summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-05-06Refs #35514 -- Verified test runner swaps in testing email backend.Mike Edmunds
Added missing test to verify Django's test runner swaps in the locmem EmailBackend during tests. Extracted reusable mock_test_state() helper from SetupTestEnvironmentTests.test_allowed_hosts().
2026-05-06Refs #35514 -- Added error for missing EMAIL_FILE_PATH setting.Mike Edmunds
Replaced TypeError in `os.path.abspath(None)` with ImproperlyConfigured error when settings.EMAIL_FILE_PATH is required but missing.
2026-05-06Refs #35514 -- Added missing mail tests.Mike Edmunds
Added tests for: * BaseEmailBackend class. * EmailBackend support for fail_silently arg and unknown kwargs. * File backend support for EMAIL_FILE_PATH setting. * File backend configuration error reporting (where possible). * SMTP backend support for EMAIL_HOST and EMAIL_PORT settings. * SMTP backend use of ssl_certfile, ssl_keyfile, timeout options. * send_mail() return value. * send_mass_mail() basic behavior. * send_mail() and send_mass_mail() support for auth_user, auth_password, and fail_silently args. * get_connection() support for EMAIL_BACKEND setting and backend-specfic kwargs.
2026-05-06Refs #35514 -- Simplified mail tests.Mike Edmunds
* Removed unnecessary empty username/password args and unnecessary test email content. * Replaced monkeypatching with mock.patch. Minimized scope of patches. * Added missing assertions in some tests. * Cleaned up uses of assertTrue() and assertFalse(). * Removed implicit assumption in LocmemBackendTests that mail is always sent by the locmem backend during tests. * Made FileBackendTests tmp_dir cleanup more robust, and added helpers to simplify test cases. * Split FileBackendTests.test_sessions() into three distinct cases (and removed unrelated, duplicative verification of message content). * Used mock to simplify and improve accuracy of SMTP AUTH test. * Replaced `get_connection("mail.custombackend.EmailBackend")` with direct `custombackend.EmailBackend()` construction to avoid soon-to- be-deprecated usage of `get_connection(backend_path)` in cases that aren't trying to test creating a connection from an import path.
2026-05-06Refs #35514 -- Cleaned up mail tests.Mike Edmunds
* Renamed shared backend test case class to SharedEmailBackendTests, to avoid confusion with tests for the BaseEmailBackend. * Used consistent module references to mail functions (removed `mail.` from most uses; kept it for `mail.get_connection()`). * Used consistent `backend` variable name for EmailBackend instances in backend tests (matching most SMTP tests, replacing `connection` and `conn` in other tests). * Renamed some test cases for clarity. * Removed some unnecessary docstrings from test cases. * Reformatted some docstrings with nearby edits.
2026-05-06Fixed #36784 -- Added csp_nonce_attr template tag for CSP nonce inclusion.Natalia
New default tag `{% csp_nonce_attr %}` was added for explicit CSP nonce inclusion into `<script>` and `<link>` elements. `{% csp_nonce_attr %}` renders `nonce="<value>"` when `csp_nonce` is present in the template context, and renders nothing otherwise. `{% csp_nonce_attr media %}` renders a `Media` object's assets with the nonce attr applied to each tag. Thanks Jacob Walls for the accurate and spot on review comments. Co-authored-by: Johannes Maron <johannes@maron.family>
2026-05-06Refs #36620 -- Mentioned coverage workflow uses PostgreSQL.Jacob Walls
Before c507aaf9abeff4b93b7f9bdbc55801f2ccfc2d01, this workflow used to run on SQLite.
2026-05-06Refs #36439 -- Added sync_to_async() to dummy password hasher path.Jacob Walls
Since the existing user path eventually calls sync_to_async() in acheck_password, aim for parity with the nonexistent/inactive user branch by adding sync_to_async(). Follow-up to 748ca0a146175c4868ece87f5e845a75416c30e3.
