible to set use the old algorithm. Minor features -~~~~~~~~~~~~~~ +-------------- * Authentication backends can raise ``PermissionDenied`` to immediately fail the authentication chain. @@ -381,17 +381,17 @@ Backwards incompatible changes in 1.6 backwards incompatible change. New transaction management model -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- Behavior changes -^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~ Database-level autocommit is enabled by default in Django 1.6. While this doesn't change the general spirit of Django's transaction management, there are a few backwards-incompatibilities. Savepoints and ``assertNumQueries`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The changes in transaction management may result in additional statements to create, release or rollback savepoints. This is more likely to happen with @@ -403,7 +403,7 @@ queries are related to savepoints, and adjust the expected number of queries accordingly. Autocommit option for PostgreSQL -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In previous versions, database-level autocommit was only an option for PostgreSQL, and it was disabled by default. This option is now ignored and can @@ -412,7 +412,7 @@ be removed. .. _new-test-runner: New test runner -~~~~~~~~~~~~~~~ +--------------- In order to maintain greater consistency with Python's unittest module, the new test runner (``django.test.runner.DiscoverRunner``) does not automatically @@ -438,7 +438,7 @@ but will not be removed from Django until version 1.8. .. _recommendations in the Python documentation: https://docs.python.org/library/doctest.html#unittest-api Removal of ``django.contrib.gis.tests.GeoDjangoTestSuiteRunner`` GeoDjango custom test runner -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------------------------------------------- This is for developers working on the GeoDjango application itself and related to the item above about changes in the test runners: @@ -449,7 +449,7 @@ supported anymore. To run the GeoDjango tests simply use the new ``DiscoverRunner`` and specify the ``django.contrib.gis`` app. Custom User models in tests -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------- The introduction of the new test runner has also slightly changed the way that test models are imported. As a result, any test that overrides ``AUTH_USER_MODEL`` @@ -472,7 +472,7 @@ error reporting:: ImproperlyConfigured: AUTH_USER_MODEL refers to model 'auth.CustomUser' that has not been installed Time zone-aware ``day``, ``month``, and ``week_day`` lookups -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------ Django 1.6 introduces time zone support for :lookup:`day`, :lookup:`month`, and :lookup:`week_day` lookups when :setting:`USE_TZ` is ``True``. These @@ -487,7 +487,7 @@ tables with `mysql_tzinfo_to_sql`_. .. _mysql_tzinfo_to_sql: https://dev.mysql.com/doc/refman/5.6/en/mysql-tzinfo-to-sql.html Addition of ``QuerySet.datetimes()`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------ When the :doc:`time zone support </topics/i18n/timezones>` added in Django 1.4 was active, :meth:`QuerySet.dates() <django.db.models.query.QuerySet.dates>` @@ -497,7 +497,7 @@ UTC. To fix this, Django 1.6 introduces a new API, :meth:`QuerySet.datetimes() your code. ``QuerySet.dates()`` returns ``date`` objects -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ :meth:`QuerySet.dates() <django.db.models.query.QuerySet.dates>` now returns a list of :class:`~datetime.date`. It used to return a list of @@ -507,7 +507,7 @@ list of :class:`~datetime.date`. It used to return a list of returns a list of :class:`~datetime.datetime`. ``QuerySet.dates()`` no longer usable on ``DateTimeField`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ :meth:`QuerySet.dates() <django.db.models.query.QuerySet.dates>` raises an error if it's used on :class:`~django.db.models.DateTimeField` when time @@ -515,7 +515,7 @@ zone support is active. Use :meth:`QuerySet.datetimes() <django.db.models.query.QuerySet.datetimes>` instead. ``date_hierarchy`` requires time zone definitions -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The :attr:`~django.contrib.admin.ModelAdmin.date_hierarchy` feature of the admin now relies on :meth:`QuerySet.datetimes() @@ -526,7 +526,7 @@ This requires time zone definitions in the database when :setting:`USE_TZ` is ``True``. :ref:`Learn more <database-time-zone-definitions>`. ``date_list`` in generic views requires time zone definitions -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ For the same reason, accessing ``date_list`` in the context of a date-based generic view requires time zone definitions in the database when the view is @@ -534,7 +534,7 @@ based on a :class:`~django.db.models.DateTimeField` and :setting:`USE_TZ` is ``True``. :ref:`Learn more <database-time-zone-definitions>`. New lookups may clash with model fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------- Django 1.6 introduces ``hour``, ``minute``, and ``second`` lookups on :class:`~django.db.models.DateTimeField`. If you had model fields called @@ -542,7 +542,7 @@ Django 1.6 introduces ``hour``, ``minute``, and ``second`` lookups on names. Append an explicit :lookup:`exact` lookup if this is an issue. ``BooleanField`` no longer defaults to ``False`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------ When a :class:`~django.db.models.BooleanField` doesn't have an explicit :attr:`~django.db.models.Field.default`, the implicit default value is @@ -556,10 +556,10 @@ either specify ``default=False`` in the field definition, or ensure the field is set to ``True`` or ``False`` before saving the object. Translations and comments in templates -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------- Extraction of translations after comments -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Extraction of translatable literals from templates with the :djadmin:`makemessages` command now correctly detects i18n constructs when @@ -570,7 +570,7 @@ they are located after a ``{#`` / ``#}``-type comment on the same line. E.g.: {# A comment #}{% trans "This literal was incorrectly ignored. Not anymore" %} Location of translator comments -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ :ref:`translator-comments-in-templates` specified using ``{#`` / ``#}`` need to be at the end of a line. If they are not, the comments are ignored and @@ -583,7 +583,7 @@ be at the end of a line. If they are not, the comments are ignored and <h1>{% trans "Welcome" %}</h1> Quoting in ``reverse()`` -~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------ When reversing URLs, Django didn't apply :func:`~django.utils.http.urlquote` to arguments before interpolating them in URL patterns. This bug is fixed in @@ -595,7 +595,7 @@ replace special characters in URLs used in versions. Storage of IP addresses in the comments app -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------- The comments app now uses a ``GenericIPAddressField`` for storing commenters' IP addresses, to support @@ -622,7 +622,7 @@ addresses are silently truncated; on Oracle, an exception is generated. No database change is needed for SQLite or PostgreSQL databases. Percent literals in ``cursor.execute`` queries -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------- When you are running raw SQL queries through the :ref:`cursor.execute <executing-custom-sql>` method, the rule about doubling @@ -642,7 +642,7 @@ parameters. For example:: .. _m2m-help_text: Help text of model form fields for ManyToManyField fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------- HTML rendering of model form fields corresponding to :class:`~django.db.models.ManyToManyField` model fields used to get the @@ -676,7 +676,7 @@ and :doc:`widgets </ref/forms/widgets>` aren't affected but need to be aware of what's described in :ref:`m2m-help_text-deprecation` below. QuerySet iteration -~~~~~~~~~~~~~~~~~~ +------------------ The ``QuerySet`` iteration was changed to immediately convert all fetched rows to ``Model`` objects. In Django 1.5 and earlier the fetched rows were @@ -695,7 +695,7 @@ lazily by using the :meth:`~django.db.models.query.QuerySet.iterator()` method. :meth:`BoundField.label_tag<django.forms.BoundField.label_tag>` now includes the form's :attr:`~django.forms.Form.label_suffix` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------------------------------------------------------------------------- This is consistent with how methods like :meth:`Form.as_p<django.forms.Form.as_p>` and @@ -728,7 +728,7 @@ customize the ``label_suffix`` on a per-field basis using the new ``label_suffix`` parameter on :meth:`~django.forms.BoundField.label_tag`. Admin views ``_changelist_filters`` GET parameter -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------- To achieve preserving and restoring list view filters, admin views now pass around the `_changelist_filters` GET parameter. It's important that you @@ -738,7 +738,7 @@ can set the :attr:`~django.contrib.admin.ModelAdmin.preserve_filters` attribute to ``False``. ``django.contrib.auth`` password reset uses base 64 encoding of ``User`` PK -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------------------------- Past versions of Django used base 36 encoding of the ``User`` primary key in the password reset views and URLs @@ -791,7 +791,7 @@ You can remove this url pattern after your app has been deployed with Django 1.6 for :setting:`PASSWORD_RESET_TIMEOUT_DAYS`. Default session serialization switched to JSON -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------- Historically, :mod:`django.contrib.sessions` used :mod:`pickle` to serialize session data before storing it in the backend. If you're using the :ref:`signed @@ -825,7 +825,7 @@ serialization will work for your application: See the :ref:`session_serialization` documentation for more details. Object Relational Mapper changes -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- Django 1.6 contains many changes to the ORM. These changes fall mostly in three categories: @@ -850,7 +850,7 @@ neither Django 1.5 nor 1.6 produce correct results. Finally, there have been many changes to the ORM internal APIs. Miscellaneous -~~~~~~~~~~~~~ +------------- * The ``django.db.models.query.EmptyQuerySet`` can't be instantiated any more - it is only usable as a marker class for checking if @@ -964,7 +964,7 @@ Features deprecated in 1.6 ========================== Transaction management APIs -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------- Transaction management was completely overhauled in Django 1.6, and the current APIs are deprecated: @@ -976,7 +976,7 @@ current APIs are deprecated: - the ``TRANSACTIONS_MANAGED`` setting ``django.contrib.comments`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------- Django's comment framework has been deprecated and is no longer supported. It will be available in Django 1.6 and 1.7, and removed in Django 1.8. Most users @@ -989,7 +989,7 @@ __ https://disqus.com/ __ https://github.com/django/django-contrib-comments Support for PostgreSQL versions older than 8.4 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------- The end of upstream support periods was reached in December 2011 for PostgreSQL 8.2 and in February 2013 for 8.3. As a consequence, Django 1.6 sets @@ -1000,7 +1000,7 @@ available, because of performance improvements and to take advantage of the native streaming replication available in PostgreSQL 9.x. Changes to :ttag:`cycle` and :ttag:`firstof` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------- The template system generally escapes all variables to avoid XSS attacks. However, due to an accident of history, the :ttag:`cycle` and :ttag:`firstof` @@ -1028,7 +1028,7 @@ If necessary, you can temporarily disable auto-escaping with <autoescape>`. ``CACHE_MIDDLEWARE_ANONYMOUS_ONLY`` setting -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------- ``CacheMiddleware`` and ``UpdateCacheMiddleware`` used to provide a way to cache requests only if they weren't made by a logged-in user. This mechanism @@ -1046,7 +1046,7 @@ This makes the cache effectively work on a per-session basis regardless of the __ https://www.google.com/analytics/ ``SEND_BROKEN_LINK_EMAILS`` setting -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------- :class:`~django.middleware.common.CommonMiddleware` used to provide basic reporting of broken links by email when ``SEND_BROKEN_LINK_EMAILS`` is set to @@ -1064,19 +1064,19 @@ If you're relying on this feature, you should add from your settings. ``_has_changed`` method on widgets -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------- If you defined your own form widgets and defined the ``_has_changed`` method on a widget, you should now define this method on the form field itself. ``module_name`` model _meta attribute -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------- ``Model._meta.module_name`` was renamed to ``model_name``. Despite being a private API, it will go through a regular deprecation path. ``get_(add|change|delete)_permission`` model _meta methods -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------------------- ``Model._meta.get_(add|change|delete)_permission`` methods were deprecated. Even if they were not part of the public API they'll also go through @@ -1085,7 +1085,7 @@ a regular deprecation path. You can replace them with ``'action'`` is ``'add'``, ``'change'``, or ``'delete'``. ``get_query_set`` and similar methods renamed to ``get_queryset`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------------------------- Methods that return a ``QuerySet`` such as ``Manager.get_query_set`` or ``ModelAdmin.queryset`` have been renamed to ``get_queryset``. @@ -1139,7 +1139,7 @@ override either ``get_query_set`` or ``get_queryset``. ``shortcut`` view and URLconf -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------- The ``shortcut`` view was moved from ``django.views.defaults`` to ``django.contrib.contenttypes.views`` shortly after the 1.0 release, but the @@ -1156,7 +1156,7 @@ with:: (r'^prefix/(?P<content_type_id>\d+)/(?P<object_id>.