summaryrefslogtreecommitdiff
path: root/django/db/models
AgeCommit message (Collapse)Author
2026-04-28Fixed #36912 -- Added connector validation to Q.create().Anna Makarudze
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-04-22Fixed #37057 -- Adjusted UniqueConstraint handling of UNKNOWN condition.Simon Charette
When we adjusted UNKNOWN handling for CheckConstraint in refs #33996 we assumed that all usage of Q.check would benefit from this approach. However while CHECK constraints enforcement do ignore conditions involving NULL that resolve to UNKNOWN it's not the case for other type of constraints such as UNIQUE ones. Given how UNKNOWN should be treated depends on the callers context it appears that a better strategy for COALESCE wrapping is to force them to apply it if necessary. Thanks Drew Shapiro for the report.
2026-04-22Fixed #35870 -- Made blank choice label in forms more accessible.Annabelle Wiegart
Added new constant django.db.models.fields.BLANK_CHOICE_LABEL for an accessible and translatable blank choice label in forms. Deprecated django.db.models.fields.BLANK_CHOICE_DASH constant. Added the immediately deprecated transitional setting USE_BLANK_CHOICE_DASH. Co-Authored-By: Marijke Luttekes <mail@marijkeluttekes.dev>
2026-04-19Refs #28586 -- Added DEFAULT_FETCH_MODE module constant.Jacob Walls
This is a more attractive target for alteration than all of QuerySet.__init__().
2026-04-19Fixed #37047 -- Fixed crash in Query.orderby_issubset_groupby for descending ↵Anže Pečar
and random order_by strings. Run this example: ```python User.objects.values("is_staff").annotate(latest=Max("date_joined")).order_by("-latest").count() ``` You should see the following exception: ``` django.core.exceptions.FieldError: Cannot resolve keyword '-latest' into field. ``` Regression in 2ce5cb0f7a4618dfdc5f5c10e53e2e9b9543d298.
2026-04-18Fixed #37036 -- Added missing flat=True arg in DeferredAttribute.fetch_many().garybadwal
2026-04-18Fixed #37028 -- Added BitAnd(), BitOr(), and BitXor() aggregates.Mariusz Felisiak
2026-04-14Fixed #27150 -- Made base File objects truthy by default.VIZZARD-X
2026-04-03Fixed #37016 -- Avoided propagating invalid arguments from When() to Q().varunkasyap
2026-04-02Fixed #36973 -- Made fields.E348 check detect further clashes between ↵Clifford Gama
managers and related_names. Clashes were only detected for self-referential relationships, i.e. ForeignKey("self"). Refs #22977. Bug in 6888375c53476011754f778deabc6cdbfa327011. Thanks JaeHyuckSa for the thorough review!
2026-04-02Fixed #20024 -- Fixed handling of __in lookups with None in exclude().Eddy Adegnandjou
Thanks Simon Charette and Tim Graham for reviews, and Jason Hall for a prior iteration.
2026-03-24Refs #36494 -- Prevented crash in JSONField numeric lookups with expressions.Vignesh Anand
2026-03-19Refs #36795 -- Deprecated SQLCompiler.quote_name_unless_alias().Simon Charette
It has been superseded with .quote_name(), which ensures aliases are always quoted.
2026-03-19Fixed #36795 -- Enforced quoting of all database object names.Simon Charette
This ensures all database identifiers are quoted independently of their orign and most importantly that user provided aliases through annotate() and alias() which paves the way for dropping the allow list of characters such aliases can contain. This will require adjustments to raw SQL interfaces such as RawSQL that might make reference to ORM managed annotations as these will now be quoted. The `SQLCompiler.quote_name_unless_alias` method is kept for now as an alias for the newly introduced `.quote_name` method but will be duly deprecated in a follow up commit.
2026-03-18Fixed #36987 -- Observed prepared argument in UUIDField.get_db_prep_value().Jacob Walls
This avoids two isinstance() calls per UUID value.
2026-03-16Fixed #36906 -- Handled coalescing JSON-primitive strings and JSON values on ↵Kanin Kearpimy
Oracle.
2026-03-13Fixed #36927 -- Optimized Field.deconstruct().Adam Johnson
2026-03-12Fixed #36727 -- Deprecated Field.get_placeholder in favor of ↵Simon Charette
get_placeholder_sql. The lack of ability of the get_placeholder call chain to return SQL and parameters separated so they can be mogrified by the backend at execution time forced implementations to dangerously interpolate potentially user controlled values. The get_placeholder_sql name was chosen due to its proximity to the previous method, but other options such as Field.as_sql were considered but ultimately rejected due to its different input signature compared to Expression.as_sql that might have lead to confusion. There is a lot of overlap between what Field.get_db_prep_value and get_placeholder_sql do but folding the latter in the former would require changing its return signature to return expression which is a way more invasive change than what is proposed here. Given we always call get_db_prep_value it might still be an avenue worth exploring in the future to offer a publicly documented interface to allow field to take an active part in the compilation chain. Thanks Jacob for the review.