2026-05-06Refs #36862 -- Clarified security note for RemoteUserMiddleware.Jacob Walls
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Co-authored-by: Jake Howard <git@theorangeone.net>
2026-05-06Fixed #36300 -- Restored the semantic where RemoteUserMiddleware.header ↵Jacob Walls
corresponds to request.META under ASGI. Because these tests always passed both WSGI environ values and HTTP headers via `**extra`, this masked a behavior difference between WSGI and ASGI. What should happen: everything should be passed via `headers` but for the default REMOTE_USER case on WSGI, which should be passed via `**extra`. Since that was not done, a regression made it into Django 5.2 (50f89ae850f6b4e35819fe725a08c7e579bfd099) where `.header` no longer corresponded to the request.META key under ASGI. To cope, an ASGI user would have started(*) sending HTTP headers that match the `.header` attribute, which may or may not have been edited to remove the HTTP_ prefix. (Note: the default `REMOTE_USER` case did not work under ASGI, so the change in Django 5.2 had the effect of fixing the default case but changing the semantic of the custom case.) (*): Unless they were getting the sync execution path, which didn't have this bug. See the fix in 0f4fff79d33b7cc84822e66bd1fc16caf8222e3a. Thanks Mykhailo Havelia and Sarah Boyce for reviews.
2026-05-06Replaced old PR quality comments when writing new ones.Jacob Walls
2026-05-05Fixed #37053 -- Added validate=True to base64.b64decode() calls.Sarah Boyce
2026-05-05Added CVE-2026-5766, CVE-2026-35192, and CVE-2026-6907 to security archive.Sarah Boyce
2026-05-05Added stub release notes for 6.0.6.Sarah Boyce
2026-05-05Fixed CVE-2026-6907 -- Prevented caching of requests when Vary header ↵Sarah Boyce
contains an asterisk. Thank you Ahmad Sadeddin for the report and Jacob Walls for the review.
2026-05-05Fixed CVE-2026-35192 -- Ensured Vary header is sent when setting session ↵Jake Howard
cookie with SESSION_SAVE_EVERY_REQUEST=True. Thank you Jacob Walls and Natalia Bidart for reviews.
2026-05-05Fixed CVE-2026-5766 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE in ↵Jacob Walls
MemoryFileUploadHandler on ASGI. In ASGI deployments, Content-Length is not guaranteed to reflect the actual request body size, so relying on it to gate memory allocation allowed the limit to be bypassed. The handler now enforces DATA_UPLOAD_MAX_MEMORY_SIZE regardless of the declared header value. Thanks to Kyle Agronick for the report. Refs #35289. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-05-04Fixed #36767 -- Allowed max redirect URL length to be set on ↵varunkasyap
HttpResponseRedirect.
2026-05-04Fixed #37039 -- Removed outdated note from QuerySet.iterator() docs.Manas225
2026-05-04Fixed #35971 -- Added RemoteUserMiddleware.get_username() helper.Jacob Walls
This alleviates sync/async duplication.
2026-05-04Fixed #37079 -- Fixed specialization of header lookups in RemoteUserMiddleware.Jacob Walls
We need to switch on whether the request is a WSGI or ASGI request to know whether to prepend `HTTP_`: we cannot assume sync exceution means we are running under WSGI, as there could be other sync middleware forcing sync execution under ASGI. Thanks Mykhailo Havelia for the report.
2026-05-04Fixed #37080 -- Filtered by generic deprecation warnings in runtests.py.HectorCastillo
2026-05-04Fixed #37078 -- Deprecated SHA-1 default for salted_hmac() and base64_hmac() ↵Denny Biasiolli
algorithm. Deprecated the default value of the algorithm argument in django.utils.crypto.salted_hmac() and django.core.signing.base64_hmac(), which will change from 'sha1' to 'sha256' in Django 7.0.
2026-05-04Removed hardcoded pks in annotations and delete_regress tests.Tim Graham
2026-05-04Fixed #36459 -- Added aria-label to buttons in admin calendar and clock widgets.Skyiesac
Thanks Eliana Rosselli for the review.
2026-05-02Removed integer pk assumption from file_uploads test.Tim Graham
The test was incompatible with MongoDB's bson.ObjectId.
2026-05-01Refs #35303 -- Improved use of async methods in RemoteUserMiddleware.Sarah Boyce
Co-authored-by: Arfey <Arfey17.mg@gmail.com>
2026-05-01Refs #35303 -- Added missing async RemoteUserMiddleware tests for custom ↵Sarah Boyce
RemoteUserBackend.
