Django

Latest version: v5.1.3

Safety actively analyzes 681775 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 33 of 54

1.11.5

Not secure
===========================

*September 5, 2017*

Django 1.11.5 fixes a security issue and several bugs in 1.11.4.

CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page
=============================================================================

In older versions, HTML autoescaping was disabled in a portion of the template
for the technical 500 debug page. Given the right circumstances, this allowed
a cross-site scripting attack. This vulnerability shouldn't affect most
production sites since you shouldn't run with ``DEBUG = True`` (which makes
this page accessible) in your production settings.

Bugfixes
========

* Fixed GEOS version parsing if the version has a commit hash at the end (new
in GEOS 3.6.2) (:ticket:`28441`).

* Added compatibility for ``cx_Oracle`` 6 (:ticket:`28498`).

* Fixed select widget rendering when option values are tuples (:ticket:`28502`).

* Django 1.11 inadvertently changed the sequence and trigger naming scheme on
Oracle. This causes errors on INSERTs for some tables if
``'use_returning_into': False`` is in the ``OPTIONS`` part of ``DATABASES``.
The pre-1.11 naming scheme is now restored. Unfortunately, it necessarily
requires an update to Oracle tables created with Django 1.11.[1-4]. Use the
upgrade script in :ticket:`28451` comment 8 to update sequence and trigger
names to use the pre-1.11 naming scheme.

* Added POST request support to ``LogoutView``, for equivalence with the
function-based ``logout()`` view (:ticket:`28513`).

* Omitted ``pages_per_range`` from ``BrinIndex.deconstruct()`` if it's ``None``
(:ticket:`25809`).

* Fixed a regression where ``SelectDateWidget`` localized the years in the
select box (:ticket:`28530`).

* Fixed a regression in 1.11.4 where ``runserver`` crashed with non-Unicode
system encodings on Python 2 + Windows (:ticket:`28487`).

* Fixed a regression in Django 1.10 where changes to a ``ManyToManyField``
weren't logged in the admin change history (:ticket:`27998`) and prevented
``ManyToManyField`` initial data in model forms from being affected by
subsequent model changes (:ticket:`28543`).

* Fixed non-deterministic results or an ``AssertionError`` crash in some
queries with multiple joins (:ticket:`26522`).

* Fixed a regression in ``contrib.auth``'s ``login()`` and ``logout()`` views
where they ignored positional arguments (:ticket:`28550`).


===========================

1.11.4

Not secure
===========================

*August 1, 2017*

Django 1.11.4 fixes several bugs in 1.11.3.

Bugfixes
========

* Fixed a regression in 1.11.3 on Python 2 where non-ASCII ``format`` values
for date/time widgets results in an empty ``value`` in the widget's HTML
(:ticket:`28355`).

* Fixed ``QuerySet.union()`` and ``difference()`` when combining with
a queryset raising ``EmptyResultSet`` (:ticket:`28378`).

* Fixed a regression in pickling of ``LazyObject`` on Python 2 when the wrapped
object doesn't have ``__reduce__()`` (:ticket:`28389`).

* Fixed crash in ``runserver``'s ``autoreload`` with Python 2 on Windows with
non-``str`` environment variables (:ticket:`28174`).

* Corrected ``Field.has_changed()`` to return ``False`` for disabled form
fields: ``BooleanField``, ``MultipleChoiceField``, ``MultiValueField``,
``FileField``, ``ModelChoiceField``, and ``ModelMultipleChoiceField``.

* Fixed ``QuerySet.count()`` for ``union()``, ``difference()``, and
``intersection()`` queries. (:ticket:`28399`).

* Fixed ``ClearableFileInput`` rendering as a subwidget of ``MultiWidget``
(:ticket:`28414`). Custom ``clearable_file_input.html`` widget templates
will need to adapt for the fact that context values
``checkbox_name``, ``checkbox_id``, ``is_initial``, ``input_text``,
``initial_text``, and ``clear_checkbox_label`` are now attributes of
``widget`` rather than appearing in the top-level context.

* Fixed queryset crash when using a ``GenericRelation`` to a proxy model
(:ticket:`28418`).


===========================

1.11.3

Not secure
===========================

*July 1, 2017*

Django 1.11.3 fixes several bugs in 1.11.2.

Bugfixes
========

* Removed an incorrect deprecation warning about a missing ``renderer``
argument if a ``Widget.render()`` method accepts ``**kwargs``
(:ticket:`28265`).

* Fixed a regression causing ``Model.__init__()`` to crash if a field has an
instance only descriptor (:ticket:`28269`).

* Fixed an incorrect ``DisallowedModelAdminLookup`` exception when using
a nested reverse relation in ``list_filter`` (:ticket:`28262`).

* Fixed admin's ``FieldListFilter.get_queryset()`` crash on invalid input
(:ticket:`28202`).

* Fixed invalid HTML for a required ``AdminFileWidget`` (:ticket:`28278`).

* Fixed model initialization to set the name of class-based model indexes
for models that only inherit ``models.Model`` (:ticket:`28282`).

* Fixed crash in admin's inlines when a model has an inherited non-editable
primary key (:ticket:`27967`).

* Fixed ``QuerySet.union()``, ``intersection()``, and ``difference()`` when
combining with an ``EmptyQuerySet`` (:ticket:`28293`).

* Prevented ``Paginator``’s unordered object list warning from evaluating a
``QuerySet`` (:ticket:`28284`).

* Fixed the value of ``redirect_field_name`` in ``LoginView``’s template
context. It's now an empty string (as it is for the original function-based
``login()`` view) if the corresponding parameter isn't sent in a request (in
particular, when the login page is accessed directly) (:ticket:`28229`).

* Prevented attribute values in the ``django/forms/widgets/attrs.html``
template from being localized so that numeric attributes (e.g. ``max`` and
``min``) of ``NumberInput`` work correctly (:ticket:`28303`).

* Removed casting of the option value to a string in the template context of
the ``CheckboxSelectMultiple``, ``NullBooleanSelect``, ``RadioSelect``,
``SelectMultiple``, and ``Select`` widgets (:ticket:`28176`). In Django
1.11.1, casting was added in Python to avoid localization of numeric values
in Django templates, but this made some use cases more difficult. Casting is
now done in the template using the ``|stringformat:'s'`` filter.