*)/$', 'django.contrib.contenttypes.views.shortcut'), ``ModelForm`` without ``fields`` or ``exclude`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------- Previously, if you wanted a :class:`~django.forms.ModelForm` to use all fields on the model, you could simply omit the ``Meta.fields`` attribute, and all fields @@ -1191,7 +1191,7 @@ functioning ``ModelForm``. This behavior also works for earlier Django versions. ``UpdateView`` and ``CreateView`` without explicit fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------- The generic views :class:`~django.views.generic.edit.CreateView` and :class:`~django.views.generic.edit.UpdateView`, and anything else derived from @@ -1210,7 +1210,7 @@ but without an explicit list of fields is deprecated. .. _m2m-help_text-deprecation: Munging of help text of model form fields for ``ManyToManyField`` fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------------------ All special handling of the ``help_text`` attribute of ``ManyToManyField`` model fields performed by standard model or model form fields as described in diff --git a/docs/releases/1.7.txt b/docs/releases/1.7.txt index 005882afe6..ef14a68632 100644 --- a/docs/releases/1.7.txt +++ b/docs/releases/1.7.txt @@ -37,7 +37,7 @@ What's new in Django 1.7 ======================== Schema migrations -~~~~~~~~~~~~~~~~~ +----------------- Django now has built-in support for schema migrations. It allows models to be updated, changed, and deleted by creating migration files that represent @@ -82,7 +82,7 @@ but a few of the key features are: .. _app-loading-refactor-17-release-note: App-loading refactor -~~~~~~~~~~~~~~~~~~~~ +-------------------- Historically, Django applications were tightly linked to models. A singleton known as the "app cache" dealt with both installed applications and models. @@ -120,7 +120,7 @@ Improvements thus far include: make it easier to diagnose import issues such as import loops. New method on Field subclasses -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------ To help power both schema migrations and to enable easier addition of composite keys in future releases of Django, the @@ -154,7 +154,7 @@ classes serializable, read the :ref:`migration serialization documentation <migration-serializing>`. Calling custom ``QuerySet`` methods from the ``Manager`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------------- Historically, the recommended way to make reusable model queries was to create methods on a custom ``Manager`` class. The problem with this approach was that @@ -192,7 +192,7 @@ class method can now directly :ref:`create Manager with QuerySet methods Food.objects.pizzas().vegetarian() Using a custom manager when traversing reverse relations -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------------- It is now possible to :ref:`specify a custom manager <using-custom-reverse-manager>` when traversing a reverse relationship:: @@ -210,7 +210,7 @@ It is now possible to :ref:`specify a custom manager b.entry_set(manager='entries').all() New system check framework -~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------- We've added a new :doc:`System check framework </ref/checks>` for detecting common problems (like invalid models) and providing hints for @@ -221,7 +221,7 @@ To perform system checks, you use the :djadmin:`check` management command. This command replaces the older ``validate`` management command. New ``Prefetch`` object for advanced ``prefetch_related`` operations. -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------------------- The new :class:`~django.db.models.Prefetch` object allows customizing prefetch operations. @@ -236,7 +236,7 @@ querysets. See :meth:`~django.db.models.query.QuerySet.prefetch_related()` for more details. Admin shortcuts support time zones -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------- The "today" and "now" shortcuts next to date and time input widgets in the admin are now operating in the :ref:`current time zone @@ -249,7 +249,7 @@ server time zone are different, to clarify how the value inserted in the field will be interpreted. Using database cursors as context managers -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------ Prior to Python 2.7, database cursors could be used as a context manager. The specific backend's cursor defined the behavior of the context manager. The @@ -271,7 +271,7 @@ instead of:: c.close() Custom lookups -~~~~~~~~~~~~~~ +-------------- It is now possible to write custom lookups and transforms for the ORM. Custom lookups work just like Django's built-in lookups (e.g. ``lte``, @@ -292,10 +292,10 @@ For more information about both custom lookups and transforms refer to the :doc:`custom lookups </howto/custom-lookups>` documentation. Improvements to ``Form`` error handling -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------- ``Form.add_error()`` -^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~ Previously there were two main patterns for handling errors in forms: @@ -323,7 +323,7 @@ See :ref:`validating-fields-with-clean` for an example using ``Form.add_error()``. Error metadata -^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~ The :exc:`~django.core.exceptions.ValidationError` constructor accepts metadata such as error ``code`` or ``params`` which are then available for interpolating @@ -347,7 +347,7 @@ codes serialized as JSON. ``as_json()`` uses ``as_data()`` and gives an idea of how the new system could be extended. Error containers and backward compatibility -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Heavy changes to the various error containers were necessary in order to support the features above, specifically @@ -360,10 +360,10 @@ using private APIs, some of the changes are backwards incompatible; see :ref:`validation-error-constructor-and-internal-storage` for more details. Minor features -~~~~~~~~~~~~~~ +-------------- :mod:`django.contrib.admin` -^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~ * You can now implement :attr:`~django.contrib.admin.AdminSite.site_header`, :attr:`~django.contrib.admin.AdminSite.site_title`, and @@ -410,7 +410,7 @@ Minor features overridden to define custom behavior for setting initial change form data. :mod:`django.contrib.auth` -^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~ * Any ``**kwargs`` passed to :meth:`~django.contrib.auth.models.User.email_user()` are passed to the @@ -436,14 +436,14 @@ Minor features enabled. See :ref:`session-invalidation-on-password-change` for more details. ``django.contrib.formtools`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Calls to :meth:`WizardView.done() <formtools.wizard.views.WizardView.done>` now include a ``form_dict`` to allow easier access to forms by their step name. :mod:`django.contrib.gis` -^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~ * The default OpenLayers library version included in widgets has been updated from 2.11 to 2.13. @@ -453,7 +453,7 @@ Minor features installed. :mod:`django.contrib.messages` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The backends for :mod:`django.contrib.messages` that use cookies, will now follow the :setting:`SESSION_COOKIE_SECURE` and @@ -467,7 +467,7 @@ Minor features message level. :mod:`django.contrib.redirects` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * :class:`~django.contrib.redirects.middleware.RedirectFallbackMiddleware` has two new attributes @@ -478,14 +478,14 @@ Minor features middleware returns. :mod:`django.contrib.sessions` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The ``"django.contrib.sessions.backends.cached_db"`` session backend now respects :setting:`SESSION_CACHE_ALIAS`. In previous versions, it always used the `default` cache. :mod:`django.contrib.sitemaps` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The :mod:`sitemap framework<django.contrib.sitemaps>` now makes use of :attr:`~django.contrib.sitemaps.Sitemap.lastmod` to set a ``Last-Modified`` @@ -494,13 +494,13 @@ Minor features conditional ``GET`` requests for sitemaps which set ``lastmod``. :mod:`django.contrib.sites` -^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The new :class:`django.contrib.sites.middleware.CurrentSiteMiddleware` allows setting the current site on each request. :mod:`django.contrib.staticfiles` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The :ref:`static files storage classes <staticfiles-storages>` may be subclassed to override the permissions that collected static files and @@ -527,7 +527,7 @@ Minor features :djadmin:`findstatic` for example output. :mod:`django.contrib.syndication` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The :class:`~django.utils.feedgenerator.Atom1Feed` syndication feed's ``updated`` element now utilizes ``updateddate`` instead of ``pubdate``, @@ -535,7 +535,7 @@ Minor features relies on ``pubdate``). Cache -^^^^^ +~~~~~ * Access to caches configured in :setting:`CACHES` is now available via :data:`django.core.cache.caches`. This dict-like object provides a different @@ -552,13 +552,13 @@ Cache ``timeout=None`` to the cache backend's ``set()`` method. Cross Site Request Forgery -^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~ * The :setting:`CSRF_COOKIE_AGE` setting facilitates the use of session-based CSRF cookies. Email -^^^^^ +~~~~~ * :func:`~django.core.mail.send_mail` now accepts an ``html_message`` parameter for sending a multipart ``text/plain`` and ``text/html`` email. @@ -566,7 +566,7 @@ Email ``timeout`` parameter. File Storage -^^^^^^^^^^^^ +~~~~~~~~~~~~ * File locking on Windows previously depended on the PyWin32 package; if it wasn't installed, file locking failed silently. That dependency has been @@ -574,7 +574,7 @@ File Storage and Unix. File Uploads -^^^^^^^^^^^^ +~~~~~~~~~~~~ * The new :attr:`UploadedFile.content_type_extra <django.core.files.uploadedfile.UploadedFile.content_type_extra>` attribute @@ -601,7 +601,7 @@ File Uploads This change was also made in the 1.6.6, 1.5.9, and 1.4.14 security releases. Forms -^^^^^ +~~~~~ * The ``<label>`` and ``<input>`` tags rendered by :class:`~django.forms.RadioSelect` and @@ -657,7 +657,7 @@ Forms <considerations-regarding-model-errormessages>` for more details. Internationalization -^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~ * The :attr:`django.middleware.locale.LocaleMiddleware.response_redirect_class` attribute allows you to customize the redirects issued by the middleware. @@ -693,10 +693,10 @@ Internationalization :setting:`LANGUAGE_COOKIE_AGE`, :setting:`LANGUAGE_COOKIE_DOMAIN` and :setting:`LANGUAGE_COOKIE_PATH`. -* Added :ref:`format definitions <format-localization>` for Esperanto. +* Added :doc:`/topics/i18n/formatting` for Esperanto. Management Commands -^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~ * The new :option:`--no-color` option for ``django-admin`` disables the colorization of management command output. @@ -743,7 +743,7 @@ Management Commands .. _sqlparse: https://pypi.python.org/pypi/sqlparse Models -^^^^^^ +~~~~~~ * The :meth:`QuerySet.update_or_create() <django.db.models.query.QuerySet.update_or_create>` method was added. @@ -803,7 +803,7 @@ Models a relation ``_id`` field by using its attribute name. Signals -^^^^^^^ +~~~~~~~ * The ``enter`` argument was added to the :data:`~django.test.signals.setting_changed` signal. @@ -813,7 +813,7 @@ Signals reference their senders. Templates -^^^^^^^^^ +~~~~~~~~~ * The :meth:`Context.push() <django.template.Context.push>` method now returns a context manager which automatically calls :meth:`pop() @@ -870,7 +870,7 @@ Templates longer than the specified number of characters, taking HTML into account. Requests and Responses -^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~ * The new :attr:`HttpRequest.scheme <django.http.HttpRequest.scheme>` attribute specifies the scheme of the request (``http`` or ``https`` normally). @@ -883,7 +883,7 @@ Requests and Responses :class:`~django.http.HttpResponse` helps easily create JSON-encoded responses. Tests -^^^^^ +~~~~~ * :class:`~django.test.runner.DiscoverRunner` has two new attributes, :attr:`~django.test.runner.DiscoverRunner.test_suite` and @@ -912,13 +912,13 @@ Tests named :setting:`TEST <DATABASE-TEST>`. Utilities -^^^^^^^^^ +~~~~~~~~~ * Improved :func:`~django.utils.html.strip_tags` accuracy (but it still cannot guarantee an HTML-safe result, as stated in the documentation). Validators -^^^^^^^^^^ +~~~~~~~~~~ * :class:`~django.core.validators.RegexValidator` now accepts the optional :attr:`~django.core.validators.RegexValidator.flags` and @@ -949,7 +949,7 @@ Backwards incompatible changes in 1.7 backwards incompatible change. ``allow_syncdb`` / ``allow_migrate`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------ While Django will still look at ``allow_syncdb`` methods even though they should be renamed to ``allow_migrate``, there is a subtle difference in which @@ -961,7 +961,7 @@ without custom attributes, methods or managers. Make sure your ``allow_migrate`` methods are only referring to fields or other items in ``model._meta``. initial_data -~~~~~~~~~~~~ +------------ Apps with migrations will not load ``initial_data`` fixtures when they have finished migrating. Apps without migrations will continue to load these fixtures @@ -977,7 +977,7 @@ Additionally, like the rest of Django's old ``syncdb`` code, ``initial_data`` has been started down the deprecation path and will be removed in Django 1.9. deconstruct() and serializability -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- Django now requires all Field classes and all of their constructor arguments to be serializable. If you modify the constructor signature in your custom @@ -993,10 +993,10 @@ them as well <custom-deconstruct-method>`, though Django provides a handy class decorator that will work for most applications. App-loading changes -~~~~~~~~~~~~~~~~~~~ +------------------- Start-up sequence -^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~ Django 1.7 loads application configurations and models as soon as it starts. While this behavior is more straightforward and is believed to be more robust, @@ -1004,7 +1004,7 @@ regressions cannot be ruled out. See :ref:`applications-troubleshooting` for solutions to some problems you may encounter. Standalone scripts -^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~ If you're using Django in a plain Python script — rather than a management command — and you rely on the :envvar:`DJANGO_SETTINGS_MODULE` environment @@ -1017,7 +1017,7 @@ script with:: Otherwise, you will hit an ``AppRegistryNotReady`` exception. WSGI scripts -^^^^^^^^^^^^ +~~~~~~~~~~~~ Until Django 1.3, the recommended way to create a WSGI application was:: @@ -1033,7 +1033,7 @@ If you're still using the former style in your WSGI script, you need to upgrade to the latter, or you will hit an ``AppRegistryNotReady`` exception. App registry consistency -^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~ It is no longer possible to have multiple installed applications with the same label. In previous versions of Django, this didn't always work correctly, but @@ -1064,7 +1064,7 @@ Django will enforce these requirements as of version 1.9, after a deprecation period. Subclassing AppCommand -^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~ Subclasses of :class:`~django.core.management.AppCommand` must now implement a :meth:`~django.core.management.AppCommand.handle_app_config` method instead of @@ -1072,7 +1072,7 @@ Subclasses of :class:`~django.core.management.AppCommand` must now implement a instance instead of a models module. Introspecting applications -^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~ Since :setting:`INSTALLED_APPS` now supports application configuration classes in addition to application modules, you should review code that accesses this @@ -1090,7 +1090,7 @@ following changes that take effect immediately: longer exists, nor does the ``seed_cache`` argument of ``get_model``. Management commands and order of :setting:`INSTALLED_APPS` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------------------- When several applications provide management commands with the same name, Django loads the command from the application that comes first in @@ -1104,7 +1104,7 @@ files, templates, and translations. .. _validation-error-constructor-and-internal-storage: ``ValidationError`` constructor and internal storage -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------------- The behavior of the ``ValidationError`` constructor has changed when it receives a container of errors as an argument (e.g. a ``list`` or an @@ -1161,7 +1161,7 @@ workaround to convert any ``list`` into ``ErrorList``:: self._errors[field] = self.error_class(error_list) Behavior of ``LocMemCache`` regarding pickle errors -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------- An inconsistency existed in previous versions of Django regarding how pickle errors are handled by different cache backends. @@ -1171,7 +1171,7 @@ cache-specific errors. This has been fixed in Django 1.7, see :ticket:`21200` for more details. Cache keys are now generated from the request's absolute URL -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------ Previous versions of Django generated cache keys using a request's path and query string but