summaryrefslogtreecommitdiff
path: root/django
AgeCommit message (Collapse)Author
2025-07-09Fixed typo in ReverseManyToOneDescriptor docstring.tinmarbusir
2025-07-09Refs #35844, #35945 -- Used asgiref.sync.iscoroutinefunction() instead of ↵Mariusz Felisiak
deprecated asyncio.iscoroutinefunction(). Follow up to bd3b1dfa2422e02ced3a894adb7544e42540c97d. Introduced in 2ae3044d9d4dfb8371055513e440e0384f211963. Fixes DeprecationWarning: 'asyncio.iscoroutinefunction' is deprecated and slated for removal in Python 3.16; use inspect.iscoroutinefunction() instead.
2025-07-03Refs #27236 -- Removed references to removed index_together migration methods.Clifford Gama
2025-07-01Fixed #35846 -- Ensured consistent path ordering in ↵Matthew Stell
ManifestStaticFilesStorage manifest files. This change reuses the existing sorting of `hashed_files` in `ManifestStaticFilesStorage.save_manifest` to also store a sorted `paths` mapping in the manifest file. This ensures stable manifest output that does not change unnecessarily.
2025-06-30Fixed #36464 -- Fixed "__in" tuple lookup on backends lacking native support.Simon Charette
When native support for tuple lookups is missing in a DB backend, it can be emulated with an EXISTS clause. This is controlled by the backend feature flag "supports_tuple_lookups". The mishandling of subquery right-hand side in `TupleIn` (added to support `CompositePrimaryKey` in Refs #373) was likely missed because the only core backend we test with the feature flag disabled (Oracle < 23.4) supports it natively. Thanks to Nandana Raol for the report, and to Sarah Boyce, Jacob Walls, and Natalia Bidart for reviews.
2025-06-27Refs #15727 -- Updated AdminSeleniumTestCase to use ↵Natalia
ContentSecurityPolicyMiddleware. Replaced the custom CSP middleware previously used in the admin's AdminSeleniumTestCase with the official ContentSecurityPolicyMiddleware. This change ensures alignment with Django's built-in CSP support. Also updates the test logic to inspect browser console logs to assert that no CSP violations are triggered during Selenium admin tests.
2025-06-27Fixed #15727 -- Added Content Security Policy (CSP) support.Rob Hudson
This initial work adds a pair of settings to configure specific CSP directives for enforcing or reporting policy violations, a new `django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the appropriate headers to responses, and a context processor to support CSP nonces in templates for safely inlining assets. Relevant documentation has been added for the 6.0 release notes, security overview, a new how-to page, and a dedicated reference section. Thanks to the multiple reviewers for their precise and valuable feedback. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-06-27Fixed #36366 -- Improved accessibility of pagination in the admin.antoliny0919
2025-06-27Fixed #35595, #35962 -- Removed indexes and constraints before fields in ↵wookkl
migrations.
2025-06-26Fixed #36478 -- Fixed inconsistent mail attachment handling.Mike Edmunds
Fixed an inconsistency between EmailMessage.attach() and .attachments when attaching bytes content with a text/* mimetype. The attach() function decodes UTF-8 bytes if possible and otherwise changes the mimetype to application/octet-stream to preserve the content's unknown encoding (refs #27007). Providing equivalent content directly in EmailMessage.attachments did not apply the same logic, leading to an "AttributeError: 'bytes' object has no attribute 'encode'" in SafeMIMEText.set_payload(). Updated EmailMessage._create_mime_attachment() to match attach()'s handling for text/* mimetypes with bytes content. Updated test cases to accurately cover behavior on both paths.
2025-06-25Fixed #36386 -- Added styles and icons for INFO and DEBUG messages in the admin.michalpokusa
2025-06-25Fixed #36471 -- Added support for __coveredby GIS lookup and Collect, ↵Mariusz Felisiak
GeoHash, IsValid on MariaDB 12.0.1+.
2025-06-23Fixed #35305 -- Avoided recreating constraints on fields renamed via db_column.Jacob Walls
2025-06-21Removed @skipIfDBFeature silencing of nonexistent features.Tim Graham
Follow up to f5df7ed7e62585c7d0289a88a327dab8d608efcf.
2025-06-20Removed @skipUnlessDBFeature silencing of nonexistent features.Tim Graham
This was added in 46c7707e50400e237cbd774a31ad801669ca3905 but is obsolete now that gis_tests are discovered separately. It's error-prone to ignore mistyped names.