* Prevented a primary key alteration from adding a foreign key constraint if
``db_constraint=False`` (:ticket:`28298`).

* Fixed ``UnboundLocalError`` crash in ``RenameField`` with nonexistent field
(:ticket:`28350`).

* Fixed a regression preventing a model field's ``limit_choices_to`` from being
evaluated when a ``ModelForm`` is instantiated (:ticket:`28345`).


===========================

1.11.2

Not secure
===========================

*June 1, 2017*

Django 1.11.2 adds a minor feature and fixes several bugs in 1.11.1. Also, the
latest string translations from Transifex are incorporated.

Minor feature
=============

The new ``LiveServerTestCase.port`` attribute reallows the use case of binding
to a specific port following the :ref:`bind to port zero
<liveservertestcase-port-zero-change>` change in Django 1.11.

Bugfixes
========

* Added detection for GDAL 2.1 and 2.0, and removed detection for unsupported
versions 1.7 and 1.8 (:ticket:`28181`).

* Changed ``contrib.gis`` to raise ``ImproperlyConfigured`` rather than
``GDALException`` if ``gdal`` isn't installed, to allow third-party apps to
catch that exception (:ticket:`28178`).

* Fixed ``django.utils.http.is_safe_url()`` crash on invalid IPv6 URLs
(:ticket:`28142`).

* Fixed regression causing pickling of model fields to crash (:ticket:`28188`).

* Fixed ``django.contrib.auth.authenticate()`` when multiple authentication
backends don't accept a positional ``request`` argument (:ticket:`28207`).

* Fixed introspection of index field ordering on PostgreSQL (:ticket:`28197`).

* Fixed a regression where ``Model._state.adding`` wasn't set correctly on
multi-table inheritance parent models after saving a child model
(:ticket:`28210`).

* Allowed ``DjangoJSONEncoder`` to serialize
``django.utils.deprecation.CallableBool`` (:ticket:`28230`).

* Relaxed the validation added in Django 1.11 of the fields in the ``defaults``
argument of ``QuerySet.get_or_create()`` and ``update_or_create()`` to
reallow settable model properties (:ticket:`28222`).

* Fixed ``MultipleObjectMixin.paginate_queryset()`` crash on Python 2 if the
``InvalidPage`` message contains non-ASCII (:ticket:`28204`).

* Prevented ``Subquery`` from adding an unnecessary ``CAST`` which resulted in
invalid SQL (:ticket:`28199`).

* Corrected detection of GDAL 2.1 on Windows (:ticket:`28181`).

* Made date-based generic views return a 404 rather than crash when given an
out of range date (:ticket:`28209`).

* Fixed a regression where ``file_move_safe()`` crashed when moving files to a
CIFS mount (:ticket:`28170`).

* Moved the ``ImageField`` file extension validation added in Django 1.11 from
the model field to the form field to reallow the use case of storing images
without an extension (:ticket:`28242`).


===========================

1.11.1

Not secure
===========================

*May 6, 2017*

Django 1.11.1 adds a minor feature and fixes several bugs in 1.11.

Allowed disabling server-side cursors on PostgreSQL
===================================================

The change in Django 1.11 to make :meth:`.QuerySet.iterator()` use server-side
cursors on PostgreSQL prevents running Django with PgBouncer in transaction
pooling mode. To reallow that, use the :setting:`DISABLE_SERVER_SIDE_CURSORS
<DATABASE-DISABLE_SERVER_SIDE_CURSORS>` setting in :setting:`DATABASES`.

See :ref:`transaction-pooling-server-side-cursors` for more discussion.

Bugfixes
========

* Made migrations respect ``Index``’s ``name`` argument. If you created a
named index with Django 1.11, ``makemigrations`` will create a migration to
recreate the index with the correct name (:ticket:`28051`).

* Fixed a crash when using a ``__icontains`` lookup on a ``ArrayField``
(:ticket:`28038`).

* Fixed a crash when using a 2-tuple in ``EmailMessage``’s ``attachments``
argument (:ticket:`28042`).

* Fixed ``QuerySet.filter()`` crash when it references the name of a
``OneToOneField`` primary key (:ticket:`28047`).

* Fixed empty POST data table appearing instead of "No POST data" in HTML debug
page (:ticket:`28079`).

* Restored ``BoundField``\s without any ``choices`` evaluating to ``True``
(:ticket:`28058`).

* Prevented ``SessionBase.cycle_key()`` from losing session data if
``_session_cache`` isn't populated (:ticket:`28066`).

* Fixed layout of ``ReadOnlyPasswordHashWidget`` (used in the admin's user
change page) (:ticket:`28097`).

* Allowed prefetch calls on managers with custom ``ModelIterable`` subclasses
(:ticket:`28096`).

* Fixed change password link in the ``contrib.auth`` admin for ``el``,
``es_MX``, and ``pt`` translations (:ticket:`28100`).

* Restored the output of the ``class`` attribute in the ``<ul>`` of widgets
that use the ``multiple_input.html`` template. This fixes
``ModelAdmin.radio_fields`` with ``admin.HORIZONTAL`` (:ticket:`28059`).

* Fixed crash in ``BaseGeometryWidget.subwidgets()`` (:ticket:`28039`).

* Fixed exception reraising in ORM query execution when ``cursor.execute()``
fails and the subsequent ``cursor.close()`` also fails (:ticket:`28091`).

* Fixed a regression where ``CheckboxSelectMultiple``, ``NullBooleanSelect``,
``RadioSelect``, ``SelectMultiple``, and ``Select`` localized option values
(:ticket:`28075`).

* Corrected the stack level of unordered queryset pagination warnings
(:ticket:`28109`).

* Fixed a regression causing incorrect queries for ``__in`` subquery lookups
when models use ``ForeignKey.to_field`` (:ticket:`28101`).

* Fixed crash when overriding the template of
``django.views.static.directory_index()`` (:ticket:`28122`).

* Fixed a regression in formset ``min_num`` validation with unchanged forms
that have initial data (:ticket:`28130`).

* Prepared for ``cx_Oracle`` 6.0 support (:ticket:`28138`).