not the scheme or host. If a Django application was serving @@ -1184,7 +1184,7 @@ generated by older versions of Django. After upgrading to Django 1.7, the first request to any previously cached URL will be a cache miss. Passing ``None`` to ``Manager.db_manager()`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------- In previous versions of Django, it was possible to use ``db_manager(using=None)`` on a model manager instance to obtain a manager @@ -1196,7 +1196,7 @@ the way routing information cascaded over joins. See :ticket:`13724` for more details. pytz may be required -~~~~~~~~~~~~~~~~~~~~ +-------------------- If your project handles datetimes before 1970 or after 2037 and Django raises a :exc:`ValueError` when encountering them, you will have to install pytz_. You @@ -1206,7 +1206,7 @@ formats or :mod:`django.contrib.syndication`. .. _pytz: https://pypi.python.org/pypi/pytz/ ``remove()`` and ``clear()`` methods of related managers -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------------- The ``remove()`` and ``clear()`` methods of the related managers created by ``ForeignKey``, ``GenericForeignKey``, and ``ManyToManyField`` suffered from a @@ -1234,7 +1234,7 @@ Fixing the issues introduced some backward incompatible changes: See :ref:`this note <nested-queries-performance>` for more details. Admin login redirection strategy -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- Historically, the Django admin site passed the request from an unauthorized or unauthenticated user directly to the login view, without HTTP redirection. In @@ -1248,7 +1248,7 @@ Note also that the admin login form has been updated to not contain the has been set to the more regular ``invalid_login`` key. ``select_for_update()`` requires a transaction -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------- Historically, queries that use :meth:`~django.db.models.query.QuerySet.select_for_update()` could be @@ -1272,7 +1272,7 @@ in a test class which is a subclass of :class:`~django.test.TestCase`. Contrib middleware removed from default :setting:`MIDDLEWARE_CLASSES` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------------------- The :ref:`app-loading refactor <app-loading-refactor-17-release-note>` deprecated using models from apps which are not part of the @@ -1293,7 +1293,7 @@ project's needs. You should also check for any code that accesses ``django.conf.global_settings.MIDDLEWARE_CLASSES`` directly. Miscellaneous -~~~~~~~~~~~~~ +------------- * The :meth:`django.core.files.uploadhandler.FileUploadHandler.new_file()` method is now passed an additional ``content_type_extra`` parameter. If you @@ -1466,20 +1466,20 @@ Features deprecated in 1.7 ========================== ``django.core.cache.get_cache`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- ``django.core.cache.get_cache`` has been supplanted by :data:`django.core.cache.caches`. ``django.utils.dictconfig``/``django.utils.importlib`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------ ``django.utils.dictconfig`` and ``django.utils.importlib`` were copies of respectively :mod:`logging.config` and :mod:`importlib` provided for Python versions prior to 2.7. They have been deprecated. ``django.utils.module_loading.import_by_path`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------- The current ``django.utils.module_loading.import_by_path`` function catches ``AttributeError``, ``ImportError``, and ``ValueError`` exceptions, @@ -1490,7 +1490,7 @@ It has been deprecated in favor of :meth:`~django.utils.module_loading.import_string`. ``django.utils.tzinfo`` -~~~~~~~~~~~~~~~~~~~~~~~ +----------------------- ``django.utils.tzinfo`` provided two :class:`~datetime.tzinfo` subclasses, ``LocalTimezone`` and ``FixedOffset``. They've been deprecated in favor of @@ -1499,7 +1499,7 @@ more correct alternatives provided by :mod:`django.utils.timezone`, :func:`django.utils.timezone.get_fixed_timezone`. ``django.utils.unittest`` -~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------- ``django.utils.unittest`` provided uniform access to the ``unittest2`` library on all Python versions. Since ``unittest2`` became the standard library's @@ -1508,7 +1508,7 @@ Python versions, this module isn't useful anymore. It has been deprecated. Use :mod:`unittest` instead. ``django.utils.datastructures.SortedDict`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------ As :class:`~collections.OrderedDict` was added to the standard library in Python 2.7, ``SortedDict`` is no longer needed and has been deprecated. @@ -1530,7 +1530,7 @@ for a particular form instance. For example (from Django itself):: ) Custom SQL location for models package -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------- Previously, if models were organized in a package (``myapp/models/``) rather than simply ``myapp/models.py``, Django would look for initial SQL data in @@ -1541,7 +1541,7 @@ exists, the deprecation is irrelevant as the entire feature will be removed in Django 1.9. Reorganization of ``django.contrib.sites`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------ ``django.contrib.sites`` provides reduced functionality when it isn't in :setting:`INSTALLED_APPS`. The app-loading refactor adds some constraints in @@ -1554,7 +1554,7 @@ locations are deprecated: ``django.contrib.sites.shortcuts``. ``declared_fieldsets`` attribute on ``ModelAdmin`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------- ``ModelAdmin.declared_fieldsets`` has been deprecated. Despite being a private API, it will go through a regular deprecation path. This attribute was mostly @@ -1562,7 +1562,7 @@ used by methods that bypassed ``ModelAdmin.get_fieldsets()`` but this was considered a bug and has been addressed. Reorganization of ``django.contrib.contenttypes`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------- Since ``django.contrib.contenttypes.generic`` defined both admin and model related objects, an import of this module could trigger unexpected side effects. @@ -1581,14 +1581,14 @@ submodules and the ``django.contrib.contenttypes.generic`` module is deprecated: :mod:`~django.contrib.contenttypes.admin`. ``syncdb`` -~~~~~~~~~~ +---------- The ``syncdb`` command has been deprecated in favor of the new :djadmin:`migrate` command. ``migrate`` takes the same arguments as ``syncdb`` used to plus a few more, so it's safe to just change the name you're calling and nothing else. ``util`` modules renamed to ``utils`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------- The following instances of ``util.py`` in the Django codebase have been renamed to ``utils.py`` in an effort to unify all util and utils references: @@ -1599,14 +1599,14 @@ to ``utils.py`` in an effort to unify all util and utils references: * ``django.forms.util`` ``get_formsets`` method on ``ModelAdmin`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------- ``ModelAdmin.get_formsets`` has been deprecated in favor of the new :meth:`~django.contrib.admin.ModelAdmin.get_formsets_with_inlines`, in order to better handle the case of selectively showing inlines on a ``ModelAdmin``. ``IPAddressField`` -~~~~~~~~~~~~~~~~~~ +------------------ The ``django.db.models.IPAddressField`` and ``django.forms.IPAddressField`` fields have been deprecated in favor of @@ -1614,14 +1614,14 @@ fields have been deprecated in favor of :class:`django.forms.GenericIPAddressField`. ``BaseMemcachedCache._get_memcache_timeout`` method -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------- The ``BaseMemcachedCache._get_memcache_timeout()`` method has been renamed to ``get_backend_timeout()``. Despite being a private API, it will go through the normal deprecation. Natural key serialization options -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- The ``--natural`` and ``-n`` options for :djadmin:`dumpdata` have been deprecated. Use :option:`dumpdata --natural-foreign` instead. @@ -1630,14 +1630,14 @@ Similarly, the ``use_natural_keys`` argument for ``serializers.serialize()`` has been deprecated. Use ``use_natural_foreign_keys`` instead. Merging of ``POST`` and ``GET`` arguments into ``WSGIRequest.REQUEST`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------------------------------- It was already strongly suggested that you use ``GET`` and ``POST`` instead of ``REQUEST``, because the former are more explicit. The property ``REQUEST`` is deprecated and will be removed in Django 1.9. ``django.utils.datastructures.MergeDict`` class -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------- ``MergeDict`` exists primarily to support merging ``POST`` and ``GET`` arguments into a ``REQUEST`` property on ``WSGIRequest``. To merge @@ -1645,7 +1645,7 @@ dictionaries, use ``dict.update()`` instead. The class ``MergeDict`` is deprecated and will be removed in Django 1.9. Language codes ``zh-cn``, ``zh-tw`` and ``fy-nl`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------- The currently used language codes for Simplified Chinese ``zh-cn``, Traditional Chinese ``zh-tw`` and (Western) Frysian ``fy-nl`` are deprecated @@ -1655,7 +1655,7 @@ locale directories and update your settings to reflect these changes. The deprecated language codes will be removed in Django 1.9. ``django.utils.functional.memoize`` function -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------- The function ``memoize`` is deprecated and should be replaced by the ``functools.lru_cache`` decorator (available from Python 3.2 onwards). @@ -1665,13 +1665,13 @@ available at ``django.utils.lru_cache.lru_cache``. The deprecated function will be removed in Django 1.9. Geo Sitemaps -~~~~~~~~~~~~ +------------ Google has retired support for the Geo Sitemaps format. Hence Django support for Geo Sitemaps is deprecated and will be removed in Django 1.8. Passing callable arguments to queryset methods -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------- Callable arguments for querysets were an undocumented feature that was unreliable. It's been deprecated and will be removed in Django 1.9. @@ -1682,26 +1682,26 @@ evaluating arguments before passing them to queryset and created confusion that the arguments may have been evaluated at query time. ``ADMIN_FOR`` setting -~~~~~~~~~~~~~~~~~~~~~ +--------------------- The ``ADMIN_FOR`` feature, part of the admindocs, has been removed. You can remove the setting from your configuration at your convenience. ``SplitDateTimeWidget`` with ``DateTimeField`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------- ``SplitDateTimeWidget`` support in :class:`~django.forms.DateTimeField` is deprecated, use ``SplitDateTimeWidget`` with :class:`~django.forms.SplitDateTimeField` instead. ``validate`` -~~~~~~~~~~~~ +------------ The ``validate`` management command is deprecated in favor of the :djadmin:`check` command. ``django.core.management.BaseCommand`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------- ``requires_model_validation`` is deprecated in favor of a new ``requires_system_checks`` flag. If the latter flag is missing, then the @@ -1711,7 +1711,7 @@ value of the former flag is used. Defining both ``requires_system_checks`` and The ``check()`` method has replaced the old ``validate()`` method. ``ModelAdmin`` validators -~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------- The ``ModelAdmin.validator_class`` and ``default_validator_class`` attributes are deprecated in favor of the new ``checks_class`` attribute. @@ -1722,7 +1722,7 @@ The ``ModelAdmin.validate()`` method is deprecated in favor of The ``django.contrib.admin.validation`` module is deprecated. ``django.db.backends.DatabaseValidation.validate_field`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------------- This method is deprecated in favor of a new ``check_field`` method. The functionality required by ``check_field()`` is the same as that provided @@ -1731,7 +1731,7 @@ backends needing this functionality should provide an implementation of ``check_field()``. Loading ``ssi`` and ``url`` template tags from ``future`` library -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------------------------- Django 1.3 introduced ``{% load ssi from future %}`` and ``{% load url from future %}`` syntax for forward compatibility of the @@ -1740,7 +1740,7 @@ will be removed in Django 1.9. You can simply remove the ``{% load ... from future %}`` tags. ``django.utils.text.javascript_quote`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------- ``javascript_quote()`` was an undocumented function present in ``django.utils.text``. It was used internally in the :ref:`javascript_catalog view <javascript_catalog-view>` @@ -1752,7 +1752,7 @@ If all you need is to generate valid JavaScript strings, you can simply use ``json.dumps()``. ``fix_ampersands`` utils method and template filter -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------- The ``django.utils.html.fix_ampersands`` method and the ``fix_ampersands`` template filter are deprecated, as the escaping of ampersands is already taken care @@ -1765,7 +1765,7 @@ As this is an accelerated deprecation, ``fix_ampersands`` and ``clean_html`` will be removed in Django 1.8. Reorganization of database test settings -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------- All database settings with a ``TEST_`` prefix have been deprecated in favor of entries in a :setting:`TEST <DATABASE-TEST>` dictionary in the database @@ -1774,13 +1774,13 @@ compatibility with older versions of Django, you can define both versions of the settings as long as they match. FastCGI support -~~~~~~~~~~~~~~~ +--------------- FastCGI support via the ``runfcgi`` management command will be removed in Django 1.9. Please deploy your project using WSGI. Moved objects in ``contrib.sites`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------- Following the app-loading refactor, two objects in ``django.contrib.sites.models`` needed to be moved because they must be @@ -1791,13 +1791,13 @@ available without importing ``django.contrib.sites.models`` when Django 1.9. ``django.forms.forms.get_declared_fields()`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------- Django no longer uses this functional internally. Even though it's a private API, it'll go through the normal deprecation cycle. Private Query Lookup APIs -~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------- Private APIs ``django.db.models.sql.where.WhereNode.make_atom()`` and ``django.db.models.sql.where.Constraint`` are deprecated in favor of the new diff --git a/docs/releases/1.8.txt b/docs/releases/1.8.txt index d75250082e..2342e587fe 100644 --- a/docs/releases/1.8.txt +++ b/docs/releases/1.8.txt @@ -37,7 +37,7 @@ What's new in Django 1.8 ======================== ``Model._meta`` API -~~~~~~~~~~~~~~~~~~~ +------------------- Django now has a formalized API for :doc:`Model._meta </ref/models/meta>`, providing an officially supported way to :ref:`retrieve fields @@ -53,7 +53,7 @@ new official API have been deprecated and will eventually be removed. A <migrating-old-meta-api>` has been provided. Multiple template engines -~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------- Django 1.8 defines a stable API for integrating template backends. It includes built-in support for the Django template language and for @@ -63,7 +63,7 @@ new features in the :doc:`topic guide </topics/templates>` and check the :doc:`upgrade instructions </ref/templates/upgrading>` for details. Security enhancements -~~~~~~~~~~~~~~~~~~~~~ +--------------------- Several features of the django-secure_ third-party library have been integrated into Django. :class:`django.middleware.security.SecurityMiddleware` @@ -74,7 +74,7 @@ file for ways to increase the security of your site. .. _django-secure: