summaryrefslogtreecommitdiff
path: root/docs
AgeCommit message (Collapse)Author
2025-07-22Fixed #36377 -- Added hints support to CreateExtension and subclasses.Anthony Sottile
2025-07-20Fixed #28696 -- Added GeometryType GIS database function and __geom_type lookup.Ahmed Ibrahim
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2025-07-17Refs #36163 -- Reordered EmailMessage options in docs/topics/email.txt.Mike Edmunds
Reordered the keyword-only EmailMessage parameters in the documentation to group similar options together and move rarely used options later. Used keywords for *all* parameters in EmailMessage examples to improve clarity.
2025-07-17Fixed #36163 -- Deprecated most positional arguments in django.core.mail.Mike Edmunds
In public mail APIs, changed less frequently used parameters from keyword-or-positional to keyword-only, emitting a warning during the required deprecation period.
2025-07-17Fixed get_connection() signature in docs/topics/email.txt.Mike Edmunds
django.core.mail.get_connection() has always supported only variable keyword arguments (never variable positional arguments).
2025-07-17Fixed #35680 -- Added automatic imports of common utilies to shell ↵Salvo Polizzi
management command.
2025-07-16Fixed #36477, Refs #36163 -- Added @deprecate_posargs decorator to simplify ↵Mike Edmunds
deprecation of positional arguments. This helper allows marking positional-or-keyword parameters as keyword-only with a deprecation period, in a consistent and correct manner.
2025-07-13Fixed typo in docs/ref/utils.txt.Clifford Gama
2025-07-13Added Django ecosystem page to the documentation.Tim Schilling
2025-07-10Fixed #36502 -- Restored UNNEST strategy for foreign key bulk inserts on ↵Simon Charette
PostgreSQL. Regression in 764af7a3d6c0b543dcf659a2c327f214da768fe4.
2025-07-09Updated asgiref dependency.Carlton Gibson
2025-07-02Added release date for 5.2.4.Natalia
2025-07-02Added stub release notes for 5.2.5.Natalia
2025-07-01Fixed #35846 -- Ensured consistent path ordering in ↵Matthew Stell
ManifestStaticFilesStorage manifest files. This change reuses the existing sorting of `hashed_files` in `ManifestStaticFilesStorage.save_manifest` to also store a sorted `paths` mapping in the manifest file. This ensures stable manifest output that does not change unnecessarily.
2025-06-30Fixed #36464 -- Fixed "__in" tuple lookup on backends lacking native support.Simon Charette
When native support for tuple lookups is missing in a DB backend, it can be emulated with an EXISTS clause. This is controlled by the backend feature flag "supports_tuple_lookups". The mishandling of subquery right-hand side in `TupleIn` (added to support `CompositePrimaryKey` in Refs #373) was likely missed because the only core backend we test with the feature flag disabled (Oracle < 23.4) supports it natively. Thanks to Nandana Raol for the report, and to Sarah Boyce, Jacob Walls, and Natalia Bidart for reviews.
2025-06-27Fixed #15727 -- Added Content Security Policy (CSP) support.Rob Hudson
This initial work adds a pair of settings to configure specific CSP directives for enforcing or reporting policy violations, a new `django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the appropriate headers to responses, and a context processor to support CSP nonces in templates for safely inlining assets. Relevant documentation has been added for the 6.0 release notes, security overview, a new how-to page, and a dedicated reference section. Thanks to the multiple reviewers for their precise and valuable feedback. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-06-27Fixed indentation in docs/internals/howto-release-django.txt.Sarah Boyce
2025-06-27Separated creating the release and setting it as default in Trac in the ↵Sarah Boyce
post-release steps.
2025-06-25Fixed #36386 -- Added styles and icons for INFO and DEBUG messages in the admin.michalpokusa
2025-06-25Fixed #36471 -- Added support for __coveredby GIS lookup and Collect, ↵Mariusz Felisiak
GeoHash, IsValid on MariaDB 12.0.1+.
2025-06-20Fixed #36152 -- Deprecated use of "%" in column aliases.Jacob Walls
Unintentional support existed only on SQLite and Oracle.
2025-06-18Clarified that only latest dependency versions are valid for security reports.Jake Howard
2025-06-18Fixed #32770 -- Added system check to ensure django.contrib.postgres is ↵Clifford Gama
installed when using its features. Added postgres.E005 to validate 'django.contrib.postgres' is in INSTALLED_APPS when using: * PostgreSQL-specific fields (ArrayField, HStoreField, range fields, SearchVectorField), * PostgreSQL indexes (PostgresIndex and all subclasses), and * ExclusionConstraint The check provides immediate feedback during system checks rather than failing later with obscure runtime and database errors. Thanks to Simon Charette and Sarah Boyce for reviews.
2025-06-17Added guidance on AI-assisted security reports to docs/internals/security.txt.nessita
Co-authored-by: Shai Berger <shai@platonix.com> Co-authored-by: Mike Edmunds <medmunds@gmail.com>
2025-06-16Fixed #36453 -- Made When.condition resolve with for_save=False.Clifford Gama
Value(None, JSONField()) when used in When.condition incorrectly resolved with for_save=True, resulting in the value being serialized as SQL NULL instead of JSON null. Regression in c1fa3fdd040718356e5a3b9a0fe699d73f47a940. Thanks to Thomas McKay for the report, and to David Sanders and Simon Charettes for the review. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2025-06-16Fixed #36447 -- Selected preferred media type based on quality.Jake Howard
When matching which entry in the `Accept` header should be used for a given media type, the specificity matters. However once those are resolved, only the quality matters when selecting preference. Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead. Thank you to Anders Kaseorg for the report.
