Commit Graph

3812 Commits

Author SHA1 Message Date
Aymeric Augustin 35c991aa06 Added a default limit to the maximum number of forms in a formset.
This is a security fix. Disclosure and advisory coming shortly.
2013-02-19 11:23:30 -07:00
Carl Meyer 1f39eafd60 Checked object permissions on admin history view.
This is a security fix. Disclosure and advisory coming shortly.

Patch by Russell Keith-Magee.
2013-02-19 11:23:30 -07:00
Carl Meyer c6d69c12ea Restrict the XML deserializer to prevent network and entity-expansion DoS attacks.
This is a security fix. Disclosure and advisory coming shortly.
2013-02-19 11:23:30 -07:00
Carl Meyer d51fb74360 Added a new required ALLOWED_HOSTS setting for HTTP host header validation.
This is a security fix; disclosure and advisory coming shortly.
2013-02-19 11:23:29 -07:00
Anssi Kääriäinen 4b9fa49bc0 Avoided related_name conflicts in tests 2013-02-19 03:13:13 +02:00
Anssi Kääriäinen 607772b942 Removed accidentally committed file 2013-02-19 01:55:40 +02:00
Florian Hahn 3e71368423 Fixed #10870 -- Added aggregation + generic reverse relation test 2013-02-19 01:42:02 +02:00
Anssi Kääriäinen b4492a8ca4 Fixed #19837 -- Refactored split_exclude() join generation
The refactoring mainly concentrates on making sure the inner and outer
query agree about the split position. The split position is where the
multijoin happens, and thus the split position also determines the
columns used in the "WHERE col1 IN (SELECT col2 from ...)" condition.

This commit fixes a regression caused by #10790 and commit
69597e5bcc. The regression was caused
by wrong cols in the split position.
2013-02-19 01:10:49 +02:00
Aymeric Augustin aea98e8c53 Simplified MySQL version checking.
Django used to check the version of MySQL before handling the first
request, which required:
- opening a connection
- closing it, to avoid holding it idle until the first request.

This code isn't necessary any longer since Django dropped support for
some versions of MySQL, and other database backends don't implement a
similar dance. For consistency and maintainability, remove it.

Reverts 4423757c0c.

Closes #18135.
2013-02-18 21:46:26 +01:00
Aymeric Augustin 92837ae569 Avoided firing the request_finished signal in tests.
* Avoided calling BaseHttpResponse.close(). The test client takes care of
  that since acc5396e.
* Disconnected the request_finished signal when this method must be
  called. The test client has a similar implementation since bacb097a.
2013-02-18 14:32:45 +01:00
Claude Paroz 632361611c Fixed #19833 -- Fixed import parameter encoding in get_runner
Thanks Danilo Bargen for the report.
2013-02-16 13:31:13 +01:00
Aymeric Augustin e74e207cce Fixed #17260 -- Added time zone aware aggregation and lookups.
Thanks Carl Meyer for the review.

Squashed commit of the following:

commit 4f290bdb60
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Wed Feb 13 21:21:30 2013 +0100

    Used '0:00' instead of 'UTC' which doesn't always exist in Oracle.

    Thanks Ian Kelly for the suggestion.

commit 01b6366f3c
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Wed Feb 13 13:38:43 2013 +0100

    Made tzname a parameter of datetime_extract/trunc_sql.

    This is required to work around a bug in Oracle.

commit 924a144ef8
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Wed Feb 13 14:47:44 2013 +0100

    Added support for parameters in SELECT clauses.

commit b4351d2890
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Feb 11 22:30:22 2013 +0100

    Documented backwards incompatibilities in the two previous commits.

commit 91ef84713c
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Feb 11 09:42:31 2013 +0100

    Used QuerySet.datetimes for the admin's date_hierarchy.

commit 0d0de288a5
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Feb 11 09:29:38 2013 +0100

    Used QuerySet.datetimes in date-based generic views.

commit 9c0859ff7c
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sun Feb 10 21:43:25 2013 +0100

    Implemented QuerySet.datetimes on Oracle.

commit 68ab511a4f
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sun Feb 10 21:43:14 2013 +0100

    Implemented QuerySet.datetimes on MySQL.

commit 22d52681d3
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sun Feb 10 21:42:29 2013 +0100

    Implemented QuerySet.datetimes on SQLite.

commit f6800fd04c
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sun Feb 10 21:43:03 2013 +0100

    Implemented QuerySet.datetimes on PostgreSQL.

commit 0c829c23f4
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sun Feb 10 21:41:08 2013 +0100

    Added datetime-handling infrastructure in the ORM layers.

commit 104d82a777
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Mon Feb 11 10:05:55 2013 +0100

    Updated null_queries tests to avoid clashing with the __second lookup.

commit c01bbb3235
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sun Feb 10 23:07:41 2013 +0100

    Updated tests of .dates().

