path: root/django/contrib
Age | Commit message | Author
2026-06-17 | Fixed #37176 -- Made Action importable from django.contrib.admin. | Mariusz Felisiak
2026-06-16 | Fixed #37163 -- Optimized @user_passes_test async checking. | Adam Johnson
2026-06-11 | Fixed #36969, #35371 -- Reduced false positives in strings during collectstatic. | James Bligh
Thanks Johannes Maron for reviews.
2026-06-11 | Fixed #36979 -- Made GenericInlineModelAdmin.get_formset() use get_exclude(). | Manas225
2026-06-10 | Fixed #37142 -- Moved django_file_prefixes() to django.utils.warnings. | zhengkangyang
2026-06-05 | Fixed #36984 -- Made inline formset error messages respect delete_confirmation_max_display. | Karolis Ryselis
2026-06-02 | Updated source translation catalogs. | Jacob Walls
Forwardport of fcbbb1f920f7a7efb16a9871e8905b743447a939 from stable/6.1.x
2026-06-02 | Updated translations from Transifex. | Jacob Walls
Forwardport of dd895d6268f1dd544a565a321cb4527ca3ca1173 from stable/6.0.x.
2026-06-02 | Refs #36439 -- Added missing thread_sensitive=False to dummy password hasher path. | Jacob Walls
The existing user path also uses thread_sensitive=False in acheck_password(). Follow-up to 7f66c3b41f0fb0fb938d7b96e20a28dccdaa2ecd.
2026-06-01 | Refs #28800 -- Lifted some url functions from admindocs into urls.utils. | Chris Rose
2026-06-01 | Updated translations from Transifex. | Jacob Walls
Forwardport of 9969df4f360221fc408da1604f0369f7594a1818 from stable/6.0.x.
2026-06-01 | Fixed #36436 -- Made CookieStorage.signer attribute private. | Skyiesac
Co-authored-by: Sohail Ahmad <sohailahmed34280@gmail.com>
2026-05-28 | Fixed #36225 -- Coped with lack of get_by_natural_key() in createsuperuser. | babbitt
2026-05-27 | Fixed #37019 -- Updated login() and logout() to set request.auser. | vishwa
2026-05-26 | Bumped versions in pre-commit and npm configurations. | Jacob Walls
2026-05-22 | Fixed #37117 -- Used ModelAdmin.get_queryset() for change form actions. | Natalia
Refs #37105, #12090.
2026-05-20 | Increased the default PBKDF2 iterations for Django 6.2. | Sarah Boyce
2026-05-20 | Fixed #37091 -- Confirmed support for GDAL 3.13. | Milad Zarour
Thanks David Smith for reviews.
2026-05-20 | Fixed #36458 -- Trapped focus in the admin calendar and clock widgets. | Skyiesac
2026-05-20 | Refs #12090 -- Aligned admin change form and list minimum permission to run action. | Sarah Boyce
2026-05-20 | Fixed #37105 -- Disallowed admin change form actions on different objects. | Sarah Boyce
Bug in f30acb184f75fd9260cfd6ddc48a3bbbd49f9c1d. Refs #12090.
2026-05-18 | Fixed #36825 -- Extended admin templates so CSP nonce is included if available. | Johannes Maron
Error pages, admin, and registration templates were updated to use `{% csp_nonce %}` on their explicit `<script>`, `<link>`, and `<style>` HTML elements. Co-authored-by: Antoliny0919 <antoliny0919@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-05-13 | Fixed #37094 -- Replaced "Go" with "Run" in list_editable alert message. | Jacob Walls
Bug in 019acad112da3d00bb81b3022fd25ccd8457e5d9.
2026-05-13 | Fixed #12090 -- Added admin actions to the admin change form. | Marcelo Galigniana
Thank you to Benjamin Balder Bach and Jacob Walls for reviews. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2026-05-11 | Refs #36593 -- Deprecated setting ModelAdmin.list_select_related to True. | Adam Johnson
Now that calling `QuerySet.select_related()` without arguments is deprecated, this commit deprecates the corresponding admin features.
2026-05-11 | Refs #36593 -- Used explicit select_related() in admin history_view(). | Adam Johnson
This commit prepares for the deprecation of `QuerySet.select_related()` with no arguments by explicitly naming the fields to select in this view.
2026-05-11 | Refs #36593 -- Made ModelAdmin.list_select_related = False more efficient. | Adam Johnson
This change makes `list_select_related = False` avoid unnecessary joins by only selecting the related fields that are actually used in `list_display`. Consequently, it avoids one code path that calls `QuerySet.select_related()` with no arguments, which is targeted for deprecation.
2026-05-08 | Fixed #37074 -- Synced admin calendar today highlight with server time. | Aaryan P
2026-05-08 | Refs #36712, #36664 -- Used annotation_format parameter of getfullargspec() on Python 3.15. | Jacob Walls
https://github.com/python/cpython/pull/149457
2026-05-06 | Refs #36439 -- Added sync_to_async() to dummy password hasher path. | Jacob Walls
Since the existing user path eventually calls sync_to_async() in acheck_password, aim for parity with the nonexistent/inactive user branch by adding sync_to_async(). Follow-up to 748ca0a146175c4868ece87f5e845a75416c30e3.
