summaryrefslogtreecommitdiff
path: root/tests
AgeCommit message (Collapse)Author
2026-02-21Fixed a typo in tests/i18n/tests.py.jun
2026-02-20Fixed #36920 -- Fixed alignment of fieldset legends in wide admin forms.usman
Visual regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
2026-02-20Fixed #36127 -- Applied default empty display value to links otherwise ↵SiHyunLee
containing only whitespace in admin.
2026-02-19Fixed #36929 -- Dropped support for GEOS 3.9.Pravin Kamble
Thanks David Smith for report and Tim Graham for review.
2026-02-13Fixed #36857 -- Added QuerySet.totally_ordered property.VIZZARD-X
Thanks Simon Charette for the idea.
2026-02-12Added tests for QuerySet.union() across different models and value aliases.Emanuel Lupi
These tests were developed during work on MongoDB and capture edge cases discovered there.
2026-02-12Improved error message in SQLite ↵Adam Johnson
`DatabaseOperations.check_expression_support()`.
2026-02-12Added extra pattern lookup escaping cases in tests/expressions/tests.py.Tim Graham
These new cases have regex characters that must be escaped by backends like MongoDB.
2026-02-11Fixed #36921 -- Fixed KeyError in inline form for model not registered with ↵Sean Helvey
admin. Regression in b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010.
2026-02-11Refs #35809 -- Fixed test_selectbox_selected_rows() on macOS.Jacob Walls
2026-02-11Relaxed a query ordering assertion in filtered_relation test.Tim Graham
2026-02-10Fixed #36841 -- Made multipart parser class pluggable on HttpRequest.farhan
2026-02-10Fixed #36903 -- Fixed further NameErrors when inspecting functions with ↵93578237
deferred annotations. Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
2026-02-10Fixed #36890 -- Supported StringAgg(distinct=True) on SQLite with the ↵varunkasyap
default delimiter.
2026-02-10Added various missing test skips observed on MongoDB.Tim Graham
2026-02-10Modified tests to format PKs with %s rather than %d.Tim Graham
It's how Django formats values internally and makes tests compatible with databases that use non-integer primary keys.
2026-02-09Added DatabaseFeatures.supports_inspectdb.Tim Graham
Needed by MongoDB.
2026-02-09Refs #36036 -- Added m dimension to GEOSCoordSeq.David Smith
2026-02-06Fixed #36246 -- Caught GDALException in BaseGeometryWidget.deserialize.JaeHyuck Sa
Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com>
2026-02-06Fixed #36644 -- Enabled empty order_by() to avoid pk ordering by first()/last().Nilesh Kumar Pahari
2026-02-06Refs #36644 -- Applied default ordering after union().Nilesh Kumar Pahari
2026-02-05Refs #33579 -- Added extra tests for NotUpdated exception.Nick Pope
When `NotUpdated` was added in ab148c02cedbac492f29930dcd5346e1af052635, these additional tests that have equivalents for the `DoesNotExist` and `MultipleObjectsReturned` exceptions were missed.
2026-02-03Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases ↵Jacob Walls
contain periods. This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795.
2026-02-03Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via aliases ↵Jacob Walls
with periods. Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column. Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews.
2026-02-03Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via ↵Jake Howard
control characters. Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews.
2026-02-03Fixed CVE-2026-1285 -- Mitigated potential DoS in ↵Natalia
django.utils.text.Truncator for HTML input. The `TruncateHTMLParser` used `deque.remove()` to remove tags from the stack when processing end tags. With crafted input containing many unmatched end tags, this caused repeated full scans of the tag stack, leading to quadratic time complexity. The fix uses LIFO semantics, only removing a tag from the stack when it matches the most recently opened tag. This avoids linear scans for unmatched end tags and reduces complexity to linear time. Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161. Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for reviews.
2026-02-03Fixed CVE-2026-1207 -- Prevented SQL injections in RasterField lookups via ↵Jacob Walls
band index. Thanks Tarek Nakkouch for the report, and Simon Charette for the initial triage and review.
2026-02-03Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI requests.Jake Howard
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and Shai Berger for reviews.
2026-02-03Fixed CVE-2025-13473 -- Standardized timing of check_password() in mod_wsgi ↵Jake Howard
auth handler. Refs CVE-2024-39329, #20760. Thanks Stackered for the report, and Jacob Walls and Markus Holtermann for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-02-03Fixed #36879 -- Identified Django client in Redis client metadata.ar3ph
2026-02-02Fixed line length in admin_views test_prepopulated_fields().Jacob Walls
2026-02-02Fixed #36893 -- Serialized elidable kwarg for RunSQL and RunPython operations.SnippyCodes
2026-02-02Fixed selenium tests in Firefox.Patryk Bratkowski
Unlike Chromium-based browsers, Firefox does not automatically scroll elements into view when using the Actions API with move_to_element. This calls the scrollIntoView function explicitly, which fixes some selenium tests when not running in headless mode.
2026-02-02Fixed #36788 -- Fixed horizontal form field alignment under <fieldset> in ↵Jacob Walls
the admin. Thanks Antoliny for the review. Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
2026-01-31Refs #36865 -- Fixed test_exact_lookup_validates_each_field_independently() ↵Jacob Walls
crash on databases that don't support primitives in JSONFields. For example on Oracle < 21c.
