This preserves the behavior of redirecting to the logout URL without
query string parameters when an insecure ?next=... parameter is given.
It changes the behavior of a POST to the logout URL, as shown by the
test that is changed. Currently, this results in a GET to the logout
URL. However, such GET requests are deprecated. This change would be
necessary in Django 5.0 anyway. This commit merely anticipates it.
This might change the behavior when self.next_page == "". However,
resolve_url(self.next_page) would almost certainly fail in that case.
It is technically possible to define a logout URLpattern whose name is
"": path('logout/', LogoutView.as_view(), name=''), and then to refer to
this pattern with next_page = "". However this feels like a pathological
case, so we decided not to handle it.
Most checks on next_page, LOGIN_REDIRECT_URL, and LOGOUT_REDIRECT_URL
are performed with boolean evaluation rather than comparison with None.
That's why we are standardizing that way.
This aligns it with LoginView. Also, it removes confusion with the
get_next_page() method of paginators. get_next_page() was a private
API, therefore this refactoring is allowed.
This also renames SuccessURLAllowedHostsMixin to RedirectURLMixin.
This doesn't change the behavior of LogoutView.get_next_page() because
next_page == "" implies url_is_safe == False before the refactoring.
The default argument is unnecessary because
url_has_allowed_host_and_scheme() returns False when its first argument
is "" or None, so get_redirect_url() still returns "".
This also aligns LoginView.get_redirect_url() and LogoutView.get_next_page().
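The redirect-safety behaviour these two commit messages rely on (an empty or None next_page, or one pointing at a foreign host, is rejected and get_redirect_url() returns "" so the view falls back to its default) can be shown with a small, self-contained model. The block below is an added illustration, not Django's code: url_has_allowed_host_and_scheme() here is a simplified stand-in for the real Django helper of the same name, and get_redirect_url() only mirrors the logic described above.

```python
from urllib.parse import urlsplit


def url_has_allowed_host_and_scheme(url, allowed_hosts, require_https=False):
    """Simplified stand-in for Django's helper (added example, not Django code).

    Return True only when url is safe to redirect to. Like the helper it
    imitates, an empty or None url is rejected, which is why callers can
    treat "" as "no redirect" without a separate None comparison.
    """
    if not url:
        return False
    url = url.strip()
    if not url:
        return False
    # Reject "///host" and backslash forms that browsers normalise into a
    # protocol-relative URL pointing at another host.
    if url.startswith("///") or url.startswith("\\"):
        return False
    try:
        parts = urlsplit(url.replace("\\", "/"))
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    host = parts.netloc
    if not host and scheme:
        # e.g. "javascript:alert(1)" has a scheme but no host
        return False
    if host and host not in allowed_hosts:
        return False
    valid_schemes = ["https"] if require_https else ["http", "https"]
    return not scheme or scheme in valid_schemes


def get_redirect_url(next_page, allowed_hosts):
    """Mirror of the behaviour described in the commit messages above.

    An unsafe or empty next_page yields "", which the caller interprets as
    "use the default (e.g. LOGOUT_REDIRECT_URL) instead".
    """
    if url_has_allowed_host_and_scheme(next_page, allowed_hosts):
        return next_page
    return ""
```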
Adjusted admin javascript to add newly created related objects to
already loaded select widgets.
In this version, applies only where limit_choices_to is not set.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
This includes refactoring of CombinedExpression._resolve_output_field()
so it no longer uses the behavior inherited from Expression of guessing
same output type if argument types match, and instead we explicitly
define the output type of all supported operations.
This also makes nonsensical operations involving dates
(e.g. date + date) raise a FieldError, and adds support for
automatically inferring output_field for cases such as:
* date - date
* date + duration
* date - duration
* time + duration
* time - time