* Updated the ``contrib.postgres`` ``SplitArrayWidget`` to use template-based
widget rendering (:ticket:`28040`).

* Fixed crash in ``BaseGeometryWidget.get_context()`` when overriding existing
``attrs`` (:ticket:`28105`).

* Prevented ``AddIndex`` and ``RemoveIndex`` from mutating model state
(:ticket:`28043`).

* Prevented migrations from dropping database indexes from ``Meta.indexes``
when changing ``Field.db_index`` to ``False`` (:ticket:`28052`).

* Fixed a regression in choice ordering in form fields with grouped and
non-grouped options (:ticket:`28157`).

* Fixed crash in ``BaseInlineFormSet._construct_form()`` when using
``save_as_new`` (:ticket:`28159`).

* Fixed a regression where ``Model._state.db`` wasn't set correctly on
multi-table inheritance parent models after saving a child model
(:ticket:`28166`).

* Corrected the return type of ``ArrayField(CITextField())`` values retrieved
from the database (:ticket:`28161`).

* Fixed ``QuerySet.prefetch_related()`` crash when fetching relations in nested
``Prefetch`` objects (:ticket:`27554`).

* Prevented hiding GDAL errors if it's not installed when using ``contrib.gis``
(:ticket:`28160`). (It's a required dependency as of Django 1.11.)

* Fixed a regression causing ``__in`` lookups on a foreign key to fail when
using the foreign key's parent model as the lookup value (:ticket:`28175`).


=========================

1.11

Not secure
=========================

*April 4, 2017*

Welcome to Django 1.11!

These release notes cover the :ref:`new features <whats-new-1.11>`, as well as
some :ref:`backwards incompatible changes <backwards-incompatible-1.11>` you'll
want to be aware of when upgrading from Django 1.10 or older versions. We've
:ref:`begun the deprecation process for some features
<deprecated-features-1.11>`.

See the :doc:`/howto/upgrade-version` guide if you're updating an existing
project.

Django 1.11 is designated as a :term:`long-term support release
<Long-term support release>`. It will receive security updates for at least
three years after its release. Support for the previous LTS, Django 1.8, will
end in April 2018.

Python compatibility
====================

Django 1.11 requires Python 2.7, 3.4, 3.5, 3.6, or 3.7 (as of 1.11.17). We
**highly recommend** and only officially support the latest release of each
series.

The Django 1.11.x series is the last to support Python 2. The next major
release, Django 2.0, will only support Python 3.4+.

Deprecating warnings are no longer loud by default
==================================================

Unlike older versions of Django, Django's own deprecation warnings are no
longer displayed by default. This is consistent with Python's default behavior.

This change allows third-party apps to support both Django 1.11 LTS and Django
1.8 LTS without having to add code to avoid deprecation warnings.

Following the release of Django 2.0, we suggest that third-party app authors
drop support for all versions of Django prior to 1.11. At that time, you should
be able run your package's tests using ``python -Wd`` so that deprecation
warnings do appear. After making the deprecation warning fixes, your app should
be compatible with Django 2.0.

.. _whats-new-1.11:

What's new in Django 1.11
=========================

Class-based model indexes
-------------------------

The new :mod:`django.db.models.indexes` module contains classes which ease
creating database indexes. Indexes are added to models using the
:attr:`Meta.indexes <django.db.models.Options.indexes>` option.

The :class:`~django.db.models.Index` class creates a b-tree index, as if you
used :attr:`~django.db.models.Field.db_index` on the model field or
``index_together`` on the model ``Meta`` class. It can be subclassed to support
different index types, such as
:class:`~django.contrib.postgres.indexes.GinIndex`. It also allows defining the
order (ASC/DESC) for the columns of the index.

Template-based widget rendering
-------------------------------

To ease customizing widgets, form widget rendering is now done using the
template system rather than in Python. See :doc:`/ref/forms/renderers`.

You may need to adjust any custom widgets that you've written for a few
:ref:`backwards incompatible changes <template-widget-incompatibilities-1-11>`.

``Subquery`` expressions
------------------------

The new :class:`~django.db.models.Subquery` and
:class:`~django.db.models.Exists` database expressions allow creating
explicit subqueries. Subqueries may refer to fields from the outer queryset
using the :class:`~django.db.models.OuterRef` class.

Minor features
--------------

:mod:`django.contrib.admin`
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :attr:`.ModelAdmin.date_hierarchy` can now reference fields across relations.

* The new :meth:`ModelAdmin.get_exclude()
<django.contrib.admin.ModelAdmin.get_exclude>` hook allows specifying the
exclude fields based on the request or model instance.

* The ``popup_response.html`` template can now be overridden per app, per
model, or by setting the :attr:`.ModelAdmin.popup_response_template`
attribute.

