| Age | Commit message (Collapse) | Author |
|
|
|
Visual regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
|
|
containing only whitespace in admin.
|
|
Thanks David Smith for report and Tim Graham for review.
|
|
Thanks Simon Charette for the idea.
|
|
These tests were developed during work on MongoDB and capture edge cases
discovered there.
|
|
`DatabaseOperations.check_expression_support()`.
|
|
These new cases have regex characters that must be escaped by backends
like MongoDB.
|
|
admin.
Regression in b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010.
|
|
|
|
|
|
|
|
deferred annotations.
Provide a wrapper for safe introspection of user functions on Python 3.14+.
Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
|
|
default delimiter.
|
|
|
|
It's how Django formats values internally and makes tests compatible
with databases that use non-integer primary keys.
|
|
Needed by MongoDB.
|
|
|
|
Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com>
|
|
|
|
|
|
When `NotUpdated` was added in ab148c02cedbac492f29930dcd5346e1af052635,
these additional tests that have equivalents for the `DoesNotExist` and
`MultipleObjectsReturned` exceptions were missed.
|
|
contain periods.
This prevents failures at the database layer, given that aliases in the
ON clause are not quoted.
Systematically quoting aliases even in FilteredRelation is tracked in
https://code.djangoproject.com/ticket/36795.
|
|
with periods.
Before, `order_by()` treated a period in a field name as a sign that it
was requested via `.extra(order_by=...)` and thus should be passed
through as raw table and column names, even if `extra()` was not used.
Since periods are permitted in aliases, this meant user-controlled
aliases could force the `order_by()` clause to resolve to a raw table
and column pair instead of the actual target field for the alias.
In practice, only `FilteredRelation` was affected, as the other
expressions we tested, e.g. `F`, aggressively optimize away the ordering
expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY
"table".column.
Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard
for reviews.
|
|
control characters.
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
|
|
django.utils.text.Truncator for HTML input.
The `TruncateHTMLParser` used `deque.remove()` to remove tags from the
stack when processing end tags. With crafted input containing many
unmatched end tags, this caused repeated full scans of the tag stack,
leading to quadratic time complexity.
The fix uses LIFO semantics, only removing a tag from the stack when it
matches the most recently opened tag. This avoids linear scans for
unmatched end tags and reduces complexity to linear time.
Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161.
Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for
reviews.
|
|
band index.
Thanks Tarek Nakkouch for the report, and Simon Charette for the initial
triage and review.
|
|
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and
Shai Berger for reviews.
|
|
auth handler.
Refs CVE-2024-39329, #20760.
Thanks Stackered for the report, and Jacob Walls and Markus Holtermann
for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
|
|
|
|
|
|
Unlike Chromium-based browsers, Firefox does not automatically scroll
elements into view when using the Actions API with move_to_element.
This calls the scrollIntoView function explicitly, which fixes
some selenium tests when not running in headless mode.
|
|
the admin.
Thanks Antoliny for the review.
Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
|
|
crash on databases that don't support primitives in JSONFields.
For example on Oracle < 21c.
|
|
|
|
As Python 3.12 is now the floor, we can drop the shims and
use the `inspect` module.
|
|
the admin.
The issue manifested when there were multiple relations and only some
of them participated in a filter_horizontal.
Regression in cd0479ff764272add5e0aba2afcf5649a241ca00.
|
|
Instead of casting non-text fields to CharField (which prevents index
usage), skip exact lookups when the search term fails
formfield.to_python().
This preserves index usage for valid searches while gracefully handling
invalid search terms by simply not including them in the query for that
field.
For multi-term searches like 'foo 123' on search_fields=['name', 'age__exact']:
- 'foo': invalid for age, so only name lookup is used
- '123': valid for both, so both lookups are used
This entails a slight increase in permissiveness for search terms that
can be normalized by formfield.to_python().
|
|
|
|
Regression in 94680437a45a71c70ca8bd2e68b72aa1e2eff337. Refs #27222.
During INSERT operations, `field.pre_save()` is called to prepare values
for db insertion. The `add` param must be `True` for `auto_now_add`
fields to be populated. The regression commit passed `False`, causing
`auto_now_add` fields to remain `None` when used by other fields, such
as `upload_to` callables.
Thanks Ran Benita for the report.
|
|
Co-authored-by: Simon Charette <charette.s@gmail.com>
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
|
|
Ever since the beginning of Django's migration framework, there's been a
bit of an inconsistency on how index_together and unique_together values
have been stored on the ModelState[^1].
It's only really obvious, when looking at the current code for
`from_model()`[^2] and the `rename_field()` state alteration code[^3].
The problem in the autodetector's detection of the `*_together` options
as raised in the ticket, reinforces the inconsistency[^4]: the old value
is being normalized to a set of tuples, whereas the new value is taken
as-is.
Why this hasn't been caught before, is likely to the fact, that we
never really look at a `to_state` that comes from migration operations
in the autodetector. Instead, in both usages in Django[^5], [^6] the
`to_state` is a `ProjectState.from_apps()`. And that state is
consistently using sets of tuples and not lists of lists.
[^1]: https://github.com/django/django/commit/67dcea711e92025d0e8676b869b7ef15dbc6db73#diff-5dd147e9e978e645313dd99eab3a7bab1f1cb0a53e256843adb68aeed71e61dcR85-R87
[^2]: https://github.com/django/django/blob/b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010/django/db/migrations/state.py#L842
[^3]: https://github.com/django/django/blob/b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010/django/db/migrations/state.py#L340-L345
[^4]: https://github.com/django/django/blob/b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010/django/db/migrations/autodetector.py#L1757-L1771
[^5]: https://github.com/django/django/blob/2351c1b12cc9cf82d642f769c774bc3ea0cc4006/django/core/management/commands/makemigrations.py#L215-L219
[^6]: https://github.com/django/django/blob/2351c1b12cc9cf82d642f769c774bc3ea0cc4006/django/core/management/commands/migrate.py#L329-L332
|
|
test_intersection_in_nested_subquery.
It's problematic on MongoDB. Simon: "It seems odd that we'd use
__in=OuterRef("pk") over __in=[OuterRef("pk")]. It's a SQLism that
only works because right-hand-side is wrapped with (...) and that's
interpreted as a singleton tuple which is allowed with IN."
|
|
|
|
|
|
changelist.
Removed flex-wrap from .changelist-form-container and added min-width to the
main content container to ensure proper layout behavior.
Regression in 6ea331907996a51842da55c1f8d65eea7b367c7d.
|
|
|
|
Follow-up to c042fe3a74fb213c93b1052f7de4d99a6e6948e0.
The original ignore was added in 0bd2c0c9015b53c41394a1c0989afbfd94dc2830
but was not adjusted when the stacklevel changed.
|
|
FilteredSelectMultiple.
This patch adds support for <optgroup>s in FilteredSelectMultiple widgets.
When a popup returns a new object, if the source field contains optgroup
choices, the optgroup is now also included in the response data.
Additionally, this adds error handling for invalid source_model parameters
to prevent crashes and display user-friendly error messages instead.
Co-authored-by: Michael McLarnon <mmclar@gmail.com>
|