summaryrefslogtreecommitdiff
path: root/tests
AgeCommit message (Collapse)Author
2026-05-20Fixed #37105 -- Disallowed admin change form actions on different objects.Sarah Boyce
Bug in f30acb184f75fd9260cfd6ddc48a3bbbd49f9c1d. Refs #12090.
2026-05-18Fixed #36825 -- Extended admin templates so CSP nonce is included if available.Johannes Maron
Error pages, admin, and registration templates were updated to use `{% csp_nonce %}` on their explicit `<script>`, `<link>`, and `<style>` HTML elements. Co-authored-by: Antoliny0919 <antoliny0919@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-05-18Refs #36938 -- Reverted "Refs #36938 -- Tolerated unnecessary ordering in ↵Jacob Walls
compound queries on SQLite." This mostly reverts 2314cdf1ff860058a6579bb9f9bac1253fc9ab43, but keeps the removal of some test skips.
2026-05-18Fixed #37097 -- Made Query.clear_ordering() clear ordering on combined ↵Jacob Walls
queries also. Thanks Shai Berger for the report. Regression in 087bb9e8f3478d53f12b1737af865992af17c5f2. (That commit drove more traffic into an error that would have been reachable only with an explicit order_by() after each union().) Co-authored-by: Simon Charette <charettes@gmail.com> Co-authored-by: siddus <dcsid10@gmail.com>
2026-05-15Fixed #37062 -- Added preserve_request support to RedirectView.VAIBHAVPANT07
2026-05-15Pinned selenium version to "<4.44.0" due to change in get_attribute("class") ↵Sarah Boyce
behavior. Before selenium 4.44.0, target_element.get_attribute("class") returned "" when there was no class attribute. This now returns None.
2026-05-14Refs #36664 -- Updated SMTP EmailBackend tests for Python 3.15.Mike Edmunds
Versions of Python prior to 3.15 would incorrectly encode non-ASCII email addresses using rfc2047, resulting in undeliverable email. The SMTP EmailBackend detects and prevents that (#35713). Python 3.15 fixes that behavior (CPython issue gh-122476). Updated test_rejects_non_ascii_local_part() to feature-detect the fix (in case it is backported) and check for a representative section of the Python error message if so; otherwise test for the SMTP EmailBackend workaround. Updated comments to clarify need and requirement.
2026-05-13Fixed #37092, Refs #35870 -- Added missing deprecation warnings for ↵Jacob Walls
USE_BLANK_CHOICE_DASH. Follow-up to 63c56cda133a85a158502891c40465bc0331d3d9. Modeled on 5d80843ebc5376d00f98bf2a6aadbada4c29365c.
2026-05-13Fixed #35514 -- Implemented dictionary-based MAILERS.Mike Edmunds
See DEP 0018. Added: * MAILERS setting. * django.core.mail.mailers dict-like EmailBackend factory. * `using` argument to mail sending APIs. * `sent_using` attribute to mail.outbox messages in locmem backend. * MAILERS in startproject settings template, set to console backend. * AdminLogHandler.using argument. * BrokenLinkEmailsMiddleware.send_mail() method. Updated: * BaseEmailBackend to track the MAILERS alias used to construct it, and to report errors for unknown kwargs (OPTIONS). * EmailBackend implementations to initialize from kwargs (OPTIONS) only when MAILERS is being used. * smtp.EmailBackend to require `host` option and to default `port` option based on SSL/TLS options. * SimpleTestCase setup to substitute the locmem backend for all defined MAILERS configurations. * Django's tests that send mail to define MAILERS. Deprecated: * EMAIL_BACKEND and other backend-related EMAIL_* settings. * mail.get_connection(). * The `connection`, `fail_silently`, `auth_user`, and `auth_password` arguments to mail functions. * The EmailMessage.connection attribute. * BaseEmailBackend support for `fail_silently`. Backends that support fail_silently (SMTP, console, file) now implement it directly. * AdminEmailHandler.email_backend argument. Removed undocumented features without deprecation: * EmailMessage.get_connection() method. (send() now raises an error if a subclass has attempted to override it.) * EmailMessage.send() no longer sets self.connection to the connection used for sending. (It still _uses_ a pre-existing self.connection.) * AdminEmailHandler.connection() method. (Init now raises an error if a subclass has attempted to override it.) Thanks to Natalia Bidart for shepherding DEP 0018 and for extensive reviews and suggestions on the implementation. Thanks to Jacob Rief for the initial implementation and multiple iterations while refining the design. Co-authored-by: Jacob Rief <jacob.rief@gmail.com>
2026-05-13Fixed #37094 -- Replaced "Go" with "Run" in list_editable alert message.Jacob Walls
Bug in 019acad112da3d00bb81b3022fd25ccd8457e5d9.