2026-05-06 | Fixed #36300 -- Restored the semantic where RemoteUserMiddleware.header corresponds to request.META under ASGI. | Jacob Walls
Because these tests always passed both WSGI environ values and HTTP headers via `**extra`, this masked a behavior difference between WSGI and ASGI. What should happen: everything should be passed via `headers` but for the default REMOTE_USER case on WSGI, which should be passed via `**extra`. Since that was not done, a regression made it into Django 5.2 (50f89ae850f6b4e35819fe725a08c7e579bfd099) where `.header` no longer corresponded to the request.META key under ASGI. To cope, an ASGI user would have started(*) sending HTTP headers that match the `.header` attribute, which may or may not have been edited to remove the HTTP_ prefix. (Note: the default `REMOTE_USER` case did not work under ASGI, so the change in Django 5.2 had the effect of fixing the default case but changing the semantic of the custom case.) (*): Unless they were getting the sync execution path, which didn't have this bug. See the fix in 0f4fff79d33b7cc84822e66bd1fc16caf8222e3a. Thanks Mykhailo Havelia and Sarah Boyce for reviews.
2026-05-05 | Fixed #37053 -- Added validate=True to base64.b64decode() calls. | Sarah Boyce
2026-05-05 | Fixed CVE-2026-35192 -- Ensured Vary header is sent when setting session cookie with SESSION_SAVE_EVERY_REQUEST=True. | Jake Howard
Thank you Jacob Walls and Natalia Bidart for reviews.
2026-05-04 | Fixed #35971 -- Added RemoteUserMiddleware.get_username() helper. | Jacob Walls
This alleviates sync/async duplication.
2026-05-04 | Fixed #37079 -- Fixed specialization of header lookups in RemoteUserMiddleware. | Jacob Walls
We need to switch on whether the request is a WSGI or ASGI request to know whether to prepend `HTTP_`: we cannot assume sync execution means we are running under WSGI, as there could be other sync middleware forcing sync execution under ASGI. Thanks Mykhailo Havelia for the report.
2026-05-04 | Fixed #36459 -- Added aria-label to buttons in admin calendar and clock widgets. | Skyiesac
Thanks Eliana Rosselli for the review.
2026-05-01 | Refs #35303 -- Improved use of async methods in RemoteUserMiddleware. | Sarah Boyce
Co-authored-by: Arfey <Arfey17.mg@gmail.com>
2026-05-01 | Refs #689, #4015 -- Removed RemoteUserMiddleware updates to request.user/auser as handled by login(). | Sarah Boyce
Co-authored-by: Arfey <Arfey17.mg@gmail.com>
2026-05-01 | Refs #689 -- Made RemoteUserMiddleware ImproperlyConfigured error message handle subclasses. | Sarah Boyce
Co-authored-by: Arfey <Arfey17.mg@gmail.com>
2026-04-29 | Fixed #35951 -- Mentioned server timezone in admin DateTime widgets. | Vedran Karacic
The existing note that is shown to the users when entering a time value from a different timezone than the server's timezone was not descriptive enough and led to confusion. This commit updates the note to explicitly state that the user should enter times in the server's timezone.
2026-04-28 | Refs #15759 -- Fixed ModelAdmin.list_editable form submission for non-editable instances. | Artyom Kotovskiy
Added formset that excludes objects for which user has no permission for POST formset as well. Fixed regression test: the test was not simulating real behaviour properly. By providing full form data for the post request we skipped the part where the user was actually limited in permissions and only modified some of the rows. Improved tests by getting rid of obj.id % 2 approach for granting permissions per object for users, since it is not the safest. Instead granting permissions simply by 'alive' parameter, which is simpler and more stable. Bug in 84db026228413dda4cd195464554d51c0b208e32.
2026-04-28 | Fixed #36990 -- Bumped OpenLayers to 10.9.0. | VIZZARD-X
2026-04-27 | Fixed #36901 -- Centralized auth timing attack mitigations. | afenoum
Thank you Mar Bartolome and Tim Schilling for reviews.
2026-04-24 | Fixed #36542 -- Marked authenticate() with @sensitive_variables() decorator. | KANIN KEARPIMY
Thanks Olivier Dalang, Tim McCurrach, Sarah Boyce, and Mar Bartolome for reviews.
2026-04-22 | Fixed #10919 -- Added delete_confirmation_max_display to ModelAdmin. | Rodrigo Vieira
The new ModelAdmin.delete_confirmation_max_display attribute allows limiting the number of related objects shown on the delete confirmation page. When the limit is reached, a "…and N more objects." message is shown. The feature relies on a new truncated_unordered_list template filter added to django.contrib.admin.templatetags.admin_filters. Thanks Jacob Tyler Walls for the review and guidance, Tobias McNulty for the report, and terminator14 for the solution suggested.
2026-04-22 | Refs #10919 -- Refactored walk_items as module-level _walk_items and added truncated_unordered_list filter. | Rodrigo Vieira
2026-04-22 | Fixed #35870 -- Made blank choice label in forms more accessible. | Annabelle Wiegart
Added new constant django.db.models.fields.BLANK_CHOICE_LABEL for an accessible and translatable blank choice label in forms. Deprecated django.db.models.fields.BLANK_CHOICE_DASH constant. Added the immediately deprecated transitional setting USE_BLANK_CHOICE_DASH. Co-Authored-By: Marijke Luttekes <mail@marijkeluttekes.dev>
2026-04-22 | Fixed #35943 -- Replaced unload event listener with pagehide. | Amar
Co-authored-by: Peter van der Does <peter@oneilinteractive.com> Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-04-22 | Fixed #15759 -- Excluded fields by per-object permissions for ModelAdmin.list_editable. | Artyom Kotovskiy
Instead of going over all objects in a queryset and filtering by user permissions, added skipping while saving the formset so there is no need to refetch objects again.
2026-04-22 | Refs #15759 -- Factored out _save_formset() in ModelAdmin. | Artyom Kotovskiy