https://pypi.python.org/pypi/django-secure New PostgreSQL specific functionality -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------- Django now has a module with extensions for PostgreSQL specific features, such as :class:`~django.contrib.postgres.fields.ArrayField`, @@ -83,7 +83,7 @@ as :class:`~django.contrib.postgres.fields.ArrayField`, :doc:`in the documentation </ref/contrib/postgres/index>`. New data types -~~~~~~~~~~~~~~ +-------------- * Django now has a :class:`~django.db.models.UUIDField` for storing universally unique identifiers. It is stored as the native ``uuid`` data type @@ -99,7 +99,7 @@ New data types <django.forms.DurationField>`. Query Expressions, Conditional Expressions, and Database Functions -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------------ :doc:`Query Expressions </ref/models/expressions>` allow you to create, customize, and compose complex SQL expressions. This has enabled annotate @@ -119,7 +119,7 @@ also included with functionality such as :class:`~django.db.models.functions.Substr`. ``TestCase`` data setup -~~~~~~~~~~~~~~~~~~~~~~~ +----------------------- :class:`~django.test.TestCase` has been refactored to allow for data initialization at the class level using transactions and savepoints. Database @@ -138,10 +138,10 @@ for each test. ``TestCase``. Minor features -~~~~~~~~~~~~~~ +-------------- :mod:`django.contrib.admin` -^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~ * :class:`~django.contrib.admin.ModelAdmin` now has a :meth:`~django.contrib.admin.ModelAdmin.has_module_permission` @@ -186,12 +186,12 @@ Minor features objects using a popup. :mod:`django.contrib.admindocs` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * reStructuredText is now parsed in model docstrings. :mod:`django.contrib.auth` -^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~ * Authorization backends can now raise :class:`~django.core.exceptions.PermissionDenied` in @@ -216,7 +216,7 @@ Minor features change the default value. :mod:`django.contrib.gis` -^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~ * A new :doc:`GeoJSON serializer </ref/contrib/gis/serializers>` is now available. @@ -242,19 +242,19 @@ Minor features used any longer. :mod:`django.contrib.sessions` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Session cookie is now deleted after :meth:`~django.contrib.sessions.backends.base.SessionBase.flush()` is called. :mod:`django.contrib.sitemaps` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The new :attr:`Sitemap.i18n <django.contrib.sitemaps.Sitemap.i18n>` attribute allows you to generate a sitemap based on the :setting:`LANGUAGES` setting. :mod:`django.contrib.sites` -^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~ * :func:`~django.contrib.sites.shortcuts.get_current_site` will now lookup the current site based on :meth:`request.get_host() @@ -266,20 +266,20 @@ Minor features using ``pk=1``). Cache -^^^^^ +~~~~~ * The ``incr()`` method of the ``django.core.cache.backends.locmem.LocMemCache`` backend is now thread-safe. Cryptography -^^^^^^^^^^^^ +~~~~~~~~~~~~ * The ``max_age`` parameter of the :meth:`django.core.signing.TimestampSigner.unsign` method now also accepts a :py:class:`datetime.timedelta` object. Database backends -^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~ * The MySQL backend no longer strips microseconds from ``datetime`` values as MySQL 5.6.4 and up supports fractional seconds depending on the declaration @@ -296,7 +296,7 @@ Database backends when getting the description of a table. Email -^^^^^ +~~~~~ * :ref:`Email backends <topic-email-backends>` now support the context manager protocol for opening and closing connections. @@ -312,7 +312,7 @@ Email support the ``reply_to`` parameter. File Storage -^^^^^^^^^^^^ +~~~~~~~~~~~~ * :meth:`Storage.get_available_name() <django.core.files.storage.Storage.get_available_name>` and @@ -325,7 +325,7 @@ File Storage storage classes. Forms -^^^^^ +~~~~~ * Form widgets now render attributes with a value of ``True`` or ``False`` as HTML5 boolean attributes. @@ -363,7 +363,7 @@ Forms instantiating a :class:`~django.forms.ChoiceField`. Generic Views -^^^^^^^^^^^^^ +~~~~~~~~~~~~~ * Generic views that use :class:`~django.views.generic.list.MultipleObjectMixin` may now specify the ordering applied to the @@ -387,7 +387,7 @@ Generic Views supported but will be removed in Django 1.10. Internationalization -^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~ * :setting:`FORMAT_MODULE_PATH` can now be a list of strings representing module paths. This allows importing several format modules from different @@ -395,14 +395,14 @@ Internationalization Django project. Logging -^^^^^^^ +~~~~~~~ * The :class:`django.utils.log.AdminEmailHandler` class now has a :meth:`~django.utils.log.AdminEmailHandler.send_mail` method to make it more subclass friendly. Management Commands -^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~ * Database connections are now always closed after a management command called from the command line has finished doing its job. @@ -451,7 +451,7 @@ Management Commands their dependencies in a project. Middleware -^^^^^^^^^^ +~~~~~~~~~~ * The :attr:`CommonMiddleware.response_redirect_class <django.middleware.common.CommonMiddleware.response_redirect_class>` @@ -462,7 +462,7 @@ Middleware in :setting:`DEBUG` mode. Migrations -^^^^^^^^^^ +~~~~~~~~~~ * The :class:`~django.db.migrations.operations.RunSQL` operation can now handle parameters passed to the SQL statements. @@ -490,7 +490,7 @@ Migrations <deprecated-signature-of-allow-migrate>` for more details. Models -^^^^^^ +~~~~~~ * Django now logs at most 9000 queries in ``connections.queries``, in order to prevent excessive memory usage in long-running processes in debug mode. @@ -537,7 +537,7 @@ Models ``None``. Signals -^^^^^^^ +~~~~~~~ * Exceptions from the ``(receiver, exception)`` tuples returned by :meth:`Signal.send_robust() <django.dispatch.Signal.send_robust>` now have @@ -552,12 +552,12 @@ Signals situations. Django no longer does so itself. System Check Framework -^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~ * :attr:`~django.core.checks.register` can now be used as a function. Templates -^^^^^^^^^ +~~~~~~~~~ * :tfilter:`urlize` now supports domain-only links that include characters after the top-level domain (e.g. ``djangoproject.com/`` and @@ -574,7 +574,7 @@ Templates usual syntax: ``{% now 'j n Y' as varname %}``. Requests and Responses -^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~ * ``WSGIRequest`` now respects paths starting with ``//``. @@ -621,7 +621,7 @@ Requests and Responses conditional view processing now supports the ``If-unmodified-since`` header. Tests -^^^^^ +~~~~~ * The :class:`RequestFactory.trace() <django.test.RequestFactory>` and :class:`Client.trace() <django.test.Client.trace>` methods were @@ -656,7 +656,7 @@ Tests between threads. Validators -^^^^^^^^^^ +~~~~~~~~~~ * :class:`~django.core.validators.URLValidator` now supports IPv6 addresses, unicode domains, and URLs containing authentication data. @@ -673,7 +673,7 @@ Backwards incompatible changes in 1.8 backwards incompatible change. Related object operations are run in a transaction -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------- Some operations on related objects such as :meth:`~django.db.models.fields.related.RelatedManager.add()` or direct @@ -690,7 +690,7 @@ exception in a signal handler will prevent the whole operation. .. _unsaved-model-instance-check-18: Assigning unsaved objects to relations raises an error -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------ .. note:: @@ -737,7 +737,7 @@ objects to the database), you can disable this check by using the removed in 1.8.4 as it's no longer relevant.) Management commands that only accept positional arguments -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------- If you have written a custom management command that only accepts positional arguments and you didn't specify the ``args`` command variable, you might get @@ -750,7 +750,7 @@ older Django versions, it's better to implement the new in :doc:`/howto/custom-management-commands`. Custom test management command arguments through test runner -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------ The method to add custom arguments to the `test` management command through the test runner has changed. Previously, you could provide an `option_list` class @@ -761,7 +761,7 @@ Now to implement the same behavior, you have to create an :py:class:`argparse.ArgumentParser` instance. Model check ensures auto-generated column names are within limits specified by database -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------------------------------------- A field name that's longer than the column name length supported by a database can create problems. For example, with MySQL you'll get an exception trying to @@ -783,7 +783,7 @@ and then specify :attr:`~django.db.models.Field.db_column` on its column(s) as needed. Query relation lookups now check object types -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------- Querying for model lookups now checks if the object passed is of correct type and raises a :exc:`ValueError` if not. Previously, Django didn't care if the @@ -798,7 +798,7 @@ lookups:: ValueError: Cannot query "<Book: Django>": Must be "Author" instance. ``select_related()`` now checks given fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------- ``select_related()`` now validates that the given fields actually exist. Previously, nonexistent fields were silently ignored. Now, an error is raised:: @@ -816,7 +816,7 @@ The validation also makes sure that the given field is relational:: FieldError: Non-relational field given in select_related: 'name' Default ``EmailField.max_length`` increased to 254 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------- The old default 75 character ``max_length`` was not capable of storing all possible RFC3696/5321-compliant email addresses. In order to store all @@ -827,7 +827,7 @@ your current fields). A migration for :attr:`django.contrib.auth.models.User.email` is included. Support for PostgreSQL versions older than 9.0 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------- The end of upstream support periods was reached in July 2014 for PostgreSQL 8.4. As a consequence, Django 1.8 sets 9.0 as the minimum PostgreSQL version it @@ -840,21 +840,21 @@ Django also now requires the use of Psycopg2 version 2.4.5 or higher (or 2.5+ if you want to use :mod:`django.contrib.postgres`). Support for MySQL versions older than 5.5 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------- The end of upstream support periods was reached in January 2012 for MySQL 5.0 and December 2013 for MySQL 5.1. As a consequence, Django 1.8 sets 5.5 as the minimum MySQL version it officially supports. Support for Oracle versions older than 11.1 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------- The end of upstream support periods was reached in July 2010 for Oracle 9.2, January 2012 for Oracle 10.1, and July 2013 for Oracle 10.2. As a consequence, Django 1.8 sets 11.1 as the minimum Oracle version it officially supports. Specific privileges used instead of roles for tests on Oracle -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------- Earlier versions of Django granted the CONNECT and RESOURCE roles to the test user on Oracle. These roles have been deprecated, so Django 1.8 uses the @@ -864,7 +864,7 @@ creating a test user). The exact privileges required now are detailed in :ref:`Oracle notes <oracle-notes>`. ``AbstractUser.last_login`` allows null values -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------- The :attr:`AbstractUser.last_login <django.contrib.auth.models.User.last_login>` field now allows null values. Previously, it defaulted to the time when the user @@ -888,7 +888,7 @@ for users who haven't logged in, you can run this query:: ).update(last_login=None) :mod:`django.contrib.gis` -~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------- * Support for GEOS 3.1 and GDAL 1.6 has been dropped. @@ -904,7 +904,7 @@ for users who haven't logged in, you can run this query:: contain the SRID value of geometry objects. Priority of context processors for ``TemplateResponse`` brought in line with ``render`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------------------------------------- The :class:`~django.template.response.TemplateResponse` constructor is designed to be a drop-in replacement for the :func:`~django.shortcuts.render` function. However, @@ -918,7 +918,7 @@ in the view. If you were relying on the fact context data in a need to change your code. Overriding ``setUpClass`` / ``tearDownClass`` in test cases -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------------------- The decorators :func:`~django.test.override_settings` and :func:`~django.test.modify_settings` now act at the class level when used as @@ -926,7 +926,7 @@ class decorators. As a consequence, when overriding ``setUpClass()`` or ``tearDownClass()``, the ``super`` implementation should always be called. Removal of ``django.contrib.formtools`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------- The formtools contrib app has been moved to a separate package and the relevant documentation pages have been updated or removed. @@ -936,7 +936,7 @@ The new package is available `on GitHub`_ and on PyPI. .. _on GitHub: https://github.com/django/django-formtools/ Database connection reloading between tests -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------- Django previously closed database connections between each test within a ``TestCase``. This is no longer the case as Django now wraps the whole @@ -944,7 +944,7 @@ Django previously closed database connections between each test within a behavior, you should have them inherit from ``TransactionTestCase`` instead. Cleanup of the ``django.template`` namespace -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------- If you've been relying on private APIs exposed in the ``django.template`` module, you may have to import them from ``django.template.base`` instead. @@ -954,7 +954,7 @@ Also private APIs ``django.template.base.compile_string()``, ``django.template.loader.get_template_from_string()`` were removed. ``model`` attribute on private model relations -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------- In earlier versions of Django, on a model with a reverse foreign key relationship (for example), ``model._meta.get_all_related_objects()`` returned @@ -992,7 +992,7 @@ Also note that ``get_all_related_objects()`` is deprecated in 1.8. See the :ref:`upgrade guide <migrating-old-meta-api>` for the new API. Database backend API -~~~~~~~~~~~~~~~~~~~~ +-------------------- The following changes to the database backend API are documented to assist those writing third-party backends in updating their code: @@ -1021,7 +1021,7 @@ those writing third-party backends in updating their code: ``timedelta`` parameter. :mod:`django.contrib.admin` -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------- * ``AdminSite`` no longer takes an ``app_name`` argument and its ``app_name`` attribute has been removed. The application name is always ``admin`` (as @@ -1038,7 +1038,7 @@ those writing third-party backends in updating their code: identifier used to retrieve the object before deletion. Default autoescaping of functions in ``django.template.defaultfilters`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------------------------------- In order to make built-in template filters that output HTML "safe by default" when calling them in Python code, the following functions in @@ -1058,7 +1058,7 @@ are passing trusted