2026-05-13Fixed #12090 -- Added admin actions to the admin change form.Marcelo Galigniana
Thank you to Benjamin Balder Bach and Jacob Walls for reviews. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2026-05-12Fixed #37095 -- Checked maximum redirect lengths against percent-encoded URLs.Jacob Walls
2026-05-12Fixed #37096 -- Fixed test_invalid_choice_db_option on Python 3.14.5+.kasey
2026-05-12Removed constraints' test_validate_nullable_condition dependency on ↵Tim Graham
generated columns. Co-authored-by: JaeHyuckSa <jaehyuck.sa.dev@gmail.com>
2026-05-11Refs #36938 -- Tolerated unnecessary ordering in compound queries on SQLite.Jacob Walls
2026-05-11Removed hardcoded pks in AdminViewPermissionsTest.Artyom Kotovskiy
Replaced obj.id permission checks with explicit boolean fields.
2026-05-11Refs #36593 -- Deprecated setting ModelAdmin.list_select_related to True.Adam Johnson
Now that calling `QuerySet.select_related()` without arguments is deprecated, this commit deprecates the corresponding admin features.
2026-05-11Fixed #36593 -- Deprecated QuerySet.select_related() with no arguments.Adam Johnson
This commit deprecates the "fetch all relations" form of `QuerySet.select_related()` due to its poor performance characteristics, and updates several tests relying on that feature to ignore the new warning.
2026-05-11Refs #36593 -- Used explicit select_related() calls in tests.Adam Johnson
This commit prepares for the deprecation of select_related() without arguments by updating tests that used select_related() as a shorthand to explicitly specify the related fields to be selected.
2026-05-11Refs #36593 -- Made ModelAdmin.list_select_related = False more efficient.Adam Johnson
This change makes `list_select_related = False` avoid unnecessary joins by only selecting the related fields that are actually used in `list_display`. Consequently, it avoids one code path that calls `QuerySet.select_related()` with no arguments, which is targeted for deprecation.
2026-05-08Refs #37060 -- Shortened app label in AlterField test for Oracle.Jacob Walls
This avoids having to run connection.ops.truncate_name() when deriving the table name. Follow-up to 21c51c2623a966ba1ad8fd10e36bc8bbec93b70e.
2026-05-08Refs #35514 -- Decoupled settings from functional EmailBackend tests.Mike Edmunds
Reworked tests/mail/test_backends.py so that cases covering functional behavior don't depend on EMAIL_BACKEND or other EMAIL_* settings. (But kept unchanged existing tests to verify backend instance properties are initialized from EMAIL_* settings.) Most backend behavior tests had implicitly relied on email settings overrides in test setup (e.g., to use an emulated SMTP server). They either used mail.get_connection(...) or directly constructed a backend class instance with the specific attributes being tested, relying on the settings overrides to initialize other required attributes. That approach won't work after those settings are deprecated as part of EMAIL_PROVIDERS. Instead, replaced backend construction in "functional" tests with new SharedEmailBackendTests.create_backend() which constructs the testable backend instance with _all_ options needed to avoid global settings. Tests to verify the settings are read correctly continue to directly construct backend instances, without using create_backend().
2026-05-07Fixed #37084 -- Added CSP nonce context processor system check.Milad Zarour
2026-05-07Fixed #37085 -- Added support for object-based form media stylesheet assets.Natalia
Thank you James Walls and James Bligh for reviews. Co-authored-by: Johannes Maron <johannes@maron.family>
2026-05-07Fixed #37060 -- Propagated AlterField through attname-based to_field references.Andrea Zanotto
Schema dependency discovery treated to_field values as raw field names, so attname aliases such as "primary_id" were not matched to the underlying relation field "primary". As a result, AlterField on a unique target field updated direct dependencies but missed transitive attname-based references. Resolved the dependency matching by comparing resolved remote fields rather than only field names, and updated SQLite's related-table rebuild path to use the same recursive dependency discovery. Added a regression test covering a transitive relation chain where ForeignKey(..., to_field="primary_id") must widen along with the unique leaf field it ultimately references.