2026-05-01Refs #689, #4015 -- Removed RemoteUserMiddleware updates to ↵Sarah Boyce
request.user/auser as handled by login(). Co-authored-by: Arfey <Arfey17.mg@gmail.com>
2026-05-01Refs #689 -- Made RemoteUserMiddleware ImproperlyConfigured error message ↵Sarah Boyce
handle subclasses. Co-authored-by: Arfey <Arfey17.mg@gmail.com>
2026-04-30Fixed #37075 -- Allowed overriding the PostgreSQL pool's "check" callable.HEADmaininitial-branchRaoni Timo
Setting "check" in OPTIONS["pool"] previously raised TypeError because the PostgreSQL backend always passed check= to ConnectionPool() and unpacked **pool_options on top, regardless of CONN_HEALTH_CHECKS. The user's callable now takes precedence via setdefault(); pool_options is copied first to avoid mutating the user's settings dict.
2026-04-30Fixed typo in stub release notes for 5.2.14.Jacob Walls
2026-04-30Fixed #36919 -- Allowed Task and TaskResult to be pickled.varunkasyap
2026-04-29Refs #35738 -- Improved release note for '..' template deprecation.Adam Johnson
2026-04-29Fixed #16429 -- Extracted set_choices() method from FilePathField.__init__().TildaDares
2026-04-29Fixed #37067 -- Added trailing slash in django_file_prefixes().Fashad Ahmed
Ensure skip_file_prefixes does not match sibling packages like django*. Bug in f42b89f1bf49a5b89ed852b60f79342320a81c5e and 34bd3ed944bf38792c631b55e581963d44d52284.
2026-04-29Fixed #35951 -- Mentioned server timezone in admin DateTime widgets.Vedran Karacic
The existing note that is shown to the users when entering a time value from a different timezone than the server's timezone was not descriptive enough and led to confusion. This commit updates the note to explicitly state that the user should enter times in the server's timezone.
2026-04-28Refs CVE-2026-25674 -- Clarified role of umask in upload permissions.Shai Berger
2026-04-28Refs #15759 -- Fixed ModelAdmin.list_editable form submission for ↵Artyom Kotovskiy
non-editable instances. Added formset that excludes objects for which user has no permission for POST formset as well. Fixed regression test: the test was not simulating real behaviour properly. By providing full form data for the post request we skipped the part where the user was actually limited in permissions and only modified some of the rows. Improved tests by getting rid of obj.id % 2 approach for granting permissions per object for users, since it is not the safest. Instead granting permissions simply by 'alive' parameter, which is simpler and more stable. Bug in 84db026228413dda4cd195464554d51c0b208e32.
2026-04-28Fixed #36990 -- Bumped OpenLayers to 10.9.0.VIZZARD-X
2026-04-28Fixed #35738 -- Deprecated double-dot variable lookups.David Smith
2026-04-28Added stub release notes and release date for 6.0.5 and 5.2.14.Sarah Boyce
2026-04-28Fixed #36912 -- Added connector validation to Q.create().Anna Makarudze
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-04-27Refs #35514 -- Added warn_about_external_use() deprecation utility.Mike Edmunds
Implemented a new `warn_about_external_use()` helper to conditionally issue warnings depending on whether a deprecated feature is used from within Django. Fixed `LazySettings._show_deprecation_warning()` (Refs #26029) to work correctly when called from anywhere in `LazySettings`. Previously, it assumed a specific code path through `LazyObject.__getattribute__()` and an `@property` getter on `LazySettings`.
2026-04-27Moved QuerySet.extra() assertions to a separate test.Tim Graham
This allows backends that don't support extra() to skip it.
2026-04-27Fixed #36901 -- Centralized auth timing attack mitigations.afenoum
Thank you Mar Bartolome and Tim Schilling for reviews.
2026-04-25Refs #35007 -- Pinned exact biome version.Jacob Walls
Avoid drift against the following in biome.json: "$schema": "https://biomejs.dev/schemas/2.4.12/schema.json"
2026-04-24Fixed #36542 -- Marked authenticate() with @sensitive_variables() decorator.KANIN KEARPIMY
Thanks Olivier Dalang, Tim McCurrach, Sarah Boyce, and Mar Bartolome for reviews.
2026-04-24Reverted inadvertent changes to PK formatting in tests.Tim Graham
Bad conflict resolution in 63c56cda133a85a158502891c40465bc0331d3d9 reverted bits of d007fcf7291cc3c24d4545e23c759bde22b6a8a6.
2026-04-24Replaced references in docs to accepted PEPs with specific Python docs links.Mike Edmunds
Where the docs used `:pep:` links for established Python language features, replaced them with direct references to the Python docs (usually glossary terms).