2026-03-12Encapsulated loop logic to avoid leaking module-level variables.Emmanuel Ferdman
2026-03-11Refs #28455 -- Avoided QuerySet cloning for Prefetch() when queryset is not ↵Keryn Knight
provided. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2026-03-11Refs #28455 -- Avoided QuerySet cloning in simple prefetch_related() usages.Keryn Knight
manager.get_queryset() always returns freshly instantiated per-instance QuerySet which doesn't need subsequent cloning. Based on work originally done by Anssi Kääriäinen and Tim Graham.
2026-03-11Refs #28455 -- Implemented private API methods for preventing QuerySet cloning.Keryn Knight
Multiple calls are idempotent assuming they're balanced. Also, multiple calls to disable cloning followed by a single call to re-enable cloning will subsequently cause clones to occur - it is not a stack, just a toggle. @contextlib.contextmanager is intentionally not used for performance reasons: - decorator takes 1.1µs to execute, or 2µs if used correctly in a `with ...:` statement - custom class takes 300ns to execute, or 900ns if used correctly in a `with ...:` statement Based on work originally done by Anssi Kääriäinen and Tim Graham.
2026-03-09Refactored PatternLookup to improve readability.Tim Graham
2026-03-08Added DatabaseFeatures.pattern_lookup_needs_param_pattern.Tim Graham
It's useful on MongoDB.
2026-03-02Refs #35381 -- Moved JSONNull to django.db.models.expressions.Clifford Gama
2026-02-28Added DatabaseOperations.convert_trunc_expression() hook.Tim Graham
Needed on MongoDB.
2026-02-27Refs #35972 -- Returned params in a tuple in further expressions.Jacob Walls
2026-02-13Fixed #36857 -- Added QuerySet.totally_ordered property.VIZZARD-X
Thanks Simon Charette for the idea.
2026-02-10Fixed #36903 -- Fixed further NameErrors when inspecting functions with ↵93578237
deferred annotations. Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
2026-02-10Fixed #36890 -- Supported StringAgg(distinct=True) on SQLite with the ↵varunkasyap
default delimiter.
2026-02-06Fixed #36644 -- Enabled empty order_by() to avoid pk ordering by first()/last().Nilesh Kumar Pahari
2026-02-06Refs #36644 -- Applied default ordering after union().Nilesh Kumar Pahari
2026-02-03Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases ↵Jacob Walls
contain periods. This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795.
2026-02-03Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via aliases ↵Jacob Walls
with periods. Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column. Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews.
2026-02-03Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via ↵Jake Howard
control characters. Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews.
2026-01-29Fixed #36847 -- Ensured auto_now_add fields are set on pre_save().Nilesh Kumar Pahari
Regression in 94680437a45a71c70ca8bd2e68b72aa1e2eff337. Refs #27222. During INSERT operations, `field.pre_save()` is called to prepare values for db insertion. The `add` param must be `True` for `auto_now_add` fields to be populated. The regression commit passed `False`, causing `auto_now_add` fields to remain `None` when used by other fields, such as `upload_to` callables. Thanks Ran Benita for the report.
2026-01-20Fixed #36030 -- Fixed precision loss in division of Decimal literals on SQLite.VIZZARD-X
Thanks Bob Kline for the review.
2026-01-18Applied Black's 2026 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/26.1.0
2026-01-16Fixed #36352 -- Improved error message for fields excluded by prior ↵JaeHyuck Sa
values()/values_list() calls. Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com>
2026-01-14Fixed #36821 -- Treated empty strings as NULL for iexact lookups on Oracle.JaeHyuck Sa
Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com>
2026-01-13Fixed #35442 -- Prevented N+1 queries in RelatedManager with only().Samriddha9619
Co-authored-by: Simon Charette <charette.s@gmail.com>
2026-01-12Fixed #36858 -- Optimized `Field._get_default()` for `db_default` case.Adam Johnson
Create and share a single instance of `DatabaseDefault` instead of making a new one each time the lambda is called. The quick benchmark on the ticket shows a ~12% speedup for a large `bulk_create()` operation.
2026-01-09Fixed #36815 -- Optimized insertion of db_default fields in bulk_create().YashRaj1506
Thanks Adam Sołtysik for the implementation idea.
2026-01-06Fixed #29257 -- Caught DatabaseError when attempting to close a possibly ↵VIZZARD-X
already-closed cursor.
2025-12-28Refs #24920 -- Made DecimalField system checks database dependent.Mariusz Felisiak
Thanks Tim Graham for the suggestion.
2025-12-22Fixed #36787 -- Fixed crash in In lookups with mixed expressions and strings.JaeHyuck Sa
Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com>
2025-12-22Fixed #36508 -- Interpreted __iexact=None on KeyTransforms as __exact=None.Clifford Gama
Thanks Jacob Walls for the report.
2025-12-22Fixed #36806 -- Added system check for null kwarg in GeneratedField.Nilesh Kumar Pahari
The null argument has no effect on GeneratedField since the nullability of the column depends on the database and expression used.
2025-12-19Fixed #36808 -- Required name argument in UniqueConstraint signature.Jonathan Biemond
By trading ValueError for TypeError for omitted name arguments, we gain a little clarity.
2025-12-18Fixed #36701 -- Fixed memory leak in ModelState.Samriddha9619