:mod:`django.contrib.auth`
~~~~~~~~~~~~~~~~~~~~~~~~~~

* The default iteration count for the PBKDF2 password hasher is increased by
20%.

* The :class:`~django.contrib.auth.views.LoginView` and
:class:`~django.contrib.auth.views.LogoutView` class-based views supersede the
deprecated ``login()`` and ``logout()`` function-based views.

* The :class:`~django.contrib.auth.views.PasswordChangeView`,
:class:`~django.contrib.auth.views.PasswordChangeDoneView`,
:class:`~django.contrib.auth.views.PasswordResetView`,
:class:`~django.contrib.auth.views.PasswordResetDoneView`,
:class:`~django.contrib.auth.views.PasswordResetConfirmView`, and
:class:`~django.contrib.auth.views.PasswordResetCompleteView` class-based
views supersede the deprecated ``password_change()``,
``password_change_done()``, ``password_reset()``, ``password_reset_done()``,
``password_reset_confirm()``, and ``password_reset_complete()`` function-based
views.

* The new ``post_reset_login`` attribute for
:class:`~django.contrib.auth.views.PasswordResetConfirmView` allows
automatically logging in a user after a successful password reset.
If you have multiple ``AUTHENTICATION_BACKENDS`` configured, use the
``post_reset_login_backend`` attribute to choose which one to use.

* To avoid the possibility of leaking a password reset token via the HTTP
Referer header (for example, if the reset page includes a reference to CSS or
JavaScript hosted on another domain), the
:class:`~django.contrib.auth.views.PasswordResetConfirmView` (but not the
deprecated ``password_reset_confirm()`` function-based view) stores the token
in a session and redirects to itself to present the password change form to
the user without the token in the URL.

* :func:`~django.contrib.auth.update_session_auth_hash` now rotates the session
key to allow a password change to invalidate stolen session cookies.

* The new ``success_url_allowed_hosts`` attribute for
:class:`~django.contrib.auth.views.LoginView` and
:class:`~django.contrib.auth.views.LogoutView` allows specifying a set of
hosts that are safe for redirecting after login and logout.

* Added password validators ``help_text`` to
:class:`~django.contrib.auth.forms.UserCreationForm`.

* The ``HttpRequest`` is now passed to :func:`~django.contrib.auth.authenticate`
which in turn passes it to the authentication backend if it accepts a
``request`` argument.

* The :func:`~django.contrib.auth.signals.user_login_failed` signal now
receives a ``request`` argument.

* :class:`~django.contrib.auth.forms.PasswordResetForm` supports custom user
models that use an email field named something other than ``'email'``.
Set :attr:`CustomUser.EMAIL_FIELD
<django.contrib.auth.models.CustomUser.EMAIL_FIELD>` to the name of the field.

* :func:`~django.contrib.auth.get_user_model` can now be called at import time,
even in modules that define models.

:mod:`django.contrib.contenttypes`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* When stale content types are detected in the
:djadmin:`remove_stale_contenttypes` command, there's now a list of related
objects such as ``auth.Permission``\s that will also be deleted. Previously,
only the content types were listed (and this prompt was after ``migrate``
rather than in a separate command).

:mod:`django.contrib.gis`
~~~~~~~~~~~~~~~~~~~~~~~~~

* The new :meth:`.GEOSGeometry.from_gml` and :meth:`.OGRGeometry.from_gml`
methods allow creating geometries from GML.

* Added support for the :lookup:`dwithin` lookup on SpatiaLite.

* The :class:`~django.contrib.gis.db.models.functions.Area` function,
:class:`~django.contrib.gis.db.models.functions.Distance` function, and
distance lookups now work with geodetic coordinates on SpatiaLite.

* The OpenLayers-based form widgets now use ``OpenLayers.js`` from
``https://cdnjs.cloudflare.com`` which is more suitable for production use
than the old ``https://openlayers.org/`` source. They are also updated to use
OpenLayers 3.

* PostGIS migrations can now change field dimensions.

* Added the ability to pass the ``size``, ``shape``, and ``offset`` parameters
when creating :class:`~django.contrib.gis.gdal.GDALRaster` objects.

* Added SpatiaLite support for the
:class:`~django.contrib.gis.db.models.functions.IsValid` function,
:class:`~django.contrib.gis.db.models.functions.MakeValid` function, and
:lookup:`isvalid` lookup.

* Added Oracle support for the
:class:`~django.contrib.gis.db.models.functions.AsGML` function,
:class:`~django.contrib.gis.db.models.functions.BoundingCircle` function,
:class:`~django.contrib.gis.db.models.functions.IsValid` function, and
:lookup:`isvalid` lookup.

:mod:`django.contrib.postgres`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* The new ``distinct`` argument for
:class:`~django.contrib.postgres.aggregates.StringAgg` determines if
concatenated values will be distinct.

* The new :class:`~django.contrib.postgres.indexes.GinIndex` and
:class:`~django.contrib.postgres.indexes.BrinIndex` classes allow
creating ``GIN`` and ``BRIN`` indexes in the database.

* ``django.contrib.postgres.fields.JSONField`` accepts a new ``encoder``
parameter to specify a custom class to encode data types not supported by the
standard encoder.

* The new ``CIText`` mixin and
:class:`~django.contrib.postgres.operations.CITextExtension` migration
operation allow using PostgreSQL's ``citext`` extension for case-insensitive
lookups. Three fields are provided: ``CICharField``, ``CIEmailField``, and
``CITextField``.

* The new :class:`~django.contrib.postgres.aggregates.JSONBAgg` allows
aggregating values as a JSON array.

* The :class:`~django.contrib.postgres.fields.HStoreField` (model field) and
:class:`~django.contrib.postgres.forms.HStoreField` (form field) allow
storing null values.

Cache
~~~~~

* Memcached backends now pass the contents of :setting:`OPTIONS <CACHES-OPTIONS>`
as keyword arguments to the client constructors, allowing for more advanced
control of client behavior. See the :ref:`cache arguments <cache_arguments>`
documentation for examples.

* Memcached backends now allow defining multiple servers as a comma-delimited
string in :setting:`LOCATION <CACHES-LOCATION>`, for convenience with
third-party services that use such strings in environment variables.

CSRF
~~~~

* Added the :setting:`CSRF_USE_SESSIONS` setting to allow storing the CSRF
token in the user's session rather than in a cookie.

Database backends
~~~~~~~~~~~~~~~~~

* Added the ``skip_locked`` argument to :meth:`.QuerySet.select_for_update()`
on PostgreSQL 9.5+ and Oracle to execute queries with
``FOR UPDATE SKIP LOCKED``.

* Added the :setting:`TEST['TEMPLATE'] <TEST_TEMPLATE>` setting to let
PostgreSQL users specify a template for creating the test database.

* :meth:`.QuerySet.iterator()` now uses `server-side cursors`_ on PostgreSQL.
This feature transfers some of the worker memory load (used to hold query
results) to the database and might increase database memory usage.

.. _server-side cursors: https://www.psycopg.org/docs/usage.html#server-side-cursors

* Added MySQL support for the ``'isolation_level'`` option in
:setting:`OPTIONS` to allow specifying the :ref:`transaction isolation level
<mysql-isolation-level>`. To avoid possible data loss, it's recommended to
switch from MySQL's default level, repeatable read, to read committed.

* Added support for ``cx_Oracle`` 5.3.

Email
~~~~~

* Added the :setting:`EMAIL_USE_LOCALTIME` setting to allow sending SMTP date
headers in the local time zone rather than in UTC.

* ``EmailMessage.attach()`` and ``attach_file()`` now fall back to MIME type
:mimetype:`application/octet-stream` when binary content that can't be
decoded as UTF-8 is specified for a :mimetype:`text/*` attachment.

