| Age | Commit message | Author |
|
|
Thanks Johannes Maron for reviews.
|
|
delete_confirmation_max_display.
|
|
Forwardport of fcbbb1f920f7a7efb16a9871e8905b743447a939 from stable/6.1.x
|
|
Forwardport of dd895d6268f1dd544a565a321cb4527ca3ca1173 from stable/6.0.x.
|
|
path.
The existing user path also uses thread_sensitive=False in acheck_password().
Follow-up to 7f66c3b41f0fb0fb938d7b96e20a28dccdaa2ecd.
|
|
Forwardport of 9969df4f360221fc408da1604f0369f7594a1818 from stable/6.0.x.
|
|
Co-authored-by: Sohail Ahmad <sohailahmed34280@gmail.com>
|
|
Refs #37105, #12090.
|
|
Thanks David Smith for reviews.
|
|
action.
|
|
Bug in f30acb184f75fd9260cfd6ddc48a3bbbd49f9c1d. Refs #12090.
|
|
Error pages, admin, and registration templates were updated to use
`{% csp_nonce %}` on their explicit `<script>`, `<link>`, and `<style>`
HTML elements.
Co-authored-by: Antoliny0919 <antoliny0919@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
Bug in 019acad112da3d00bb81b3022fd25ccd8457e5d9.
|
|
Thank you to Benjamin Balder Bach and Jacob Walls for reviews.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
|
Now that calling `QuerySet.select_related()` without arguments is deprecated,
this commit deprecates the corresponding admin features.
|
|
This commit prepares for the deprecation of `QuerySet.select_related()` with no
arguments by explicitly naming the fields to select in this view.
|
|
This change makes `list_select_related = False` avoid unnecessary joins by only
selecting the related fields that are actually used in `list_display`.
Consequently, it avoids one code path that calls `QuerySet.select_related()`
with no arguments, which is targeted for deprecation.
|
|
on Python 3.15.
https://github.com/python/cpython/pull/149457
|
|
Since the existing user path eventually calls sync_to_async() in acheck_password,
aim for parity with the nonexistent/inactive user branch by adding sync_to_async().
Follow-up to 748ca0a146175c4868ece87f5e845a75416c30e3.
|
|
corresponds to request.META under ASGI.
Because these tests always passed both WSGI environ values and HTTP
headers via `**extra`, this masked a behavior difference between WSGI
and ASGI.
What should happen: everything should be passed via `headers` but for
the default REMOTE_USER case on WSGI, which should be passed via
`**extra`.
Since that was not done, a regression made it into Django 5.2
(50f89ae850f6b4e35819fe725a08c7e579bfd099) where `.header` no longer
corresponded to the request.META key under ASGI. To cope, an ASGI user
would have started(*) sending HTTP headers that match the `.header`
attribute, which may or may not have been edited to remove the HTTP_
prefix. (Note: the default `REMOTE_USER` case did not work under ASGI,
so the change in Django 5.2 had the effect of fixing the default case
but changing the semantic of the custom case.)
(*): Unless they were getting the sync execution path, which didn't have
this bug. See the fix in 0f4fff79d33b7cc84822e66bd1fc16caf8222e3a.
Thanks Mykhailo Havelia and Sarah Boyce for reviews.
|
|
cookie with SESSION_SAVE_EVERY_REQUEST=True.
Thank you Jacob Walls and Natalia Bidart for reviews.
|
|
This alleviates sync/async duplication.
|
|
We need to switch on whether the request is a WSGI or ASGI request to
know whether to prepend `HTTP_`: we cannot assume sync execution means
we are running under WSGI, as there could be other sync middleware
forcing sync execution under ASGI.
Thanks Mykhailo Havelia for the report.
|
|
Thanks Eliana Rosselli for the review.
|
|
Co-authored-by: Arfey <Arfey17.mg@gmail.com>
|
|
request.user/auser as handled by login().
Co-authored-by: Arfey <Arfey17.mg@gmail.com>
|
|
handle subclasses.
Co-authored-by: Arfey <Arfey17.mg@gmail.com>
|
|
The existing note that is shown to the users when entering a time value
from a different timezone than the server's timezone was not descriptive
enough and led to confusion. This commit updates the note to explicitly
state that the user should enter times in the server's timezone.
|
|
non-editable instances.
Added formset that excludes objects for which
user has no permission for POST formset as well.
Fixed regression test: the test was not simulating
real behaviour properly. By providing full form
data for the post request we skipped the part
where the user was actually limited in permissions
and only modified some of the rows.
Improved tests by getting rid of obj.id % 2
approach for granting permissions per object
for users, since it is not the safest.
Instead granting permissions simply by 'alive'
parameter, which is simpler and more stable.
Bug in 84db026228413dda4cd195464554d51c0b208e32.
|
|
Thank you Mar Bartolome and Tim Schilling for reviews.
|
|
Thanks Olivier Dalang, Tim McCurrach, Sarah Boyce, and Mar Bartolome for reviews.
|
|
The new ModelAdmin.delete_confirmation_max_display attribute allows
limiting the number of related objects shown on the delete confirmation
page. When the limit is reached, a "…and N more objects." message is shown.
The feature relies on a new truncated_unordered_list template filter
added to django.contrib.admin.templatetags.admin_filters.
Thanks Jacob Tyler Walls for the review and guidance, Tobias McNulty for the report,
and terminator14 for the solution suggested.
|
|
truncated_unordered_list filter.
|
|
Added new constant django.db.models.fields.BLANK_CHOICE_LABEL for
an accessible and translatable blank choice label in forms.
Deprecated django.db.models.fields.BLANK_CHOICE_DASH constant.
Added the immediately deprecated transitional setting
USE_BLANK_CHOICE_DASH.
Co-Authored-By: Marijke Luttekes <mail@marijkeluttekes.dev>
|
|
Co-authored-by: Peter van der Does <peter@oneilinteractive.com>
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
|
|
ModelAdmin.list_editable.
Instead of going over all objects in a queryset and filtering
by user permissions, added skipping while saving the formset
so there is no need to refetch objects again.
|
|