2026-05-06Refs #35514 -- Cleaned up logging and middleware tests.Mike Edmunds
Simplified and removed use of soon-to-be-deprecated or removed features from tests for AdminEmailHandler and BrokenLinkEmailsMiddleware. Added or updated cases to ensure `fail_silently` usage remains consistent during the transition to email providers. Changed custom FailingEmailBackend to respect fail_silently and record its use in a class-level property. In AdminEmailHandlerTest: * Added make_log_record() helper to reduce duplicated code. * Changed test_fail_silently() to send through the FailingEmailBackend, which will fail if not initialized with fail_silently=True. (Rather than inspecting attributes of a soon-to-be-deprecated connection.) * Simplified test_uses_custom_email_backend() by replacing monkeypatches with inspectable custom backend. * In test_customize_send_mail_method(), removed use of the undocumented self.connection() method and the soon-to-be-deprecated `connection` arg to mail_managers(). This test verifies a subclass can customize sending by mailing the managers rather than the admins. Involving a email backend connection was irrelevant. In BrokenLinkEmailsMiddlewareTest, added a case with FailingEmailBackend to verify send uses fail_silently=True.
2026-05-06Refs #35514 -- Verified test runner swaps in testing email backend.Mike Edmunds
Added missing test to verify Django's test runner swaps in the locmem EmailBackend during tests. Extracted reusable mock_test_state() helper from SetupTestEnvironmentTests.test_allowed_hosts().
2026-05-06Refs #35514 -- Added error for missing EMAIL_FILE_PATH setting.Mike Edmunds
Replaced TypeError in `os.path.abspath(None)` with ImproperlyConfigured error when settings.EMAIL_FILE_PATH is required but missing.
2026-05-06Refs #35514 -- Added missing mail tests.Mike Edmunds
Added tests for: * BaseEmailBackend class. * EmailBackend support for fail_silently arg and unknown kwargs. * File backend support for EMAIL_FILE_PATH setting. * File backend configuration error reporting (where possible). * SMTP backend support for EMAIL_HOST and EMAIL_PORT settings. * SMTP backend use of ssl_certfile, ssl_keyfile, timeout options. * send_mail() return value. * send_mass_mail() basic behavior. * send_mail() and send_mass_mail() support for auth_user, auth_password, and fail_silently args. * get_connection() support for EMAIL_BACKEND setting and backend-specfic kwargs.
2026-05-06Refs #35514 -- Simplified mail tests.Mike Edmunds
* Removed unnecessary empty username/password args and unnecessary test email content. * Replaced monkeypatching with mock.patch. Minimized scope of patches. * Added missing assertions in some tests. * Cleaned up uses of assertTrue() and assertFalse(). * Removed implicit assumption in LocmemBackendTests that mail is always sent by the locmem backend during tests. * Made FileBackendTests tmp_dir cleanup more robust, and added helpers to simplify test cases. * Split FileBackendTests.test_sessions() into three distinct cases (and removed unrelated, duplicative verification of message content). * Used mock to simplify and improve accuracy of SMTP AUTH test. * Replaced `get_connection("mail.custombackend.EmailBackend")` with direct `custombackend.EmailBackend()` construction to avoid soon-to- be-deprecated usage of `get_connection(backend_path)` in cases that aren't trying to test creating a connection from an import path.
2026-05-06Refs #35514 -- Cleaned up mail tests.Mike Edmunds
* Renamed shared backend test case class to SharedEmailBackendTests, to avoid confusion with tests for the BaseEmailBackend. * Used consistent module references to mail functions (removed `mail.` from most uses; kept it for `mail.get_connection()`). * Used consistent `backend` variable name for EmailBackend instances in backend tests (matching most SMTP tests, replacing `connection` and `conn` in other tests). * Renamed some test cases for clarity. * Removed some unnecessary docstrings from test cases. * Reformatted some docstrings with nearby edits.
2026-05-06Fixed #36784 -- Added csp_nonce_attr template tag for CSP nonce inclusion.Natalia
New default tag `{% csp_nonce_attr %}` was added for explicit CSP nonce inclusion into `<script>` and `<link>` elements. `{% csp_nonce_attr %}` renders `nonce="<value>"` when `csp_nonce` is present in the template context, and renders nothing otherwise. `{% csp_nonce_attr media %}` renders a `Media` object's assets with the nonce attr applied to each tag. Thanks Jacob Walls for the accurate and spot on review comments. Co-authored-by: Johannes Maron <johannes@maron.family>
2026-05-06Refs #36439 -- Added sync_to_async() to dummy password hasher path.Jacob Walls
Since the existing user path eventually calls sync_to_async() in acheck_password, aim for parity with the nonexistent/inactive user branch by adding sync_to_async(). Follow-up to 748ca0a146175c4868ece87f5e845a75416c30e3.