File Storage
~~~~~~~~~~~~

* To make it wrappable by :class:`io.TextIOWrapper`,
:class:`~django.core.files.File` now has the ``readable()``, ``writable()``,
and ``seekable()`` methods.

Forms
~~~~~

* The new ``empty_value`` attribute on :class:`~django.forms.CharField`,
:class:`~django.forms.EmailField`, :class:`~django.forms.RegexField`,
:class:`~django.forms.SlugField`, and :class:`~django.forms.URLField` allows
specifying the Python value to use to represent "empty".

* The new :meth:`Form.get_initial_for_field()
<django.forms.Form.get_initial_for_field>` method returns initial data for a
form field.

Internationalization
~~~~~~~~~~~~~~~~~~~~

* Number formatting and the :setting:`NUMBER_GROUPING` setting support
non-uniform digit grouping.

Management Commands
~~~~~~~~~~~~~~~~~~~

* The new :option:`loaddata --exclude` option allows excluding models and apps
while loading data from fixtures.

* The new :option:`diffsettings --default` option allows specifying a settings
module other than Django's default settings to compare against.

* ``app_label``\s arguments now limit the :option:`showmigrations --plan`
output.

Migrations
~~~~~~~~~~

* Added support for serialization of ``uuid.UUID`` objects.

Models
~~~~~~

* Added support for callable values in the ``defaults`` argument of
:meth:`QuerySet.update_or_create()
<django.db.models.query.QuerySet.update_or_create>` and
:meth:`~django.db.models.query.QuerySet.get_or_create`.

* :class:`~django.db.models.ImageField` now has a default
:data:`~django.core.validators.validate_image_file_extension` validator.
(This validator moved to the form field in :doc:`Django 1.11.2 <1.11.2>`.)

* Added support for time truncation to
:class:`~django.db.models.functions.Trunc` functions.

* Added the :class:`~django.db.models.functions.ExtractWeek` function to
extract the week from :class:`~django.db.models.DateField` and
:class:`~django.db.models.DateTimeField` and exposed it through the
:lookup:`week` lookup.

* Added the :class:`~django.db.models.functions.TruncTime` function to truncate
:class:`~django.db.models.DateTimeField` to its time component and exposed it
through the :lookup:`time` lookup.

* Added support for expressions in :meth:`.QuerySet.values` and
:meth:`~.QuerySet.values_list`.

* Added support for query expressions on lookups that take multiple arguments,
such as ``range``.

* You can now use the ``unique=True`` option with
:class:`~django.db.models.FileField`.

* Added the ``nulls_first`` and ``nulls_last`` parameters to
:class:`Expression.asc() <django.db.models.Expression.asc>` and
:meth:`~django.db.models.Expression.desc` to control
the ordering of null values.

* The new ``F`` expression ``bitleftshift()`` and ``bitrightshift()`` methods
allow :ref:`bitwise shift operations <using-f-expressions-in-filters>`.

* Added :meth:`.QuerySet.union`, :meth:`~.QuerySet.intersection`, and
:meth:`~.QuerySet.difference`.

Requests and Responses
~~~~~~~~~~~~~~~~~~~~~~

* Added :meth:`QueryDict.fromkeys() <django.http.QueryDict.fromkeys>`.

* :class:`~django.middleware.common.CommonMiddleware` now sets the
``Content-Length`` response header for non-streaming responses.

* Added the :setting:`SECURE_HSTS_PRELOAD` setting to allow appending the
``preload`` directive to the ``Strict-Transport-Security`` header.

* :class:`~django.middleware.http.ConditionalGetMiddleware` now adds the
``ETag`` header to responses.

Serialization
~~~~~~~~~~~~~

* The new ``django.core.serializers.base.Serializer.stream_class`` attribute
allows subclasses to customize the default stream.

* The encoder used by the :ref:`JSON serializer <serialization-formats-json>`
can now be customized by passing a ``cls`` keyword argument to the
``serializers.serialize()`` function.

* :class:`~django.core.serializers.json.DjangoJSONEncoder` now serializes
:class:`~datetime.timedelta` objects (used by
:class:`~django.db.models.DurationField`).

Templates
~~~~~~~~~

* :meth:`~django.utils.safestring.mark_safe` can now be used as a decorator.

* The :class:`~django.template.backends.jinja2.Jinja2` template backend now
supports context processors by setting the ``'context_processors'`` option in
:setting:`OPTIONS <TEMPLATES-OPTIONS>`.

* The :ttag:`regroup` tag now returns ``namedtuple``\s instead of dictionaries
so you can unpack the group object directly in a loop, e.g.
``{% for grouper, list in regrouped %}``.

* Added a :ttag:`resetcycle` template tag to allow resetting the sequence of
the :ttag:`cycle` template tag.

* You can now specify specific directories for a particular
:class:`filesystem.Loader <django.template.loaders.filesystem.Loader>`.

Tests
~~~~~

* Added :meth:`.DiscoverRunner.get_test_runner_kwargs` to allow customizing the
keyword arguments passed to the test runner.

* Added the :option:`test --debug-mode` option to help troubleshoot test
failures by setting the :setting:`DEBUG` setting to ``True``.

* The new :func:`django.test.utils.setup_databases` (moved from
``django.test.runner``) and :func:`~django.test.utils.teardown_databases`
functions make it easier to build custom test runners.

* Added support for :meth:`python:unittest.TestCase.subTest`’s when using the
:option:`test --parallel` option.

* ``DiscoverRunner`` now runs the system checks at the start of a test run.
Override the :meth:`.DiscoverRunner.run_checks` method if you want to disable
that.