2025-06-13Corrected jsonfield fieldlookup references.Sarah Boyce
2025-06-12Fixed #25706 -- Refactored geometry widgets to remove inline JavaScript.Claude Paroz
Refactored GIS-related JavaScript initialization to eliminate inline scripts from templates. Added support for specifying a base layer using the new `base_layer_name` attribute on `BaseGeometryWidget`, allowing custom map tile providers via user-defined JavaScript. As a result, the `gis/openlayers-osm.html` template was removed. Thanks Sarah Boyce for reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-06-12Fixed #36463 -- Fixed grammar in docs/intro/contributing.txt.Sulove Bista
2025-06-12Fixed #36454 -- Fixed typo in docs/intro/tutorial08.txt.ruvilonix
2025-06-11Made minor grammar and punctuation fixes in docs/topics/migrations.txt.Clifford Gama
2025-06-11Fixed #36425 -- Standardized integer fields descriptions.junghwan16
2025-06-10Added follow-up to CVE-2025-48432 to security archive.Sarah Boyce
2025-06-10Added stub release notes for 5.2.4.Sarah Boyce
2025-06-10Refs #373 -- Doc'd that on_delete is ignored for ForeignObject.Jacob Walls
2025-06-10Fixed #36449 -- Fixed field types in example model using ForeignObject.Jacob Walls
2025-06-09Fixed #36446 -- Restored "q" in internal MediaType.params property.Natalia
The "q" key was removed while addressing ticket #36411. Despite `MediaType.params` is undocumented and considered internal, it was used in third-party projects (Zulip reported breakage), so this work restored the `q` key in `params`. Thanks Anders Kaseorg for the report. Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
2025-06-06Fixed #36419 -- Ensured for_save was propagated when resolving expressions.Clifford Gama
The for_save flag wasn't properly propagated when resolving expressions, which prevented get_db_prep_save() from being called in some cases. This affected fields like JSONField where None would be saved as JSON null instead of SQL NULL. Regression in 00c690efbc0b10f67924687f24a7b30397bf47d9. Thanks to David Sanders and Simon Charette for reviews. Co-authored-by: Adam Johnson <me@adamj.eu>
2025-06-06Refs CVE-2025-48432 -- Prevented log injection in remaining response logging.Jake Howard
Migrated remaining response-related logging to use the `log_response()` helper to avoid potential log injection, to ensure untrusted values like request paths are safely escaped. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-06-06Updated translations from Transifex.Sarah Boyce
Forwardport of 5901cfe591139b4389171ba738be81e8f4d5cfc9 from stable/5.2.x.
2025-06-04Added CVE-2025-48432 to security archive.Natalia
2025-06-04Added stub release notes for 5.2.3.Natalia
2025-06-04Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`.Natalia
Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net>
2025-06-04Fixed #36432 -- Fixed a prefetch_related crash on related target subclass ↵Simon Charette
queryset. Regression in 626d77e52a3f247358514bcf51c761283968099c. Refs #36116. Thanks Cornelis Poppema for the excellent report.
2025-06-03Fixed #36411 -- Made HttpRequest.get_preferred_type() consider media type ↵Jake Howard
parameters. HttpRequest.get_preferred_type() did not account for parameters in Accept header media types (e.g., "text/vcard; version=3.0"). This caused incorrect content negotiation when multiple types differed only by parameters, reducing specificity as per RFC 7231 section 5.3.2 (https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2). This fix updates get_preferred_type() to treat media types with parameters as distinct, allowing more precise and standards-compliant matching. Thanks to magicfelix for the report, and to David Sanders and Sarah Boyce for the reviews.
2025-06-03Fixed #36416 -- Made QuerySet.in_bulk() account for composite pks in id_list.Jacob Walls
2025-06-02Fixed #36423 -- Prevented filter_horizontal buttons from intercepting form ↵Blayze
submission. In the admin's filter_horizontal widget, optional action buttons like "Choose all", "Remove all", etc. were changed from `<a>` to `<button>` elements in #34619, but without specifying `type="button"`. As a result, when pressing Enter while focused on a form input, these buttons could be triggered and intercept form submission. Explicitly set `type="button"` on these control buttons to prevent them from acting as submit buttons. Thanks Antoliny Lee for the quick triage and review. Regression in 857b1048d53ebf5fc5581c110e85c212b81ca83a.
2025-05-28Added stub release notes and release date for 5.2.2, 5.1.10, and 4.2.22.Natalia
2025-05-26Fixed #36402, Refs #35980 -- Updated built package name in reusable apps ↵Jason Judkins
tutorial for PEP 625.
2025-05-23Fixed #36405 -- Fixed Aggregate.order_by using OuterRef.Adam Johnson
co-authored-by: Simon Charette <charette.s@gmail.com>