| Age | Commit message (Collapse) | Author |
|
|
|
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
|
|
Thanks Sarah Boyce and Jacob Walls for reviews.
Co-authored-by: Hrushikesh Vaidya <hrushikeshrv@gmail.com>
|
|
Co-authored-by: Simon Charette <charette.s@gmail.com>
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
|
|
Before, if no exception occurred, "None Type: None" was logged.
|
|
references from HTML truncation docs.
|
|
Visual regression in bc03f1064e10fa247a46d4e8a98ba9b26aa4790d.
|
|
ContentTypes.
|
|
|
|
icons in related-widget-wrapper.
|
|
encoding.
Added LookupError to the except clause so invalid headers are silently
skipped, consistent with other malformed header handling.
|
|
While working on https://github.com/typeddjango/django-stubs/pull/3114/changes#diff-c408a224a641ee1ad26789d61b19c64c44667c1feb8fce0d58aea0338844ca66R276-R278 we have noticed that loop variables leak into the module namespace.
It has two negative effects:
1. Users can access `smartif.op` and `smartif.key` public attrs, which is clearly not intenteded
2. We in `django-stubs` have to ignore these two objects from annotations
Let's remove them :)
|
|
|
|
model_class() is None.
Updated ContentType.app_labeled_name to include the app_label in its string representation.
This removed ambiguity for content types whose models were not present in the current codebase
(for example, when multiple applications share the same database).
Adjusted related tests to reflect the new representation.
|
|
Visual regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
|
|
failure on Oracle.
Oracle's SQL parser does not allow ORDER BY in components of a union in some
cases, so xfail this test until an exception can be raised.
|
|
containing only whitespace in admin.
|
|
Thanks Simon Charette for the idea.
|
|
Explicitly set the text color for the admin M2M widget to ensure
selected rows remain readable in browsers like Microsoft Edge and
Firefox when the widget was not focused.
|
|
`DatabaseOperations.check_expression_support()`.
|
|
Avoided reconstructing the same tuples on every call by defining them as module-level constants.
|
|
admin.
Regression in b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010.
|
|
|
|
deferred annotations.
Provide a wrapper for safe introspection of user functions on Python 3.14+.
Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
|
|
default delimiter.
|
|
|
|
Needed by MongoDB.
|
|
When dropping support for GEOS 3.13 the `GEOSCoordSeq_hasZ()` function will be available on all supported GEOS versions. Instead of the parent geometry providing the z dimension we can reply on GEOSCoordSeq functions directly. This will follow a similar implementation to what was done for the M dimension.
While it could be adopted earlier we would need to guess that geometries with 3 dimensions on GEOS < 3.14 are Z geometries.
|
|
|
|
Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com>
|
|
|
|
|
|
contain periods.
This prevents failures at the database layer, given that aliases in the
ON clause are not quoted.
Systematically quoting aliases even in FilteredRelation is tracked in
https://code.djangoproject.com/ticket/36795.
|
|
with periods.
Before, `order_by()` treated a period in a field name as a sign that it
was requested via `.extra(order_by=...)` and thus should be passed
through as raw table and column names, even if `extra()` was not used.
Since periods are permitted in aliases, this meant user-controlled
aliases could force the `order_by()` clause to resolve to a raw table
and column pair instead of the actual target field for the alias.
In practice, only `FilteredRelation` was affected, as the other
expressions we tested, e.g. `F`, aggressively optimize away the ordering
expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY
"table".column.
Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard
for reviews.
|
|
control characters.
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
|
|
django.utils.text.Truncator for HTML input.
The `TruncateHTMLParser` used `deque.remove()` to remove tags from the
stack when processing end tags. With crafted input containing many
unmatched end tags, this caused repeated full scans of the tag stack,
leading to quadratic time complexity.
The fix uses LIFO semantics, only removing a tag from the stack when it
matches the most recently opened tag. This avoids linear scans for
unmatched end tags and reduces complexity to linear time.
Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161.
Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for
reviews.
|
|
band index.
Thanks Tarek Nakkouch for the report, and Simon Charette for the initial
triage and review.
|
|
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and
Shai Berger for reviews.
|
|
auth handler.
Refs CVE-2024-39329, #20760.
Thanks Stackered for the report, and Jacob Walls and Markus Holtermann
for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
|
|
|
|
|
|
the admin.
Thanks Antoliny for the review.
Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
|
|
As Python 3.12 is now the floor, we can drop the shims and
use the `inspect` module.
|
|
the admin.
The issue manifested when there were multiple relations and only some
of them participated in a filter_horizontal.
Regression in cd0479ff764272add5e0aba2afcf5649a241ca00.
|
|
Instead of casting non-text fields to CharField (which prevents index
usage), skip exact lookups when the search term fails
formfield.to_python().
This preserves index usage for valid searches while gracefully handling
invalid search terms by simply not including them in the query for that
field.
For multi-term searches like 'foo 123' on search_fields=['name', 'age__exact']:
- 'foo': invalid for age, so only name lookup is used
- '123': valid for both, so both lookups are used
This entails a slight increase in permissiveness for search terms that
can be normalized by formfield.to_python().
|
|
Regression in 94680437a45a71c70ca8bd2e68b72aa1e2eff337. Refs #27222.
During INSERT operations, `field.pre_save()` is called to prepare values
for db insertion. The `add` param must be `True` for `auto_now_add`
fields to be populated. The regression commit passed `False`, causing
`auto_now_add` fields to remain `None` when used by other fields, such
as `upload_to` callables.
Thanks Ran Benita for the report.
|
|
Co-authored-by: Simon Charette <charette.s@gmail.com>
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
|
|
Ever since the beginning of Django's migration framework, there's been a
bit of an inconsistency on how index_together and unique_together values
have been stored on the ModelState[^1].
It's only really obvious, when looking at the current code for
`from_model()`[^2] and the `rename_field()` state alteration code[^3].
The problem in the autodetector's detection of the `*_together` options
as raised in the ticket, reinforces the inconsistency[^4]: the old value
is being normalized to a set of tuples, whereas the new value is taken
as-is.
Why this hasn't been caught before, is likely to the fact, that we
never really look at a `to_state` that comes from migration operations
in the autodetector. Instead, in both usages in Django[^5], [^6] the
`to_state` is a `ProjectState.from_apps()`. And that state is
consistently using sets of tuples and not lists of lists.
[^1]: https://github.com/django/django/commit/67dcea711e92025d0e8676b869b7ef15dbc6db73#diff-5dd147e9e978e645313dd99eab3a7bab1f1cb0a53e256843adb68aeed71e61dcR85-R87
[^2]: https://github.com/django/django/blob/b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010/django/db/migrations/state.py#L842
[^3]: https://github.com/django/django/blob/b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010/django/db/migrations/state.py#L340-L345
[^4]: https://github.com/django/django/blob/b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010/django/db/migrations/autodetector.py#L1757-L1771
[^5]: https://github.com/django/django/blob/2351c1b12cc9cf82d642f769c774bc3ea0cc4006/django/core/management/commands/makemigrations.py#L215-L219
[^6]: https://github.com/django/django/blob/2351c1b12cc9cf82d642f769c774bc3ea0cc4006/django/core/management/commands/migrate.py#L329-L332
|
|
|