Validators
~~~~~~~~~~

* Added :class:`~django.core.validators.FileExtensionValidator` to validate
file extensions and
:data:`~django.core.validators.validate_image_file_extension` to validate
image files.

.. _backwards-incompatible-1.11:

Backwards incompatible changes in 1.11
======================================

:mod:`django.contrib.gis`
-------------------------

* To simplify the codebase and because it's easier to install than when
``contrib.gis`` was first released, :ref:`gdalbuild` is now a required
dependency for GeoDjango. In older versions, it's only required for SQLite.

* ``contrib.gis.maps`` is removed as it interfaces with a retired version of
the Google Maps API and seems to be unmaintained. If you're using it,
:ticket:`let us know <14284>`.

* The ``GEOSGeometry`` equality operator now also compares SRID.

* The OpenLayers-based form widgets now use OpenLayers 3, and the
``gis/openlayers.html`` and ``gis/openlayers-osm.html`` templates have been
updated. Check your project if you subclass these widgets or extend the
templates. Also, the new widgets work a bit differently than the old ones.
Instead of using a toolbar in the widget, you click to draw, click and drag
to move the map, and click and drag a point/vertex/corner to move it.

* Support for SpatiaLite < 4.0 is dropped.

* Support for GDAL 1.7 and 1.8 is dropped.

* The widgets in ``contrib.gis.forms.widgets`` and the admin's
``OpenLayersWidget`` use the :doc:`form rendering API </ref/forms/renderers>`
rather than ``loader.render_to_string()``. If you're using a custom widget
template, you'll need to be sure your form renderer can locate it. For
example, you could use the :class:`~django.forms.renderers.TemplatesSetting`
renderer.

:mod:`django.contrib.staticfiles`
---------------------------------

* ``collectstatic`` may now fail during post-processing when using a hashed
static files storage if a reference loop exists (e.g. ``'foo.css'``
references ``'bar.css'`` which itself references ``'foo.css'``) or if the
chain of files referencing other files is too deep to resolve in several
passes. In the latter case, increase the number of passes using
:attr:`.ManifestStaticFilesStorage.max_post_process_passes`.

* When using ``ManifestStaticFilesStorage``, static files not found in the
manifest at runtime now raise a ``ValueError`` instead of returning an
unchanged path. You can revert to the old behavior by setting
:attr:`.ManifestStaticFilesStorage.manifest_strict` to ``False``.

Database backend API
--------------------

This section describes changes that may be needed in third-party database
backends.

* The ``DatabaseOperations.time_trunc_sql()`` method is added to support
``TimeField`` truncation. It accepts a ``lookup_type`` and ``field_name``
arguments and returns the appropriate SQL to truncate the given time field
``field_name`` to a time object with only the given specificity. The
``lookup_type`` argument can be either ``'hour'``, ``'minute'``, or
``'second'``.

* The ``DatabaseOperations.datetime_cast_time_sql()`` method is added to
support the :lookup:`time` lookup. It accepts a ``field_name`` and ``tzname``
arguments and returns the SQL necessary to cast a datetime value to time value.

* To enable ``FOR UPDATE SKIP LOCKED`` support, set
``DatabaseFeatures.has_select_for_update_skip_locked = True``.

* The new ``DatabaseFeatures.supports_index_column_ordering`` attribute
specifies if a database allows defining ordering for columns in indexes. The
default value is ``True`` and the ``DatabaseIntrospection.get_constraints()``
method should include an ``'orders'`` key in each of the returned
dictionaries with a list of ``'ASC'`` and/or ``'DESC'`` values corresponding
to the ordering of each column in the index.

* :djadmin:`inspectdb` no longer calls ``DatabaseIntrospection.get_indexes()``
which is deprecated. Custom database backends should ensure all types of
indexes are returned by ``DatabaseIntrospection.get_constraints()``.

* Renamed the ``ignores_quoted_identifier_case`` feature to
``ignores_table_name_case`` to more accurately reflect how it is used.

* The ``name`` keyword argument is added to the
``DatabaseWrapper.create_cursor(self, name=None)`` method to allow usage of
server-side cursors on backends that support it.

Dropped support for PostgreSQL 9.2 and PostGIS 2.0
--------------------------------------------------

Upstream support for PostgreSQL 9.2 ends in September 2017. As a consequence,
Django 1.11 sets PostgreSQL 9.3 as the minimum version it officially supports.

Support for PostGIS 2.0 is also removed as PostgreSQL 9.2 is the last version
to support it.

Also, the minimum supported version of psycopg2 is increased from 2.4.5 to
2.5.4.

.. _liveservertestcase-port-zero-change:

``LiveServerTestCase`` binds to port zero
-----------------------------------------

Rather than taking a port range and iterating to find a free port,
``LiveServerTestCase`` binds to port zero and relies on the operating system
to assign a free port. The ``DJANGO_LIVE_TEST_SERVER_ADDRESS`` environment
variable is no longer used, and as it's also no longer used, the
``manage.py test --liveserver`` option is removed.

If you need to bind ``LiveServerTestCase`` to a specific port, use the ``port``
attribute added in Django 1.11.2.

Protection against insecure redirects in :mod:`django.contrib.auth` and ``i18n`` views
--------------------------------------------------------------------------------------

``LoginView``, ``LogoutView`` (and the deprecated function-based equivalents),
and :func:`~django.views.i18n.set_language` protect users from being redirected
to non-HTTPS ``next`` URLs when the app is running over HTTPS.

``QuerySet.get_or_create()`` and ``update_or_create()`` validate arguments
--------------------------------------------------------------------------

To prevent typos from passing silently,
:meth:`~django.db.models.query.QuerySet.get_or_create` and
:meth:`~django.db.models.query.QuerySet.update_or_create` check that their
arguments are model fields. This should be backwards-incompatible only in the
fact that it might expose a bug in your project.

``pytz`` is a required dependency and support for ``settings.TIME_ZONE = None`` is removed
------------------------------------------------------------------------------------------

To simplify Django's timezone handling, ``pytz`` is now a required dependency.
It's automatically installed along with Django.

Support for ``settings.TIME_ZONE = None`` is removed as the behavior isn't
commonly used and is questionably useful. If you want to automatically detect
the timezone based on the system timezone, you can use :pypi:`tzlocal`::