content. This change doesn't have any effect when using the corresponding filters in templates. Miscellaneous -~~~~~~~~~~~~~ +------------- * ``connections.queries`` is now a read-only attribute. @@ -1203,7 +1203,7 @@ Features deprecated in 1.8 ========================== Selected methods in ``django.db.models.options.Options`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------------------- As part of the formalization of the ``Model._meta`` API (from the :class:`django.db.models.options.Options` class), a number of methods have been @@ -1223,7 +1223,7 @@ A :ref:`migration guide <migrating-old-meta-api>` has been provided to assist in converting your code from the old API to the new, official API. Loading ``cycle`` and ``firstof`` template tags from ``future`` library -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------------------------------- Django 1.6 introduced ``{% load cycle from future %}`` and ``{% load firstof from future %}`` syntax for forward compatibility of the @@ -1232,7 +1232,7 @@ and will be removed in Django 1.10. You can simply remove the ``{% load ... from future %}`` tags. ``django.conf.urls.patterns()`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- In the olden days of Django, it was encouraged to reference views as strings in ``urlpatterns``:: @@ -1284,14 +1284,14 @@ Updating your code is as simple as ensuring that ``urlpatterns`` is a list of ] Passing a string as ``view`` to :func:`~django.conf.urls.url` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------- Related to the previous item, referencing views as strings in the ``url()`` function is deprecated. Pass the callable view as described in the previous section instead. Template-related settings -~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------- As a consequence of the multiple template engines refactor, several settings are deprecated in favor of :setting:`TEMPLATES`: @@ -1304,13 +1304,13 @@ are deprecated in favor of :setting:`TEMPLATES`: * ``TEMPLATE_STRING_IF_INVALID`` ``django.core.context_processors`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------- Built-in template context processors have been moved to ``django.template.context_processors``. ``django.test.SimpleTestCase.urls`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------- The attribute ``SimpleTestCase.urls`` for specifying URLconf configuration in tests has been deprecated and will be removed in Django 1.10. Use @@ -1318,20 +1318,20 @@ tests has been deprecated and will be removed in Django 1.10. Use instead. ``prefix`` argument to :func:`~django.conf.urls.i18n.i18n_patterns` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------------- Related to the previous item, the ``prefix`` argument to :func:`django.conf.urls.i18n.i18n_patterns` has been deprecated. Simply pass a list of :func:`django.conf.urls.url` instances instead. Using an incorrect count of unpacked values in the :ttag:`for` template tag -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------------------------- Using an incorrect count of unpacked values in :ttag:`for` tag will raise an exception rather than fail silently in Django 1.10. Passing a dotted path to ``reverse()`` and :ttag:`url` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------ Reversing URLs by Python path is an expensive operation as it causes the path being reversed to be imported. This behavior has also resulted in a @@ -1354,7 +1354,7 @@ or ``name='django.contrib.gis.sitemaps.views.kmz'``. .. _security issue: https://www.djangoproject.com/weblog/2014/apr/21/security/#s-issue-unexpected-code-execution-using-reverse Aggregate methods and modules -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------- The ``django.db.models.sql.aggregates`` and ``django.contrib.gis.db.models.sql.aggregates`` modules (both private API), have @@ -1377,7 +1377,7 @@ in Django 1.10: * ``Query.append_aggregate_mask()``, replaced by ``append_annotation_mask()``. Extending management command arguments through ``Command.option_list`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------------------------------- Management commands now use :py:mod:`argparse` instead of :py:mod:`optparse` to parse command-line arguments passed to commands. This also means that the way @@ -1388,21 +1388,21 @@ arguments through ``argparse.add_argument()``. See :ref:`this example <custom-commands-options>` for more details. ``django.core.management.NoArgsCommand`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------- The class ``NoArgsCommand`` is now deprecated and will be removed in Django 1.10. Use :class:`~django.core.management.BaseCommand` instead, which takes no arguments by default. Listing all migrations in a project -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------- The ``--list`` option of the :djadmin:`migrate` management command is deprecated and will be removed in Django 1.10. Use :djadmin:`showmigrations` instead. ``cache_choices`` option of ``ModelChoiceField`` and ``ModelMultipleChoiceField`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------------------------------- :class:`~django.forms.ModelChoiceField` and :class:`~django.forms.ModelMultipleChoiceField` took an undocumented, untested @@ -1411,27 +1411,27 @@ the same ``Form`` object. This option is subject to an accelerated deprecation and will be removed in Django 1.9. ``django.template.resolve_variable()`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------- The function has been informally marked as "Deprecated" for some time. Replace ``resolve_variable(path, context)`` with ``django.template.Variable(path).resolve(context)``. ``django.contrib.webdesign`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- It provided the :ttag:`lorem` template tag which is now included in the built-in tags. Simply remove ``'django.contrib.webdesign'`` from :setting:`INSTALLED_APPS` and ``{% load webdesign %}`` from your templates. ``error_message`` argument to ``django.forms.RegexField`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------- It provided backwards compatibility for pre-1.0 code, but its functionality is redundant. Use ``Field.error_messages['invalid']`` instead. Old :tfilter:`unordered_list` syntax -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------ An older (pre-1.0), more restrictive and verbose input format for the :tfilter:`unordered_list` template filter has been deprecated:: @@ -1443,13 +1443,13 @@ Using the new syntax, this becomes:: ``['States', ['Kansas', ['Lawrence', 'Topeka'], 'Illinois']]`` ``django.forms.Field._has_changed()`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------- Rename this method to :meth:`~django.forms.Field.has_changed` by removing the leading underscore. The old name will still work until Django 1.10. ``django.utils.html.remove_tags()`` and ``removetags`` template filter -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------------------------------- ``django.utils.html.remove_tags()`` as well as the template filter ``removetags`` have been deprecated as they cannot guarantee safe output. Their @@ -1460,12 +1460,12 @@ The unused and undocumented ``django.utils.html.strip_entities()`` function has also been deprecated. ``is_admin_site`` argument to ``django.contrib.auth.views.password_reset()`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------------------------------------- It's a legacy option that should no longer be necessary. ``SubfieldBase`` -~~~~~~~~~~~~~~~~ +---------------- ``django.db.models.fields.subclassing.SubfieldBase`` has been deprecated and will be removed in Django 1.10. Historically, it was used to handle fields where @@ -1476,7 +1476,7 @@ not call the :meth:`~django.db.models.Field.to_python` method on assignment as was the case with ``SubfieldBase``. ``django.utils.checksums`` -~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------- The ``django.utils.checksums`` module has been deprecated and will be removed in Django 1.10. The functionality it provided (validating checksum using the @@ -1486,7 +1486,7 @@ moved to the `django-localflavor`_ package (version 1.1+). .. _django-localflavor: https://pypi.python.org/pypi/django-localflavor ``InlineAdminForm.original_content_type_id`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------- The ``original_content_type_id`` attribute on ``InlineAdminForm`` has been deprecated and will be removed in Django 1.10. Historically, it was used @@ -1494,14 +1494,14 @@ to construct the "view on site" URL. This URL is now accessible using the ``absolute_url`` attribute of the form. ``django.views.generic.edit.FormMixin.get_form()``’s ``form_class`` argument -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------------------------------------- ``FormMixin`` subclasses that override the ``get_form()`` method should make sure to provide a default value for the ``form_class`` argument since it's now optional. Rendering templates loaded by :func:`~django.template.loader.get_template()` with a :class:`~django.template.Context` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------------------------------------------------------------------- The return type of :func:`~django.template.loader.get_template()` has changed in Django 1.8: instead of a :class:`django.template.Template`, it returns a @@ -1518,7 +1518,7 @@ Since it's easier to understand with examples, the :ref:`upgrade guide All this also applies to :func:`~django.template.loader.select_template()`. :class:`~django.template.Template` and :class:`~django.template.Context` classes in template responses -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------------------------------------------------ Some methods of :class:`~django.template.response.SimpleTemplateResponse` and :class:`~django.template.response.TemplateResponse` accepted @@ -1533,7 +1533,7 @@ Check the :doc:`template response API documentation </ref/template-response>` for details. ``current_app`` argument of template-related APIs -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------- The following functions and classes will no longer accept a ``current_app`` parameter to set an URL namespace in Django 1.10: @@ -1548,7 +1548,7 @@ to these functions or classes. If you're using a plain ``Context``, use a ``RequestContext`` instead. ``dictionary`` and ``context_instance`` arguments of rendering functions -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------------------ The following functions will no longer accept the ``dictionary`` and ``context_instance`` parameters in Django 1.10: @@ -1566,7 +1566,7 @@ pass a :class:`dict` in the ``context`` parameter instead. If you're passing a ``request`` parameter. ``dirs`` argument of template-finding functions -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------- The following functions will no longer accept a ``dirs`` parameter to override ``TEMPLATE_DIRS`` in Django 1.10: @@ -1580,14 +1580,14 @@ The parameter didn't work consistently across different template loaders and didn't work for included templates. ``django.template.loader.BaseLoader`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------- ``django.template.loader.BaseLoader`` was renamed to ``django.template.loaders.base.Loader``. If you've written a custom template loader that inherits ``BaseLoader``, you must inherit ``Loader`` instead. ``django.test.utils.TestTemplateLoader`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------- Private API ``django.test.utils.TestTemplateLoader`` is deprecated in favor of ``django.template.loaders.locmem.Loader`` and will be removed in Django 1.9. @@ -1595,7 +1595,7 @@ Private API ``django.test.utils.TestTemplateLoader`` is deprecated in favor of .. _storage-max-length-update: Support for the ``max_length`` argument on custom ``Storage`` classes -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------------------- ``Storage`` subclasses should add ``max_length=None`` as a parameter to :meth:`~django.core.files.storage.Storage.get_available_name` and/or @@ -1604,7 +1604,7 @@ Support for storages that do not accept this argument will be removed in Django 1.10. ``qn`` replaced by ``compiler`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- In previous Django versions, various internal ORM methods (mostly ``as_sql`` methods) accepted a ``qn`` (for "quote name") argument, which was a reference @@ -1618,14 +1618,14 @@ deprecated: you should rename your ``qn`` arguments to ``compiler``, and call ``qn(...)``. Default value of ``RedirectView.permanent`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------- The default value of the :attr:`RedirectView.permanent <django.views.generic.base.RedirectView.permanent>` attribute will change from ``True`` to ``False`` in Django 1.9. Using ``AuthenticationMiddleware`` without ``SessionAuthenticationMiddleware`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------------------------ ``django.contrib.auth.middleware.SessionAuthenticationMiddleware`` was added in Django 1.7. In Django 1.7.2, its functionality was moved to @@ -1640,14 +1640,14 @@ to your ``MIDDLEWARE_CLASSES`` sometime before then to opt-in. Please read the :ref:`upgrade considerations <session-invalidation-on-password-change>` first. ``django.contrib.sitemaps.FlatPageSitemap`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------- ``django.contrib.sitemaps.FlatPageSitemap`` has moved to ``django.contrib.flatpages.sitemaps.FlatPageSitemap``. The old import location is deprecated and will be removed in Django 1.9. Model ``Field.related`` -~~~~~~~~~~~~~~~~~~~~~~~ +----------------------- Private attribute ``django.db.models.Field.related`` is deprecated in favor of ``Field.rel``. The latter is an instance of @@ -1657,7 +1657,7 @@ module has been removed and the ``Field.related`` attribute will be removed in Django 1.10. ``ssi`` template tag -~~~~~~~~~~~~~~~~~~~~ +-------------------- The ``ssi`` template tag allows files to be included in a template by absolute path. This is of limited use in most deployment situations, and @@ -1665,20 +1665,20 @@ the :ttag:`include` tag often makes more sense. This tag is now deprecated and will be removed in Django 1.10. ``=`` as comparison operator in ``if`` template tag -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------- Using a single equals sign with the ``{% if %}`` template tag for equality testing was undocumented and untested. It's now deprecated in favor of ``==``. ``%(<foo>)s`` syntax in ``ModelFormMixin.success_url`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------ The legacy ``%(<foo>)s`` syntax in :attr:`ModelFormMixin.success_url <django.views.generic.edit.ModelFormMixin.success_url>` is deprecated and will be removed in Django 1.10. ``GeoQuerySet`` aggregate methods -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- The ``collect()``, ``extent()``, ``extent3d()``, ``make_line()``, and ``unionagg()`` aggregate methods are deprecated and should be replaced by their @@ -1688,7 +1688,7 @@ function-based aggregate equivalents (``Collect``, ``Extent``, ``Extent3D``, .. _deprecated-signature-of-allow-migrate: Signature of the ``allow_migrate`` router method -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------ The signature of the :meth:`allow_migrate` method of database routers has changed from ``allow_migrate(db, model)`` to diff --git a/docs/releases/1.9.txt b/docs/releases/1.9.txt index a74798b928..dc43dce873 100644 --- a/docs/releases/1.9.txt +++ b/docs/releases/1.9.txt @@ -29,7 +29,7 @@ What's new in Django 1.9 ======================== Performing actions after a transaction commit -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------- The new :func:`~django.db.transaction.on_commit` hook allows performing actions after a database transaction