2025-06-20Fixed #36152 -- Deprecated use of "%" in column aliases.Jacob Walls
Unintentional support existed only on SQLite and Oracle.
2025-06-19Refs #35038 -- Reduced CreateModel/AlterConstraint operations when ↵Jacob Walls
optimizing migrations.
2025-06-18Fixed #36465, Refs #35816 -- Disallowed '+' and '-' characters in template ↵haileyajohnson
variable names. Regression in 5183f7c287a9a5d61ca1103b55166cda52d9c647. Thank you to Jon Banafato and Baptiste Mispelon for the report.
2025-06-18Fixed #36467 -- Removed leading whitespaces from Set-Cookie header values in ↵Lukas Komischke
WSGIHandler. This also aligned the Set-Cookie logic in the WSGIHandler and ASGIHandler. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2025-06-18Fixed #36437 -- Improved accessibility of messages in admin.michalpokusa
2025-06-18Fixed #32770 -- Added system check to ensure django.contrib.postgres is ↵Clifford Gama
installed when using its features. Added postgres.E005 to validate 'django.contrib.postgres' is in INSTALLED_APPS when using: * PostgreSQL-specific fields (ArrayField, HStoreField, range fields, SearchVectorField), * PostgreSQL indexes (PostgresIndex and all subclasses), and * ExclusionConstraint The check provides immediate feedback during system checks rather than failing later with obscure runtime and database errors. Thanks to Simon Charette and Sarah Boyce for reviews.
2025-06-16Fixed #36380 -- Deferred SQL formatting when running tests with --debug-sql.Natalia
Thanks to Jacob Walls for the report and previous iterations of this fix, to Simon Charette for the logging formatter idea, and to Tim Graham for testing and ensuring that 3rd party backends remain compatible. This partially reverts d8f093908c504ae0dbc39d3f5231f7d7920dde37. Refs #36112, #35448. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-06-16Fixed #36453 -- Made When.condition resolve with for_save=False.Clifford Gama
Value(None, JSONField()) when used in When.condition incorrectly resolved with for_save=True, resulting in the value being serialized as SQL NULL instead of JSON null. Regression in c1fa3fdd040718356e5a3b9a0fe699d73f47a940. Thanks to Thomas McKay for the report, and to David Sanders and Simon Charettes for the review. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2025-06-16Fixed #36447 -- Selected preferred media type based on quality.Jake Howard
When matching which entry in the `Accept` header should be used for a given media type, the specificity matters. However once those are resolved, only the quality matters when selecting preference. Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead. Thank you to Anders Kaseorg for the report.
2025-06-13Fixed #36433 -- Fixed constraint validation crash when condition uses a ↵Colleen Dunlap
ForeignKey attname. Regression in e44e8327d3d88d86895735c0e427102063ff5b55. Thank you to Jacob Walls for the report. Co-authored-by: Simon Charette <charette.s@gmail.com>
2025-06-12Fixed #25706 -- Refactored geometry widgets to remove inline JavaScript.Claude Paroz
Refactored GIS-related JavaScript initialization to eliminate inline scripts from templates. Added support for specifying a base layer using the new `base_layer_name` attribute on `BaseGeometryWidget`, allowing custom map tile providers via user-defined JavaScript. As a result, the `gis/openlayers-osm.html` template was removed. Thanks Sarah Boyce for reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-06-12Fixed #36442 -- Cloned FilteredRelation before rename_prefix_from_q.viliam mihalik
2025-06-11Removed default value for app_configs in system check functions.Adam Johnson
The documentation[0] encourages users to write functions without a default for `app_configs`, and checks are always passed the argument. [0] https://docs.djangoproject.com/en/5.2/topics/checks/
2025-06-09Fixed #36446 -- Restored "q" in internal MediaType.params property.Natalia
The "q" key was removed while addressing ticket #36411. Despite `MediaType.params` is undocumented and considered internal, it was used in third-party projects (Zulip reported breakage), so this work restored the `q` key in `params`. Thanks Anders Kaseorg for the report. Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
2025-06-06Fixed #36419 -- Ensured for_save was propagated when resolving expressions.Clifford Gama
The for_save flag wasn't properly propagated when resolving expressions, which prevented get_db_prep_save() from being called in some cases. This affected fields like JSONField where None would be saved as JSON null instead of SQL NULL. Regression in 00c690efbc0b10f67924687f24a7b30397bf47d9. Thanks to David Sanders and Simon Charette for reviews. Co-authored-by: Adam Johnson <me@adamj.eu>
2025-06-06Refs CVE-2025-48432 -- Prevented log injection in remaining response logging.Jake Howard
Migrated remaining response-related logging to use the `log_response()` helper to avoid potential log injection, to ensure untrusted values like request paths are safely escaped. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-06-06Refs CVE-2025-48432 -- Made SuspiciousOperation logging use log_response() ↵Natalia
for consistency.