from tzlocal import get_localzone

TIME_ZONE = get_localzone().zone

This works similar to ``settings.TIME_ZONE = None`` except that it also sets
``os.environ['TZ']``. `Let us know
<https://groups.google.com/g/django-developers/c/OAV3FChfuPM/discussion>`__
if there's a use case where you find you can't adapt your code to set a
``TIME_ZONE``.

HTML changes in admin templates
-------------------------------

``<p class="help">`` is replaced with a ``<div>`` tag to allow including lists
inside help text.

Read-only fields are wrapped in ``<div class="readonly">...</div>`` instead of
``<p>...</p>`` to allow any kind of HTML as the field's content.

.. _template-widget-incompatibilities-1-11:

Changes due to the introduction of template-based widget rendering
------------------------------------------------------------------

Some undocumented classes in ``django.forms.widgets`` are removed:

* ``SubWidget``
* ``RendererMixin``, ``ChoiceFieldRenderer``, ``RadioFieldRenderer``,
``CheckboxFieldRenderer``
* ``ChoiceInput``, ``RadioChoiceInput``, ``CheckboxChoiceInput``

The undocumented ``Select.render_option()`` method is removed.

The ``Widget.format_output()`` method is removed. Use a custom widget template
instead.

Some widget values, such as ``<select>`` options, are now localized if
``settings.USE_L10N=True``. You could revert to the old behavior with custom
widget templates that uses the :ttag:`localize` template tag to turn off
localization.

``django.template.backends.django.Template.render()`` prohibits non-dict context
--------------------------------------------------------------------------------

For compatibility with multiple template engines,
``django.template.backends.django.Template.render()`` (returned from high-level
template loader APIs such as ``loader.get_template()``) must receive a
dictionary of context rather than ``Context`` or ``RequestContext``. If you
were passing either of the two classes, pass a dictionary instead -- doing so
is backwards-compatible with older versions of Django.

Model state changes in migration operations
-------------------------------------------

To improve the speed of applying migrations, rendering of related models is
delayed until an operation that needs them (e.g. ``RunPython``). If you have a
custom operation that works with model classes or model instances from the
``from_state`` argument in ``database_forwards()`` or ``database_backwards()``,
you must render model states using the ``clear_delayed_apps_cache()`` method as
described in :ref:`writing your own migration operation
<writing-your-own-migration-operation>`.

Server-side cursors on PostgreSQL
---------------------------------

The change to make :meth:`.QuerySet.iterator()` use server-side cursors on
PostgreSQL prevents running Django with PgBouncer in transaction pooling mode.
To reallow that, use the :setting:`DISABLE_SERVER_SIDE_CURSORS
<DATABASE-DISABLE_SERVER_SIDE_CURSORS>` setting (added in Django 1.11.1) in
:setting:`DATABASES`.

See :ref:`transaction-pooling-server-side-cursors` for more discussion.

Miscellaneous
-------------

* If no items in the feed have a ``pubdate`` or ``updateddate`` attribute,
:meth:`SyndicationFeed.latest_post_date()
<django.utils.feedgenerator.SyndicationFeed.latest_post_date>` now returns
the current UTC date/time, instead of a datetime without any timezone
information.

* CSRF failures are logged to the ``django.security.csrf`` logger instead of
``django.request``.

* :setting:`ALLOWED_HOSTS` validation is no longer disabled when running tests.
If your application includes tests with custom host names, you must include
those host names in :setting:`ALLOWED_HOSTS`. See
:ref:`topics-testing-advanced-multiple-hosts`.

* Using a foreign key's id (e.g. ``'field_id'``) in ``ModelAdmin.list_display``
displays the related object's ID. Remove the ``_id`` suffix if you want the
old behavior of the string representation of the object.

* In model forms, :class:`~django.db.models.CharField` with ``null=True`` now
saves ``NULL`` for blank values instead of empty strings.

* On Oracle, :meth:`Model.validate_unique()
<django.db.models.Model.validate_unique>` no longer checks empty strings for
uniqueness as the database interprets the value as ``NULL``.

* If you subclass :class:`.AbstractUser` and override ``clean()``, be sure it
calls ``super()``. :meth:`.BaseUserManager.normalize_email` is called in a
new :meth:`.AbstractUser.clean` method so that normalization is applied in
cases like model form validation.

* ``EmailField`` and ``URLField`` no longer accept the ``strip`` keyword
argument. Remove it because it doesn't have an effect in older versions of
Django as these fields always strip whitespace.

* The ``checked`` and ``selected`` attribute rendered by form widgets now uses
HTML5 boolean syntax rather than XHTML's ``checked='checked'`` and
``selected='selected'``.

* :meth:`RelatedManager.add()
<django.db.models.fields.related.RelatedManager.add>`,
:meth:`~django.db.models.fields.related.RelatedManager.remove`,
:meth:`~django.db.models.fields.related.RelatedManager.clear`, and
:meth:`~django.db.models.fields.related.RelatedManager.set` now
clear the ``prefetch_related()`` cache.

* To prevent possible loss of saved settings,
:func:`~django.test.utils.setup_test_environment` now raises an exception if
called a second time before calling
:func:`~django.test.utils.teardown_test_environment`.

* The undocumented ``DateTimeAwareJSONEncoder`` alias for
:class:`~django.core.serializers.json.DjangoJSONEncoder` (renamed in Django
1.0) is removed.

* The :class:`cached template loader <django.template.loaders.cached.Loader>`
is now enabled if :setting:`OPTIONS['loaders'] <TEMPLATES-OPTIONS>` isn't
specified and :setting:`OPTIONS['debug'] <TEMPLATES-OPTIONS>` is ``False``
(the latter option defaults to the value of :setting:`DEBUG`). This could
be backwards-incompatible if you have some :ref:`template tags that aren't
thread safe <template_tag_thread_safety>`.

* The prompt for stale content type deletion no longer occurs after running the
``migrate`` command. Use the new :djadmin:`remove_stale_contenttypes` command
instead.

* The admin's widget for ``IntegerField`` uses ``type="number"`` rather than
``type="text"``.

* Conditional HTTP headers are now parsed and compared according to the
:rfc:`7232` Conditional Requests specification rather than the older
:rfc:`2616`.

* :func:`~django.utils.cache.patch_response_headers` no longer adds a
``Last-Modified`` header. According to the :rfc:`7234section-4.2.2`, this
header is useless alongside other caching headers that provide an explicit
expiration time, e.g. ``Expires`` or ``Cache-Control``.