is successfully committed. This is useful for @@ -42,7 +42,7 @@ integrated into Django. .. _django-transaction-hooks: https://pypi.python.org/pypi/django-transaction-hooks Password validation -~~~~~~~~~~~~~~~~~~~ +------------------- Django now offers password validation to help prevent the usage of weak passwords by users. The validation is integrated in the included password @@ -82,7 +82,7 @@ the included auth forms for your project, you could set, for example:: See :ref:`password-validation` for more details. Permission mixins for class-based views -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------- Django now ships with the mixins :class:`~django.contrib.auth.mixins.AccessMixin`, @@ -119,7 +119,7 @@ though: .. _django-braces: http://django-braces.readthedocs.org/en/latest/index.html New styling for ``contrib.admin`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- The admin sports a modern, flat design with new SVG icons which look perfect on HiDPI screens. It still provides a fully-functional experience to `YUI's @@ -129,7 +129,7 @@ degradation. .. _YUI's A-grade: https://github.com/yui/yui3/wiki/Graded-Browser-Support Running tests in parallel -~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------- The :djadmin:`test` command now supports a :option:`--parallel <test --parallel>` option to run a project's tests in multiple processes in parallel. @@ -144,10 +144,10 @@ This option is enabled by default for Django's own test suite provided: - the database backend supports it (all the built-in backends but Oracle) Minor features -~~~~~~~~~~~~~~ +-------------- :mod:`django.contrib.admin` -^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Admin views now have ``model_admin`` or ``admin_site`` attributes. @@ -185,13 +185,13 @@ Minor features * JavaScript slug generation now supports Romanian characters. :mod:`django.contrib.admindocs` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The model section of the ``admindocs`` now also describes methods that take arguments, rather than ignoring them. :mod:`django.contrib.auth` -^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~ * The default iteration count for the PBKDF2 password hasher has been increased by 20%. This backwards compatible change will not affect users who have @@ -219,14 +219,14 @@ Minor features ``extra_email_context`` parameter. :mod:`django.contrib.contenttypes` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * It's now possible to use :attr:`~django.db.models.Options.order_with_respect_to` with a ``GenericForeignKey``. :mod:`django.contrib.gis` -^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~ * All ``GeoQuerySet`` methods have been deprecated and replaced by :doc:`equivalent database functions </ref/contrib/gis/functions>`. As soon @@ -259,7 +259,7 @@ Minor features from 2.13 to 2.13.1. :mod:`django.contrib.postgres` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Added support for the :lookup:`rangefield.contained_by` lookup for some built in fields which correspond to the range fields. @@ -272,7 +272,7 @@ Minor features function. :mod:`django.contrib.sessions` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * The session model and ``SessionStore`` classes for the ``db`` and ``cached_db`` backends are refactored to allow a custom database session @@ -280,7 +280,7 @@ Minor features :ref:`extending-database-backed-session-engines` for more details. :mod:`django.contrib.sites` -^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~ * :func:`~django.contrib.sites.shortcuts.get_current_site` now handles the case where ``request.get_host()`` returns ``domain:port``, e.g. @@ -289,14 +289,14 @@ Minor features lookup is retried with the domain part only. :mod:`django.contrib.syndication` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Support for multiple enclosures per feed item has been added. If multiple enclosures are defined on a RSS feed, an exception is raised as RSS feeds, unlike Atom feeds, do not support multiple enclosures per feed item. Cache -^^^^^ +~~~~~ * ``django.core.cache.backends.base.BaseCache`` now has a ``get_or_set()`` method. @@ -306,7 +306,7 @@ Cache to better prevent caching. This was also added in Django 1.8.8. CSRF -^^^^ +~~~~ * The request header's name used for CSRF authentication can be customized with :setting:`CSRF_HEADER_NAME`. @@ -319,14 +319,14 @@ CSRF cross-origin unsafe requests (e.g. ``POST``) over HTTPS. Database backends -^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~ * The PostgreSQL backend (``django.db.backends.postgresql_psycopg2``) is also available as ``django.db.backends.postgresql``. The old name will continue to be available for backwards compatibility. File Storage -^^^^^^^^^^^^ +~~~~~~~~~~~~ * :meth:`Storage.get_valid_name() <django.core.files.storage.Storage.get_valid_name>` is now called when @@ -336,7 +336,7 @@ File Storage Python 3. Forms -^^^^^ +~~~~~ * :class:`~django.forms.ModelForm` accepts the new ``Meta`` option ``field_classes`` to customize the type of the fields. See @@ -368,7 +368,7 @@ Forms :meth:`~django.forms.Field.get_bound_field()` method. Generic Views -^^^^^^^^^^^^^ +~~~~~~~~~~~~~ * Class-based views generated using ``as_view()`` now have ``view_class`` and ``view_initkwargs`` attributes. @@ -378,7 +378,7 @@ Generic Views of methods <decorating-class-based-views>`. Internationalization -^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~ * The :func:`django.views.i18n.set_language` view now properly redirects to :ref:`translated URLs <url-internationalization>`, when available. @@ -414,7 +414,7 @@ Internationalization * Two new languages are available: Colombian Spanish and Scottish Gaelic. Management Commands -^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~ * The new :djadmin:`sendtestemail` command lets you send a test email to easily confirm that email sending through Django is working. @@ -447,7 +447,7 @@ Management Commands ``--no-input`` as an alias for that option. Migrations -^^^^^^^^^^ +~~~~~~~~~~ * Initial migrations are now marked with an :attr:`initial = True <django.db.migrations.Migration.initial>` class attribute which allows @@ -478,7 +478,7 @@ Migrations migration from which migrations will be squashed. Models -^^^^^^ +~~~~~~ * :meth:`QuerySet.bulk_create() <django.db.models.query.QuerySet.bulk_create>` now works on proxy models. @@ -550,7 +550,7 @@ Models ``bulk_create()``. Requests and Responses -^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~ * Unless :attr:`HttpResponse.reason_phrase <django.http.HttpResponse.reason_phrase>` is explicitly set, it now is @@ -594,7 +594,7 @@ Requests and Responses the requested URL. Templates -^^^^^^^^^ +~~~~~~~~~ * Template tags created with the :meth:`~django.template.Library.simple_tag` helper can now store results in a template variable by using the ``as`` @@ -638,7 +638,7 @@ Templates rendering, speeding up reuse in places such as for loops. Tests -^^^^^ +~~~~~ * Added the :meth:`json() <django.test.Response.json>` method to test client responses to give access to the response body as JSON. @@ -649,7 +649,7 @@ Tests :meth:`~django.test.Client.login()`. URLs -^^^^ +~~~~ * Regular expression lookaround assertions are now allowed in URL patterns. @@ -661,7 +661,7 @@ URLs * System checks have been added for common URL pattern mistakes. Validators -^^^^^^^^^^ +~~~~~~~~~~ * Added :func:`django.core.validators.int_list_validator` to generate validators of strings containing integers separated with a custom character. @@ -684,7 +684,7 @@ Backwards incompatible changes in 1.9 may appear as a backwards incompatible change. Database backend API -~~~~~~~~~~~~~~~~~~~~ +-------------------- * A couple of new tests rely on the ability of the backend to introspect column defaults (returning the result as ``Field.default``). You can set the @@ -729,13 +729,13 @@ Database backend API ``DatabaseCreation.get_test_db_clone_settings()``. Default settings that were tuples are now lists -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------- The default settings in ``django.conf.global_settings`` were a combination of lists and tuples. All settings that were formerly tuples are now lists. ``is_usable`` attribute on template loaders is removed -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------ Django template loaders previously required an ``is_usable`` attribute to be defined. If a loader was configured in the template settings and this attribute @@ -745,7 +745,7 @@ attribute is now removed and the egg loader instead fails at runtime if setuptools is not installed. Related set direct assignment -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------- Direct assignment of related objects in the ORM used to perform a ``clear()`` followed by a call to ``add()``. This caused needlessly large data changes and @@ -764,7 +764,7 @@ assignment for many-to-many relations and as a consequence now use the new behavior. Filesystem-based template loaders catch more specific exceptions -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------------------------- When using the :class:`filesystem.Loader <django.template.loaders.filesystem.Loader>` or :class:`app_directories.Loader <django.template.loaders.app_directories.Loader>` @@ -777,7 +777,7 @@ does not exist. All other situations result in the original ``IOError`` being raised. HTTP redirects no longer forced to absolute URIs -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------ Relative redirects are no longer converted to absolute URIs. :rfc:`2616` required the ``Location`` header in redirect responses to be an absolute URI, @@ -792,19 +792,19 @@ replaced by ``self.assertRedirects(response, '/some-url/')`` (unless the redirection specifically contained an absolute URL, of course). Dropped support for PostgreSQL 9.0 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------- Upstream support for PostgreSQL 9.0 ended in September 2015. As a consequence, Django 1.9 sets 9.1 as the minimum PostgreSQL version it officially supports. Dropped support for Oracle 11.1 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- Upstream support for Oracle 11.1 ended in August 2015. As a consequence, Django 1.9 sets 11.2 as the minimum Oracle version it officially supports. Bulk behavior of ``add()`` method of related managers -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------------- To improve performance, the ``add()`` methods of the related managers created by ``ForeignKey`` and ``GenericForeignKey`` changed from a series of @@ -813,7 +813,7 @@ that ``pre_save`` and ``post_save`` signals aren't sent anymore. You can use the ``bulk=False`` keyword argument to revert to the previous behavior. Template ``LoaderOrigin`` and ``StringOrigin`` are removed -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------------------------------- In previous versions of Django, when a template engine was initialized with debug as ``True``, an instance of ``django.template.loader.LoaderOrigin`` or @@ -827,7 +827,7 @@ Django 2.0. .. _default-logging-changes-19: Changes to the default logging configuration -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------------- To make it easier to write custom logging configurations, Django's default logging configuration no longer defines 'django.request' and 'django.security' @@ -846,7 +846,7 @@ If you are overriding Django's default logging, you should check to see how your configuration merges with the new defaults. ``HttpRequest`` details in error reporting -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------ It was redundant to display the full details of the :class:`~django.http.HttpRequest` each time it appeared as a stack frame @@ -861,7 +861,7 @@ traceback of the same structure as in the case of AJAX requests. The traceback details are rendered by the ``ExceptionReporter.get_traceback_text()`` method. Removal of time zone aware global adapters and converters for datetimes -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------------------------------- Django no longer registers global adapters and converters for managing time zone information on :class:`~datetime.datetime` values sent to the database as @@ -896,7 +896,7 @@ even if you're using :meth:`raw() <django.db.models.query.QuerySet.raw>` queries. The ORM takes care of managing time zone information. Template tag modules are imported when templates are configured -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------------- The :class:`~django.template.backends.django.DjangoTemplates` backend now performs discovery on installed template tag modules when instantiated. This @@ -908,7 +908,7 @@ rather than when a template with a :ttag:`{% load %}<load>` tag is first compiled. ``django.template.base.add_to_builtins()`` is removed -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------------- Although it was a private API, projects commonly used ``add_to_builtins()`` to make template tags and filters available without using the @@ -920,7 +920,7 @@ define built-in libraries via the ``'builtins'`` key of :setting:`OPTIONS .. _simple-tag-conditional-escape-fix: ``simple_tag`` now wraps tag output in ``conditional_escape`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------- In general, template tags do not autoescape their contents, and this behavior is :ref:`documented <tags-auto-escaping>`. For tags like @@ -961,7 +961,7 @@ Tags that follow these rules will be correct and safe whether they are run on Django 1.9+ or earlier. ``Paginator.page_range`` -~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------ :attr:`Paginator.page_range <django.core.paginator.Paginator.page_range>` is now an iterator instead of a list. @@ -974,7 +974,7 @@ Existing code that depends on ``list`` specific features, such as indexing, can be ported by converting the iterator into a ``list`` using ``list()``. Implicit ``QuerySet`` ``__in`` lookup removed -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------- In earlier versions, queries such as:: @@ -992,7 +992,7 @@ subquery returns multiple results, at least some databases will throw an error. .. _admin-browser-support-19: ``contrib.admin`` browser support -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- The admin no longer supports Internet Explorer 8 and below, as these browsers have reached end-of-life. @@ -1015,7 +1015,7 @@ a Django application with this structure:: .. _syntax-error-old-setuptools-django-19: ``SyntaxError`` when installing Django setuptools 5.5.x -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------- When installing Django 1.9+ with setuptools 5.5.x, you'll see:: @@ -1037,7 +1037,7 @@ using pip, you can upgrade pip using ``pip install -U pip`` which will also upgrade setuptools. Miscellaneous -~~~~~~~~~~~~~ +------------- * The jQuery static files in ``contrib.admin`` have been moved into a ``vendor/jquery`` subdirectory. @@ -1158,7 +1158,7 @@ Features deprecated in 1.9 ========================== ``assignment_tag()`` -~~~~~~~~~~~~~~~~~~~~ +-------------------- Django 1.4 added the ``assignment_tag`` helper to ease the creation of template tags that store results in a template variable. The @@ -1167,7 +1167,7 @@ ability, making the ``assignment_tag`` obsolete. Tags that use ``assignment_tag`` should be updated to use ``simple_tag``. ``{% cycle %}`` syntax with comma-separated arguments -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------------- The :ttag:`cycle` tag supports an inferior old syntax from previous Django versions: @@ -1180,7 +1180,7 @@ Its parsing caused bugs with the current syntax, so support for the old syntax will be removed in Django 1.10 following an accelerated deprecation. ``ForeignKey`` and ``OneToOneField`` ``on_delete`` argument -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------------------------- In order to increase awareness about cascading model deletion, the ``on_delete`` argument of ``ForeignKey`` and ``OneToOneField`` will be required @@ -1193,7 +1193,7 @@ can also pass it as the second positional argument if you don't care about compatibility with older versions of Django. ``Field.rel`` changes -~~~~~~~~~~~~~~~~~~~~~ +--------------------- ``Field.rel`` and its methods and attributes have changed to match the related fields API. The ``Field.rel`` attribute is renamed to ``remote_field`` and many @@ -1202,7 +1202,7 @@ of its methods and attributes are either changed or renamed. The aim of these changes is to provide a documented API for relation fields. ``GeoManager`` and ``GeoQuerySet`` custom methods -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------- All custom ``GeoQuerySet`` methods (``area()``, ``distance()``, ``gml()``, ...) have been replaced by equivalent geographic expressions in annotations (see in @@ -1212,7 +1212,7 @@ methods, you can simply remove the ``objects = GeoManager()`` lines from your models. Template loader APIs have changed -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- Django template loaders have been updated to allow recursive template extending. This change necessitated a new template loader API. The old @@ -1221,7 +1221,7 @@ Details about the new API can be found :ref:`in the template loader documentation <custom-template-loaders>`. Passing a 3-tuple or an ``app_name`` to :func:`~django.conf.urls.include()` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------------------------------- The instance namespace part of passing a tuple as an argument to ``include()`` has been replaced by passing the ``namespace`` argument to ``include()``. For @@ -1290,7 +1290,7 @@ is deprecated. Instead, pass ``admin.site.urls`` directly to ] URL application namespace required if setting an instance namespace -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------------------------------- In the past, an instance namespace without an application namespace would serve the same purpose as the application namespace, but it was @@ -1299,7 +1299,7 @@ with the same name. Includes that specify an instance namespace require that the included URLconf sets an application namespace. ``current_app`` parameter to ``contrib.auth`` views -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------------- All views in ``django.contrib.auth.views`` have the following structure:: @@ -1317,14 +1317,14 @@ consistency, these views will require the caller to set ``current_app`` on the ``request`` instead of passing it in a separate argument. ``django.contrib.gis.geoip`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- The :mod:`django.contrib.gis.geoip2` module supersedes ``django.contrib.gis.geoip``. The new module provides a similar API except that it doesn't provide the legacy GeoIP-Python API compatibility methods. Miscellaneous -~~~~~~~~~~~~~ +------------- * The ``weak`` argument to ``django.dispatch.signals.Signal.disconnect()`` has been deprecated as it has no effect. diff --git a/docs/releases/security.txt b/docs/releases/security.txt index f6f2534baa..cbd5585244 100644 --- a/docs/releases/security.txt +++ b/docs/releases/security.txt @@ -1,5 +1,3 @@ -.. _security-releases: - ========================== Archive of security issues ========================== @@ -40,24 +38,24 @@ security process in use. For these, new releases may not have been issued at the time and CVEs may not have been assigned. August 16, 2006 - CVE-2007-0404 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- `CVE-2007-0404 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&cid=3>`_: Filename validation issue in translation framework. `Full description <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 0.90 `(patch) <https://github.com/django/django/commit/518d406e53>`__ * Django 0.91 `(patch) <https://github.com/django/django/commit/518d406e53>`__ * Django 0.95 `(patch) <https://github.com/django/django/commit/a132d411c6>`__ (released January 21 2007) January 21, 2007 - CVE-2007-0405 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- `CVE-2007-0405 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&cid=3>`_: Apparent "caching" of authenticated user. `Full description <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 0.95 `(patch) <https://github.com/django/django/commit/e89f0a6558>`__ @@ -68,179 +66,179 @@ All other security issues have been handled under versions of Django's security process. These are listed below. October 26, 2007 - CVE-2007-5712 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- `CVE-2007-5712 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&cid=3>`_: Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 0.91 `(patch) <https://github.com/django/django/commit/8bc36e726c9e8c75c681d3ad232df8e882aaac81>`__ * Django 0.95 `(patch) <https://github.com/django/django/commit/412ed22502e11c50dbfee854627594f0e7e2c234>`__ * Django 0.96 `(patch) <https://github.com/django/django/commit/7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f>`__ May 14, 2008 - CVE-2008-2302 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- `CVE-2008-2302 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&cid=3>`_: XSS via admin login redirect. `Full description <https://www.djangoproject.com/weblog/2008/may/14/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 0.91 `(patch) <https://github.com/django/django/commit/50ce7fb57d>`__ * Django 0.95 `(patch) <https://github.com/django/django/commit/50ce7fb57d>`__ * Django 0.96 `(patch) <https://github.com/django/django/commit/7791e5c050>`__ September 2, 2008 - CVE-2008-3909 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- `CVE-2008-3909 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&cid=3>`_: CSRF via preservation of POST data during admin login. `Full description <https://www.djangoproject.com/weblog/2008/sep/02/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 0.91 `(patch) <https://github.com/django/django/commit/44debfeaa4473bd28872c735dd3d9afde6886752>`__ * Django 0.95 `(patch) <https://github.com/django/django/commit/aee48854a164382c655acb9f18b3c06c3d238e81>`__ * Django 0.96 `(patch) <https://github.com/django/django/commit/7e0972bded362bc4b851c109df2c8a6548481a8e>`__ July 28, 2009 - CVE-2009-2659 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------- `CVE-2009-2659 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&cid=3>`_: Directory-traversal in development server media handler. `Full description <https://www.djangoproject.com/weblog/2009/jul/28/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 0.96 `(patch) <https://github.com/django/django/commit/da85d76fd6>`__ * Django 1.0 `(patch) <https://github.com/django/django/commit/df7f917b7f>`__ October 9, 2009 - CVE-2009-3965 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- `CVE-2009-3965 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&cid=3>`_: Denial-of-service via pathological regular expression performance. `Full description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.0 `(patch) <https://github.com/django/django/commit/594a28a904>`__ * Django 1.1 `(patch) <https://github.com/django/django/commit/e3e992e18b>`__ September 8, 2010 - CVE-2010-3082 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- `CVE-2010-3082 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&cid=3>`_: XSS via trusting unsafe cookie value. `Full description <https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.2 `(patch) <https://github.com/django/django/commit/7f84657b6b>`__ December 22, 2010 - CVE-2010-4534 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- `CVE-2010-4534 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&cid=3>`_: Information leakage in administrative interface. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.1 `(patch) <https://github.com/django/django/commit/17084839fd>`__ * Django 1.2 `(patch) <https://github.com/django/django/commit/85207a245b>`__ December 22, 2010 - CVE-2010-4535 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- `CVE-2010-4535 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&cid=2>`_: Denial-of-service in password-reset mechanism. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.1 `(patch) <https://github.com/django/django/commit/7f8dd9cbac>`__ * Django 1.2 `(patch) <https://github.com/django/django/commit/d5d8942a16>`__ February 8, 2011 - CVE-2011-0696 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- `CVE-2011-0696 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&cid=2>`_: CSRF via forged HTTP headers. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.1 `(patch) <https://github.com/django/django/commit/408c5c873c>`__ * Django 1.2 `(patch) <https://github.com/django/django/commit/818e70344e>`__ February 8, 2011 - CVE-2011-0697 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- `CVE-2011-0697 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&cid=2>`_: XSS via unsanitized names of uploaded files. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.1 `(patch) <https://github.com/django/django/commit/1966786d2d>`__ * Django 1.2 `(patch) <https://github.com/django/django/commit/1f814a9547>`__ February 8, 2011 - CVE-2011-0698 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- `CVE-2011-0698 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&cid=2>`_: Directory-traversal on Windows via incorrect path-separator handling. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.1 `(patch) <https://github.com/django/django/commit/570a32a047>`__ * Django 1.2 `(patch) <https://github.com/django/django/commit/194566480b>`__ September 9, 2011 - CVE-2011-4136 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- `CVE-2011-4136 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&cid=2>`_: Session manipulation when using memory-cache-backed session. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.2 `(patch) <https://github.com/django/django/commit/ac7c3a110f>`__ * Django 1.3 `(patch) <https://github.com/django/django/commit/fbe2eead2f>`__ September 9, 2011 - CVE-2011-4137 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- `CVE-2011-4137 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&cid=2>`_: Denial-of-service via via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.2 `(patch) <https://github.com/django/django/commit/7268f8af86>`__ * Django 1.3 `(patch) <https://github.com/django/django/commit/1a76dbefdf>`__ September 9, 2011 - CVE-2011-4138 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- `CVE-2011-4138 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&cid=2>`_: Information leakage/arbitrary request issuance via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.2: `(patch) <https://github.com/django/django/commit/7268f8af86>`__ * Django 1.3: `(patch) <https://github.com/django/django/commit/1a76dbefdf>`__ September 9, 2011 - CVE-2011-4139 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- `CVE-2011-4139 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&cid=2>`_: ``Host`` header cache poisoning. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.2 `(patch) <https://github.com/django/django/commit/c613af4d64>`__ * Django 1.3 `(patch) <https://github.com/django/django/commit/2f7fadc38e>`__ September 9, 2011 - CVE-2011-4140 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- `CVE-2011-4140 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140&cid=2>`_: Potential CSRF via ``Host`` header. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ This notification was an advisory only, so no patches were issued. @@ -248,165 +246,165 @@ This notification was an advisory only, so no patches were issued. * Django 1.3 July 30, 2012 - CVE-2012-3442 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------- `CVE-2012-3442 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3442&cid=2>`_: XSS via failure to validate redirect scheme. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.3: `(patch) <https://github.com/django/django/commit/4dea4883e6c50d75f215a6b9bcbd95273f57c72d>`__ * Django 1.4: `(patch) <https://github.com/django/django/commit/e34685034b60be1112160e76091e5aee60149fa1>`__ July 30, 2012 - CVE-2012-3443 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------- `CVE-2012-3443 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3443&cid=2>`_: Denial-of-service via compressed image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.3: `(patch) <https://github.com/django/django/commit/b2eb4787a0fff9c9993b78be5c698e85108f3446>`__ * Django 1.4: `(patch) <https://github.com/django/django/commit/c14f325c4eef628bc7bfd8873c3a72aeb0219141>`__ July 30, 2012 - CVE-2012-3444 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------- `CVE-2012-3444 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3444&cid=2>`_: Denial-of-service via large image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.3 `(patch) <https://github.com/django/django/commit/9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/da33d67181b53fe6cc737ac1220153814a1509f6>`__ October 17, 2012 - CVE-2012-4520 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- `CVE-2012-4520 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4520&cid=2>`_: ``Host`` header poisoning. `Full description <https://www.djangoproject.com/weblog/2012/oct/17/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.3 `(patch) <https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3>`__ December 10, 2012 - No CVE 1 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- Additional hardening of ``Host`` header handling. `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.3 `(patch) <https://github.com/django/django/commit/2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/319627c184e71ae267d6b7f000e293168c7b6e09>`__ December 10, 2012 - No CVE 2 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- Additional hardening of redirect validation. `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.3: `(patch) <https://github.com/django/django/commit/1515eb46daa0897ba5ad5f0a2db8969255f1b343>`__ * Django 1.4: `(patch) <https://github.com/django/django/commit/b2ae0a63aeec741f1e51bac9a95a27fd635f9652>`__ February 19, 2013 - No CVE -~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------- Additional hardening of ``Host`` header handling. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.3 `(patch) <https://github.com/django/django/commit/27cd872e6e36a81d0bb6f5b8765a1705fecfc253>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/9936fdb11d0bbf0bd242f259bfb97bbf849d16f8>`__ February 19, 2013 - CVE-2013-1664/1665 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------------- `CVE-2013-1664 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1664&cid=2>`_ and `CVE-2013-1665 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1665&cid=2>`_: Entity-based attacks against Python XML libraries. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.3 `(patch) <https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40>`__ February 19, 2013 - CVE-2013-0305 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- `CVE-2013-0305 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0305&cid=2>`_: Information leakage via admin history log. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.3 `(patch) <https://github.com/django/django/commit/d3a45e10c8ac8268899999129daa27652ec0da35>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/0e7861aec73702f7933ce2a93056f7983939f0d6>`__ February 19, 2013 - CVE-2013-0306 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- `CVE-2013-0306 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0306&cid=2>`_: Denial-of-service via formset ``max_num`` bypass. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.3 `(patch) <https://github.com/django/django/commit/d7094bbce8cb838f3b40f504f198c098ff1cf727>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/0cc350a896f70ace18280410eb616a9197d862b0>`__ August 13, 2013 - CVE-2013-4249 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- `CVE-2013-4249 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4249&cid=2>`_: XSS via admin trusting ``URLField`` values. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.5 `(patch) <https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78>`__ August 13, 2013 - CVE-2013-6044 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- `CVE-2013-6044 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6044&cid=2>`_: Possible XSS via unvalidated URL redirect schemes. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.4 `(patch) <https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a>`__ * Django 1.5 `(patch) <https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f>`__ September 10, 2013 - CVE-2013-4315 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------- `CVE-2013-4315 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4315&cid=2>`_ Directory-traversal via ``ssi`` template tag. `Full description <https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.4 `(patch) <https://github.com/django/django/commit/87d2750b39f6f2d54b7047225521a44dcd37e896>`__ * Django 1.5 `(patch) <https://github.com/django/django/commit/988b61c550d798f9a66d17ee0511fb7a9a7f33ca>`__ September 14, 2013 - CVE-2013-1443 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------- CVE-2013-1443: Denial-of-service via large passwords. `Full description <https://www.djangoproject.com/weblog/2013/sep/15/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.4 `(patch <https://github.com/django/django/commit/3f3d887a6844ec2db743fee64c9e53e04d39a368>`__ and `Python compatibility fix) <https://github.com/django/django/commit/6903d1690a92aa040adfb0c8eb37cf62e4206714>`__ * Django 1.5 `(patch) <https://github.com/django/django/commit/22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc>`__ April 21, 2014 - CVE-2014-0472 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------ `CVE-2014-0472 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0472&cid=2>`_: Unexpected code execution using ``reverse()``. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.4 `(patch) <https://github.com/django/django/commit/c1a8c420fe4b27fb2caf5e46d23b5712fc0ac535>`__ * Django 1.5 `(patch) <https://github.com/django/django/commit/2a5bcb69f42b84464b24b5c835dca6467b6aa7f1>`__ @@ -414,12 +412,12 @@ Versions affected * Django 1.7 `(patch) <https://github.com/django/django/commit/546740544d7f69254a67b06a3fc7fa0c43512958>`__ April 21, 2014 - CVE-2014-0473 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------ `CVE-2014-0473 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0473&cid=2>`_: Caching of anonymous pages could reveal CSRF token. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.4 `(patch) <https://github.com/django/django/commit/1170f285ddd6a94a65f911a27788ba49ca08c0b0>`__ * Django 1.5 `(patch) <https://github.com/django/django/commit/6872f42757d7ef6a97e0b6ec5db4d2615d8a2bd8>`__ @@ -427,12 +425,12 @@ Versions affected * Django 1.7 `(patch) <https://github.com/django/django/commit/380545bf85cbf17fc698d136815b7691f8d023ca>`__ April 21, 2014 - CVE-2014-0474 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------ `CVE-2014-0474 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0474&cid=2>`_: MySQL typecasting causes unexpected query results. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.4 `(patch) <https://github.com/django/django/commit/aa80f498de6d687e613860933ac58433ab71ea4b>`__ * Django 1.5 `(patch) <https://github.com/django/django/commit/985434fb1d6bf2335bf96c6ebf91c3674f1f399f>`__ @@ -440,12 +438,12 @@ Versions affected * Django 1.7 `(patch) <https://github.com/django/django/commit/34526c2f56b863c2103655a0893ac801667e86ea>`__ May 18, 2014 - CVE-2014-1418 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- `CVE-2014-1418 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1418&cid=2>`_: Caches may be allowed to store and serve private data. `Full description <https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.4 `(patch) <https://github.com/django/django/commit/28e23306aa53bbbb8fb87db85f99d970b051026c>`__ * Django 1.5 `(patch) <https://github.com/django/django/commit/4001ec8698f577b973c5a540801d8a0bbea1205b>`__ @@ -453,12 +451,12 @@ Versions affected * Django 1.7 `(patch) <https://github.com/django/django/commit/7fef18ba9e5a8b47bc24b5bb259c8bf3d3879f2a>`__ May 18, 2014 - CVE-2014-3730 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- `CVE-2014-3730 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3730&cid=2>`_: Malformed URLs from user input incorrectly validated. `Full description <https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.4 `(patch) <https://github.com/django/django/commit/7feb54bbae3f637ab3c4dd4831d4385964f574df>`__ * Django 1.5 `(patch) <https://github.com/django/django/commit/ad32c218850ad40972dcef57beb460f8c979dd6d>`__ @@ -466,12 +464,12 @@ Versions affected * Django 1.7 `(patch) <https://github.com/django/django/commit/e7b0cace455c2da24492660636bfd48c45a19cdf>`__ August 20, 2014 - CVE-2014-0480 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- `CVE-2014-0480 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0480&cid=2>`_: reverse() can generate URLs pointing to other hosts. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.4 `(patch) <https://github.com/django/django/commit/c2fe73133b62a1d9e8f7a6b43966570b14618d7e>`__ * Django 1.5 `(patch) <https://github.com/django/django/commit/45ac9d4fb087d21902469fc22643f5201d41a0cd>`__ @@ -479,12 +477,12 @@ Versions affected * Django 1.7 `(patch) <https://github.com/django/django/commit/bf650a2ee78c6d1f4544a875dcc777cf27fe93e9>`__ August 20, 2014 - CVE-2014-0481 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- `CVE-2014-0481 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0481&cid=2>`_: File upload denial of service. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.4 `(patch) <https://github.com/django/django/commit/30042d475bf084c6723c6217a21598d9247a9c41>`__ * Django 1.5 `(patch) <https://github.com/django/django/commit/26cd48e166ac4d84317c8ee6d63ac52a87e8da99>`__ @@ -492,12 +490,12 @@ Versions affected * Django 1.7 `(patch) <https://github.com/django/django/commit/3123f8452cf49071be9110e277eea60ba0032216>`__ August 20, 2014 - CVE-2014-0482 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- `CVE-2014-0482 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0482&cid=2>`_: RemoteUserMiddleware session hijacking. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.4 `(patch) <https://github.com/django/django/commit/c9e3b9949cd55f090591fbdc4a114fcb8368b6d9>`__ * Django 1.5 `(patch) <https://github.com/django/django/commit/dd68f319b365f6cb38c5a6c106faf4f6142d7d88>`__ @@ -505,12 +503,12 @@ Versions affected * Django 1.7 `(patch) <https://github.com/django/django/commit/1a45d059c70385fcd6f4a3955f3b4e4cc96d0150>`__ August 20, 2014 - CVE-2014-0483 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- `CVE-2014-0483 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0483&cid=2>`_: Data leakage via querystring manipulation in admin. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.4 `(patch) <https://github.com/django/django/commit/027bd348642007617518379f8b02546abacaa6e0>`__ * Django 1.5 `(patch) <https://github.com/django/django/commit/2a446c896e7c814661fb9c4f212b071b2a7fa446>`__ @@ -518,94 +516,94 @@ Versions affected * Django 1.7 `(patch) <https://github.com/django/django/commit/2b31342cdf14fc20e07c43d258f1e7334ad664a6>`__ January 13, 2015 - CVE-2015-0219 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- `CVE-2015-0219 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0219&cid=2>`_: WSGI header spoofing via underscore/dash conflation. `Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.4 `(patch) <https://github.com/django/django/commit/4f6fffc1dc429f1ad428ecf8e6620739e8837450>`__ * Django 1.6 `(patch) <https://github.com/django/django/commit/d7597b31d5c03106eeba4be14a33b32a5e25f4ee>`__ * Django 1.7 `(patch) <https://github.com/django/django/commit/41b4bc73ee0da7b2e09f4af47fc1fd21144c710f>`__ January 13, 2015 - CVE-2015-0220 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- `CVE-2015-0220 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0220&cid=2>`_: Mitigated possible XSS attack via user-supplied redirect URLs. `Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.4 `(patch) <https://github.com/django/django/commit/4c241f1b710da6419d9dca160e80b23b82db7758>`__ * Django 1.6 `(patch) <https://github.com/django/django/commit/72e0b033662faa11bb7f516f18a132728aa0ae28>`__ * Django 1.7 `(patch) <https://github.com/django/django/commit/de67dedc771ad2edec15c1d00c083a1a084e1e89>`__ January 13, 2015 - CVE-2015-0221 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- `CVE-2015-0221 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0221&cid=2>`_: Denial-of-service attack against ``django.views.static.serve()``. `Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.4 `(patch) <https://github.com/django/django/commit/d020da6646c5142bc092247d218a3d1ce3e993f7>`__ * Django 1.6 `(patch) <https://github.com/django/django/commit/553779c4055e8742cc832ed525b9ee34b174934f>`__ * Django 1.7 `(patch) <https://github.com/django/django/commit/818e59a3f0fbadf6c447754d202d88df025f8f2a>`__ January 13, 2015 - CVE-2015-0222 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-------------------------------- `CVE-2015-0222 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0222&cid=2>`_: Database denial-of-service with ``ModelMultipleChoiceField``. `Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.6 `(patch) <https://github.com/django/django/commit/d7a06ee7e571b6dad07c0f5b519b1db02e2a476c>`__ * Django 1.7 `(patch) <https://github.com/django/django/commit/bcfb47780ce7caecb409a9e9c1c314266e41d392>`__ March 9, 2015 - CVE-2015-2241 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------- `CVE-2015-2241 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2241&cid=2>`_: XSS attack via properties in ``ModelAdmin.readonly_fields``. `Full description <https://www.djangoproject.com/weblog/2015/mar/09/security-releases/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.7 `(patch) <https://github.com/django/django/commit/d16e4e1d6f95e6f46bff53cc4fd0ab398b8e5059>`__ * Django 1.8 `(patch) <https://github.com/django/django/commit/2654e1b93923bac55f12b4e66c5e39b16695ace5>`_ March 18, 2015 - CVE-2015-2316 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------ `CVE-2015-2316 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2316&cid=2>`_: Denial-of-service possibility with ``strip_tags()``. `Full description <https://www.djangoproject.com/weblog/2015/mar/18/security-releases/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.6 `(patch) <https://github.com/django/django/commit/b6b3cb9899214a23ebb0f4ebf0e0b300b0ee524f>`__ * Django 1.7 `(patch) <https://github.com/django/django/commit/e63363f8e075fa8d66326ad6a1cc3391cc95cd97>`__ * Django 1.8 `(patch) <https://github.com/django/django/commit/5447709a571cd5d95971f1d5d21d4a7edcf85bbd>`__ March 18, 2015 - CVE-2015-2317 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------ `CVE-2015-2317 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2317&cid=2>`_: Mitigated possible XSS attack via user-supplied redirect URLs. `Full description <https://www.djangoproject.com/weblog/2015/mar/18/security-releases/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.4 `(patch) <https://github.com/django/django/commit/2342693b31f740a422abf7267c53b4e7bc487c1b>`__ * Django 1.6 `(patch) <https://github.com/django/django/commit/5510f070711540aaa8d3707776cd77494e688ef9>`__ @@ -613,59 +611,59 @@ Versions affected * Django 1.8 `(patch) <https://github.com/django/django/commit/770427c2896a078925abfca2317486b284d22f04>`__ May 20, 2015 - CVE-2015-3982 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- `CVE-2015-3982 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3982&cid=2>`_: Fixed session flushing in the cached_db backend. `Full description <https://www.djangoproject.com/weblog/2015/may/20/security-release/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.8 `(patch) <https://github.com/django/django/commit/31cb25adecba930bdeee4556709f5a1c42d88fd6>`__ July 8, 2015 - CVE-2015-5143 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- `CVE-2015-5143 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5143&cid=2>`_: Denial-of-service possibility by filling session store. `Full description <https://www.djangoproject.com/weblog/2015/jul/08/security-releases/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.8 `(patch) <https://github.com/django/django/commit/66d12d1ababa8f062857ee5eb43276493720bf16>`__ * Django 1.7 `(patch) <https://github.com/django/django/commit/1828f4341ec53a8684112d24031b767eba557663>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/2e47f3e401c29bc2ba5ab794d483cb0820855fb9>`__ July 8, 2015 - CVE-2015-5144 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- `CVE-2015-5144 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5144&cid=2>`_: Header injection possibility since validators accept newlines in input. `Full description <https://www.djangoproject.com/weblog/2015/jul/08/security-releases/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.8 `(patch) <https://github.com/django/django/commit/574dd5e0b0fbb877ae5827b1603d298edc9bb2a0>`__ * Django 1.7 `(patch) <https://github.com/django/django/commit/ae49b4d994656bc037513dcd064cb9ce5bb85649>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/1ba1cdce7d58e6740fe51955d945b56ae51d072a>`__ July 8, 2015 - CVE-2015-5145 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- `CVE-2015-5145 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5145&cid=2>`_: Denial-of-service possibility in URL validation. `Full description <https://www.djangoproject.com/weblog/2015/jul/08/security-releases/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.8 `(patch) <https://github.com/django/django/commit/8f9a4d3a2bc42f14bb437defd30c7315adbff22c>`__ August 18, 2015 - CVE-2015-5963/CVE-2015-5964 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------------------- `CVE-2015-5963 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5963&cid=2>`_ and @@ -674,21 +672,21 @@ Denial-of-service possibility in ``logout()`` view by filling session store. `Full description <https://www.djangoproject.com/weblog/2015/aug/18/security-releases/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.8 `(patch) <https://github.com/django/django/commit/2eb86b01d7b59be06076f6179a454d0fd0afaff6>`__ * Django 1.7 `(patch) <https://github.com/django/django/commit/2f5485346ee6f84b4e52068c04e043092daf55f7>`__ * Django 1.4 `(patch) <https://github.com/django/django/commit/575f59f9bc7c59a5e41a081d1f5f55fc859c5012>`__ November 24, 2015 - CVE-2015-8213 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------------- `CVE-2015-8213 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8213&cid=2>`_: Settings leak possibility in ``date`` template filter. `Full description <https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/>`__ Versions affected ------------------ +~~~~~~~~~~~~~~~~~ * Django 1.8 `(patch) <https://github.com/django/django/commit/9f83fc2f66f5a0bac7c291aec55df66050bb6991>`__ * Django 1.7 `(patch) <https://github.com/django/django/commit/8a01c6b53169ee079cb21ac5919fdafcc8c5e172>`__ |