2025-06-06Updated translations from Transifex.Sarah Boyce
Forwardport of 5901cfe591139b4389171ba738be81e8f4d5cfc9 from stable/5.2.x.
2025-06-05Added validation to BaseSpatialFeatures.has_<Func>_function.Tim Graham
2025-06-05Fixed #36435 -- Made CaptureQueriesContext restore reset_queries conditionally.Adam Johnson
2025-06-05Fixed #36407 -- Ensured default value is cast in Case expressions used in ↵ontowhee
ORDER BY clause. Thanks to deceze for the report. Thanks to Sarah Boyce for the test. Thanks to Simon Charette for the investigation and review.
2025-06-04Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`.Natalia
Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net>
2025-06-04Fixed #36432 -- Fixed a prefetch_related crash on related target subclass ↵Simon Charette
queryset. Regression in 626d77e52a3f247358514bcf51c761283968099c. Refs #36116. Thanks Cornelis Poppema for the excellent report.
2025-06-03Fixed #36411 -- Made HttpRequest.get_preferred_type() consider media type ↵Jake Howard
parameters. HttpRequest.get_preferred_type() did not account for parameters in Accept header media types (e.g., "text/vcard; version=3.0"). This caused incorrect content negotiation when multiple types differed only by parameters, reducing specificity as per RFC 7231 section 5.3.2 (https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2). This fix updates get_preferred_type() to treat media types with parameters as distinct, allowing more precise and standards-compliant matching. Thanks to magicfelix for the report, and to David Sanders and Sarah Boyce for the reviews.
2025-06-03Fixed #36416 -- Made QuerySet.in_bulk() account for composite pks in id_list.Jacob Walls
2025-06-03Fixed #36060 -- Prevented IntegrityError in bulk_create() with ↵myoungjinGo-BE
order_with_respect_to.
2025-06-02Fixed #36423 -- Prevented filter_horizontal buttons from intercepting form ↵Blayze
submission. In the admin's filter_horizontal widget, optional action buttons like "Choose all", "Remove all", etc. were changed from `<a>` to `<button>` elements in #34619, but without specifying `type="button"`. As a result, when pressing Enter while focused on a form input, these buttons could be triggered and intercept form submission. Explicitly set `type="button"` on these control buttons to prevent them from acting as submit buttons. Thanks Antoliny Lee for the quick triage and review. Regression in 857b1048d53ebf5fc5581c110e85c212b81ca83a.
2025-05-27Removed unreachable check for None in TruncBase.convert_value().Tim Graham
2025-05-23Fixed #36405 -- Fixed Aggregate.order_by using OuterRef.Adam Johnson
co-authored-by: Simon Charette <charette.s@gmail.com>
2025-05-23Fixed #36404 -- Fixed Aggregate.filter using OuterRef.Adam Johnson
Regression in a76035e925ff4e6d8676c65cb135c74b993b1039. Thank you to Simon Charette for the review. co-authored-by: Simon Charette <charette.s@gmail.com>
2025-05-23Fixed #36390 -- Deprecated RemoteUserMiddleware subclasses missing ↵Sarah Boyce
aprocess_request(). Regression in 50f89ae850f6b4e35819fe725a08c7e579bfd099. Thank you to shamoon for the report and Natalia Bidart for the review.
2025-05-20Refs #35829 -- Made cosmetic edits to ↵nessita
django/contrib/admin/static/admin/img/README.md.
2025-05-20Fixed #34262 -- Added support for AnyValue for SQLite, MySQL, Oracle, and ↵ontowhee
Postgresql 16+. Thanks Simon Charette for the guidance and review. Thanks Tim Schilling for the documentation review. Thanks David Wobrock for investigation and solution proposals.
2025-05-19Fixed #36388 -- Made QuerySet.union() return self when called with no arguments.Colleen Dunlap
Regression in 9cb8baa0c4fa2c10789c5c8b65f4465932d4d172. Thank you to Antoine Humeau for the report and Simon Charette for the review.
2025-05-16Fixed #36348 -- Fixed handling multiple nested url()s in ↵Samuel Cormier-Iijima
ManifestStaticFilesStorage. Signed-off-by: Samuel Cormier-Iijima <samuel@cormier-iijima.com>