:class:`~django.middleware.cache.UpdateCacheMiddleware` and
:func:`~django.utils.cache.add_never_cache_headers` call
``patch_response_headers()`` and therefore are also affected by this change.

* In the admin templates, ``<p class="help">`` is replaced with a ``<div>`` tag
to allow including lists inside help text.

* :class:`~django.middleware.http.ConditionalGetMiddleware` no longer sets the
``Date`` header as web servers set that header. It also no longer sets the
``Content-Length`` header as this is now done by
:class:`~django.middleware.common.CommonMiddleware`.

If you have a middleware that modifies a response's content and appears
before ``CommonMiddleware`` in the ``MIDDLEWARE`` or ``MIDDLEWARE_CLASSES``
settings, you must reorder your middleware so that responses aren't modified
after ``Content-Length`` is set, or have the response modifying middleware
reset the ``Content-Length`` header.

* :meth:`~django.apps.AppConfig.get_model` and
:meth:`~django.apps.AppConfig.get_models` now raise
:exc:`~django.core.exceptions.AppRegistryNotReady` if they're called before
models of all applications have been loaded. Previously they only required
the target application's models to be loaded and thus could return models
without all their relations set up. If you need the old behavior of
``get_model()``, set the ``require_ready`` argument to ``False``.

* The unused ``BaseCommand.can_import_settings`` attribute is removed.

* The undocumented ``django.utils.functional.lazy_property`` is removed.

* For consistency with non-multipart requests, ``MultiPartParser.parse()`` now
leaves ``request.POST`` immutable. If you're modifying that ``QueryDict``,
you must now first copy it, e.g. ``request.POST.copy()``.

* Support for ``cx_Oracle`` < 5.2 is removed.

* Support for IPython < 1.0 is removed from the ``shell`` command.

* The signature of private API ``Widget.build_attrs()`` changed from
``extra_attrs=None, **kwargs`` to ``base_attrs, extra_attrs=None``.

* File-like objects (e.g., :class:`~io.StringIO` and :class:`~io.BytesIO`)
uploaded to an :class:`~django.db.models.ImageField` using the test client
now require a ``name`` attribute with a value that passes the
:data:`~django.core.validators.validate_image_file_extension` validator.
See the note in :meth:`.Client.post`.

* :class:`~django.db.models.FileField` now moves rather than copies the file
it receives. With the default file upload settings, files larger than
:setting:`FILE_UPLOAD_MAX_MEMORY_SIZE` now have the same permissions as
temporary files (often ``0o600``) rather than the system's standard umask
(often ``0o6644``). Set the :setting:`FILE_UPLOAD_PERMISSIONS` if you need
the same permission regardless of file size.

.. _deprecated-features-1.11:

Features deprecated in 1.11
===========================

``models.permalink()`` decorator
--------------------------------

Use :func:`django.urls.reverse` instead. For example::

from django.db import models


class MyModel(models.Model):
...

models.permalink
def url(self):
return ("guitarist_detail", [self.slug])

becomes::

from django.db import models
from django.urls import reverse


class MyModel(models.Model):
...

def url(self):
return reverse("guitarist_detail", args=[self.slug])

Miscellaneous
-------------

* ``contrib.auth``’s ``login()`` and ``logout()`` function-based views are
deprecated in favor of new class-based views
:class:`~django.contrib.auth.views.LoginView` and
:class:`~django.contrib.auth.views.LogoutView`.

* The unused ``extra_context`` parameter of
``contrib.auth.views.logout_then_login()`` is deprecated.

* ``contrib.auth``’s ``password_change()``, ``password_change_done()``,
``password_reset()``, ``password_reset_done()``, ``password_reset_confirm()``,
and ``password_reset_complete()`` function-based views are deprecated in favor
of new class-based views
:class:`~django.contrib.auth.views.PasswordChangeView`,
:class:`~django.contrib.auth.views.PasswordChangeDoneView`,
:class:`~django.contrib.auth.views.PasswordResetView`,
:class:`~django.contrib.auth.views.PasswordResetDoneView`,
:class:`~django.contrib.auth.views.PasswordResetConfirmView`, and
:class:`~django.contrib.auth.views.PasswordResetCompleteView`.

* ``django.test.runner.setup_databases()`` is moved to
:func:`django.test.utils.setup_databases`. The old location is deprecated.

* ``django.utils.translation.string_concat()`` is deprecated in
favor of :func:`django.utils.text.format_lazy`. ``string_concat(*strings)``
can be replaced by ``format_lazy('{}' * len(strings), *strings)``.

* For the ``PyLibMCCache`` cache backend, passing ``pylibmc`` behavior settings
as top-level attributes of ``OPTIONS`` is deprecated. Set them under a
``behaviors`` key within ``OPTIONS`` instead.

* The ``host`` parameter of ``django.utils.http.is_safe_url()`` is deprecated
in favor of the new ``allowed_hosts`` parameter.

* Silencing exceptions raised while rendering the
:ttag:`{% include %} <include>` template tag is deprecated as the behavior is
often more confusing than helpful. In Django 2.1, the exception will be
raised.

* ``DatabaseIntrospection.get_indexes()`` is deprecated in favor of
``DatabaseIntrospection.get_constraints()``.

* :func:`~django.contrib.auth.authenticate` now passes a ``request`` argument
to the ``authenticate()`` method of authentication backends. Support for
methods that don't accept ``request`` as the first positional argument will
be removed in Django 2.1.

* The ``USE_ETAGS`` setting is deprecated in favor of
:class:`~django.middleware.http.ConditionalGetMiddleware` which now adds the
``ETag`` header to responses regardless of the setting. ``CommonMiddleware``
and ``django.utils.cache.patch_response_headers()`` will no longer set ETags
when the deprecation ends.

* ``Model._meta.has_auto_field`` is deprecated in favor of checking if
``Model._meta.auto_field is not None``.

* Using regular expression groups with ``iLmsu`` in ``url()`` is deprecated.
The only group that's useful is ``(?i)`` for case-insensitive URLs, however,
case-insensitive URLs aren't a good practice because they create multiple
entries for search engines, for example. An alternative solution could be to
create a :data:`~django.conf.urls.handler404` that looks for uppercase
characters in the URL and redirects to a lowercase equivalent.

* The ``renderer`` argument is added to the :meth:`Widget.render()
<django.forms.Widget.render>` method. Methods that don't accept that argument
will work through a deprecation period.








===========================

Page 33 of 54

Links

Releases

Has known vulnerabilities

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.