2026-05-06Fixed #36300 -- Restored the semantic where RemoteUserMiddleware.header ↵Jacob Walls
corresponds to request.META under ASGI. Because these tests always passed both WSGI environ values and HTTP headers via `**extra`, this masked a behavior difference between WSGI and ASGI. What should happen: everything should be passed via `headers` but for the default REMOTE_USER case on WSGI, which should be passed via `**extra`. Since that was not done, a regression made it into Django 5.2 (50f89ae850f6b4e35819fe725a08c7e579bfd099) where `.header` no longer corresponded to the request.META key under ASGI. To cope, an ASGI user would have started(*) sending HTTP headers that match the `.header` attribute, which may or may not have been edited to remove the HTTP_ prefix. (Note: the default `REMOTE_USER` case did not work under ASGI, so the change in Django 5.2 had the effect of fixing the default case but changing the semantic of the custom case.) (*): Unless they were getting the sync execution path, which didn't have this bug. See the fix in 0f4fff79d33b7cc84822e66bd1fc16caf8222e3a. Thanks Mykhailo Havelia and Sarah Boyce for reviews.
2026-05-05Fixed #37053 -- Added validate=True to base64.b64decode() calls.Sarah Boyce
2026-05-05Fixed CVE-2026-6907 -- Prevented caching of requests when Vary header ↵Sarah Boyce
contains an asterisk. Thank you Ahmad Sadeddin for the report and Jacob Walls for the review.
2026-05-05Fixed CVE-2026-35192 -- Ensured Vary header is sent when setting session ↵Jake Howard
cookie with SESSION_SAVE_EVERY_REQUEST=True. Thank you Jacob Walls and Natalia Bidart for reviews.
2026-05-05Fixed CVE-2026-5766 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE in ↵Jacob Walls
MemoryFileUploadHandler on ASGI. In ASGI deployments, Content-Length is not guaranteed to reflect the actual request body size, so relying on it to gate memory allocation allowed the limit to be bypassed. The handler now enforces DATA_UPLOAD_MAX_MEMORY_SIZE regardless of the declared header value. Thanks to Kyle Agronick for the report. Refs #35289. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-05-04Fixed #36767 -- Allowed max redirect URL length to be set on ↵varunkasyap
HttpResponseRedirect.
2026-05-04Fixed #37079 -- Fixed specialization of header lookups in RemoteUserMiddleware.Jacob Walls
We need to switch on whether the request is a WSGI or ASGI request to know whether to prepend `HTTP_`: we cannot assume sync exceution means we are running under WSGI, as there could be other sync middleware forcing sync execution under ASGI. Thanks Mykhailo Havelia for the report.
2026-05-04Fixed #37080 -- Filtered by generic deprecation warnings in runtests.py.HectorCastillo
2026-05-04Fixed #37078 -- Deprecated SHA-1 default for salted_hmac() and base64_hmac() ↵Denny Biasiolli
algorithm. Deprecated the default value of the algorithm argument in django.utils.crypto.salted_hmac() and django.core.signing.base64_hmac(), which will change from 'sha1' to 'sha256' in Django 7.0.
2026-05-04Removed hardcoded pks in annotations and delete_regress tests.Tim Graham
2026-05-02Removed integer pk assumption from file_uploads test.Tim Graham
The test was incompatible with MongoDB's bson.ObjectId.
2026-05-01Refs #35303 -- Added missing async RemoteUserMiddleware tests for custom ↵Sarah Boyce
RemoteUserBackend.
2026-05-01Refs #689 -- Made RemoteUserMiddleware ImproperlyConfigured error message ↵Sarah Boyce
handle subclasses. Co-authored-by: Arfey <Arfey17.mg@gmail.com>
2026-04-30Fixed #37075 -- Allowed overriding the PostgreSQL pool's "check" callable.HEADmaininitial-branchRaoni Timo
Setting "check" in OPTIONS["pool"] previously raised TypeError because the PostgreSQL backend always passed check= to ConnectionPool() and unpacked **pool_options on top, regardless of CONN_HEALTH_CHECKS. The user's callable now takes precedence via setdefault(); pool_options is copied first to avoid mutating the user's settings dict.
2026-04-30Fixed #36919 -- Allowed Task and TaskResult to be pickled.varunkasyap
2026-04-29Fixed #16429 -- Extracted set_choices() method from FilePathField.__init__().TildaDares
2026-04-29Fixed #37067 -- Added trailing slash in django_file_prefixes().Fashad Ahmed
Ensure skip_file_prefixes does not match sibling packages like django*. Bug in f42b89f1bf49a5b89ed852b60f79342320a81c5e and 34bd3ed944bf38792c631b55e581963d44d52284.