2026-01-31Added supports_expression_indexes skip to nulls_distinct test.Tim Graham
2026-01-31Refs #34118 -- Removed asgiref coroutine detection shims.Jacob Walls
As Python 3.12 is now the floor, we can drop the shims and use the `inspect` module.
2026-01-30Fixed #36468 -- Fixed failure to close popup when adding a related object in ↵Mark Niehues
the admin. The issue manifested when there were multiple relations and only some of them participated in a filter_horizontal. Regression in cd0479ff764272add5e0aba2afcf5649a241ca00.
2026-01-30Fixed #36865 -- Removed casting from exact lookups in admin searches.mlissner
Instead of casting non-text fields to CharField (which prevents index usage), skip exact lookups when the search term fails formfield.to_python(). This preserves index usage for valid searches while gracefully handling invalid search terms by simply not including them in the query for that field. For multi-term searches like 'foo 123' on search_fields=['name', 'age__exact']: - 'foo': invalid for age, so only name lookup is used - '123': valid for both, so both lookups are used This entails a slight increase in permissiveness for search terms that can be normalized by formfield.to_python().
2026-01-30Refs #36865 -- Added test for invalid value handling in admin changelist.mlissner
2026-01-29Fixed #36847 -- Ensured auto_now_add fields are set on pre_save().Nilesh Kumar Pahari
Regression in 94680437a45a71c70ca8bd2e68b72aa1e2eff337. Refs #27222. During INSERT operations, `field.pre_save()` is called to prepare values for db insertion. The `add` param must be `True` for `auto_now_add` fields to be populated. The regression commit passed `False`, causing `auto_now_add` fields to remain `None` when used by other fields, such as `upload_to` callables. Thanks Ran Benita for the report.
2026-01-28Fixed #36233 -- Avoided quantizing integers stored in DecimalField on SQLite.Samriddha9619
Co-authored-by: Simon Charette <charette.s@gmail.com> Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-01-28Fixed #36878 -- Unified data type for *_together options in ModelState.Markus Holtermann
Ever since the beginning of Django's migration framework, there's been a bit of an inconsistency on how index_together and unique_together values have been stored on the ModelState[^1]. It's only really obvious, when looking at the current code for `from_model()`[^2] and the `rename_field()` state alteration code[^3]. The problem in the autodetector's detection of the `*_together` options as raised in the ticket, reinforces the inconsistency[^4]: the old value is being normalized to a set of tuples, whereas the new value is taken as-is. Why this hasn't been caught before, is likely to the fact, that we never really look at a `to_state` that comes from migration operations in the autodetector. Instead, in both usages in Django[^5], [^6] the `to_state` is a `ProjectState.from_apps()`. And that state is consistently using sets of tuples and not lists of lists. [^1]: https://github.com/django/django/commit/67dcea711e92025d0e8676b869b7ef15dbc6db73#diff-5dd147e9e978e645313dd99eab3a7bab1f1cb0a53e256843adb68aeed71e61dcR85-R87 [^2]: https://github.com/django/django/blob/b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010/django/db/migrations/state.py#L842 [^3]: https://github.com/django/django/blob/b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010/django/db/migrations/state.py#L340-L345 [^4]: https://github.com/django/django/blob/b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010/django/db/migrations/autodetector.py#L1757-L1771 [^5]: https://github.com/django/django/blob/2351c1b12cc9cf82d642f769c774bc3ea0cc4006/django/core/management/commands/makemigrations.py#L215-L219 [^6]: https://github.com/django/django/blob/2351c1b12cc9cf82d642f769c774bc3ea0cc4006/django/core/management/commands/migrate.py#L329-L332
2026-01-27Refs #35744 -- Removed problematic __in lookup in ↵Tim Graham
test_intersection_in_nested_subquery. It's problematic on MongoDB. Simon: "It seems odd that we'd use __in=OuterRef("pk") over __in=[OuterRef("pk")]. It's a SQLism that only works because right-hand-side is wrapped with (...) and that's interpreted as a singleton tuple which is allowed with IN."
2026-01-26Fixed #36776 -- Clarified dev server runs in WSGI mode.jafarkhan83
2026-01-26Fixed #36883 -- Split monolithic aggregation regression tests.varunkasyap
2026-01-26Fixed #36850 -- Prevented admin filter sidebar from wrapping below the ↵Nilesh Kumar Pahari
changelist. Removed flex-wrap from .changelist-form-container and added min-width to the main content container to ensure proper layout behavior. Regression in 6ea331907996a51842da55c1f8d65eea7b367c7d.
2026-01-25Fixed #36812 -- Dropped support for MariaDB < 10.11.Skyiesac
2026-01-23Refs #33735 -- Coped with stacklevel change in ASGITest.test_file_response().Jacob Walls
Follow-up to c042fe3a74fb213c93b1052f7de4d99a6e6948e0. The original ignore was added in 0bd2c0c9015b53c41394a1c0989afbfd94dc2830 but was not adjusted when the stacklevel changed.
2026-01-22Fixed #13883 -- Rendered named choice groups with <optgroup> in ↵seanhelvey
FilteredSelectMultiple. This patch adds support for <optgroup>s in FilteredSelectMultiple widgets. When a popup returns a new object, if the source field contains optgroup choices, the optgroup is now also included in the response data. Additionally, this adds error handling for invalid source_model parameters to prevent crashes and display user-friendly error messages instead. Co-authored-by: Michael McLarnon <mmclar@gmail.com>