    Replaced .dates() by .datetimes() for DateTimeFields.
    Replaced dates with datetimes in the expected output for DateFields.

commit 50fb7a5246
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sun Feb 10 21:40:09 2013 +0100

    Updated and added tests for QuerySet.datetimes.

commit a8451a5004
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sun Feb 10 22:34:46 2013 +0100

    Documented the new time lookups and updated the date lookups.

commit 29413eab2b
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date:   Sun Feb 10 16:15:49 2013 +0100

    Documented QuerySet.datetimes and updated QuerySet.dates.
2013-02-16 09:19:04 +01:00
Claude Paroz b19d83fc12 Improved input sanitizing with thousand separators
For languages with non-breaking space as thousand separator,
standard space input should also be allowed, as few people know
how to enter non-breaking space on keyboards. Refs #17217.
Thanks Alexey Boriskin for the report and initial patch.
2013-02-15 16:37:52 +01:00
Claude Paroz dcf8cd30ae Updated FormattingTests test case to use settings contexts 2013-02-15 09:37:12 +01:00
Julien Phalip 7d5e35cdb4 Fixed #19829 -- Fixed index lookups for NumPy arrays in templates. 2013-02-14 23:29:15 -08:00
Michael van Tellingen 138de533ff Fixed #19819 - Improved template filter errors handling.
Wrap the Parser.compile_filter method call with a try/except and call the
newly added Parser.compile_filter_error(). Overwrite this method in the
DebugParser to throw the correct error.

Since this error was otherwise caught by the compile_function try/except
block the debugger highlighted the wrong line.
2013-02-14 10:22:59 +01:00
Claude Paroz ac4faa6dc3 Fixed #19693 -- Made truncatewords_html handle self-closing tags
Thanks sneawo for the report and Jonathan Loy for the patch.
2013-02-13 18:24:49 +01:00
Hiroki Kiyohara e94f405d94 Fixed #18558 -- Added url property to HttpResponseRedirect*
Thanks coolRR for the report.
2013-02-13 10:29:32 +01:00
Anssi Kääriäinen fafee74306 Removed try-except in django.db.close_connection()
The reason was that the except clause needed to remove a connection
from the django.db.connections dict, but other parts of Django do not
expect this to happen. In addition the except clause was silently
swallowing the exception messages.

Refs #19707, special thanks to Carl Meyer for pointing out that this
approach should be taken.
2013-02-13 00:25:09 +02:00
Simon Charette a10f390804 Fixed #19044 -- Made `DeletionMixin` interpolate its `success_url`.
Thanks to nxvl and slurms for the initial patch, ptone for the review
and timo for the documentation tweaks.
2013-02-11 02:39:14 -05:00
Anssi Kääriäinen 604d8763dc Fixed #19112 -- Reduced the amount of query params in a test 2013-02-10 21:08:19 +02:00
Anssi Kääriäinen 8ef3235034 Fixed #19720 -- Oracle ordering related delete regression
When a query had a complex where condition (a condition targeting more
than the base table) a subquery was used for deletion. However, the
query had default ordering from the model's meta and Oracle doesn't
work with ordered subqueries.

The regression was caused by fast-path deletion code introduced in
1cd6e04cd4 for fixing #18676.

Thanks to Dylan Klomparens for the report.
2013-02-10 19:54:02 +02:00
Anssi Kääriäinen a4e97cf315 Fixed #19707 -- Reset transaction state after requests 2013-02-10 13:55:54 +02:00
Claude Paroz 718afcafc2 Added tests for some sql_* management commands 2013-02-09 16:34:22 +01:00
Claude Paroz f44922c795 Fixed #18906 -- Ignored to-be-deleted forms in formset validate_unique
Thanks c.pollock at bangor.ac.uk for the report.
2013-02-08 21:35:19 +01:00
Julien Phalip db09a2de6e Cleaned up some lingering signals in the test suite that were causing spurious failures with Pypy and Postgres. 2013-02-08 12:12:03 -08:00
Ramiro Morales b5391515cd Changed test assertion strategy used in 04d9730. 2013-02-07 16:51:27 -03:00
Ramiro Morales 04d9730b12 Fixed #13085 -- Don't fail on creation of model with GFK to a model with __len__() returning zero.
Also, according to the comments on the ticket and its duplicates, added
tests exercising saving an instance of a model with a GFK to:

* An unsaved object -- This actually doesn't generate the same failure
  but another ORM-level exception. The test verifies it's the case.

* An instance of a model with a __nonzero__() method that returns False
  for it. This doesn't fail because that code path isn't executed.

* An instance of a model with a CharField PK and an empty value for it.
  This doesn't fail.
2013-02-07 16:05:54 -03:00
Aymeric Augustin 720888a146 Fixed #15808 -- Added optional HttpOnly flag to the CSRF Cookie.
Thanks Samuel Lavitt for the report and Sascha Peilicke for the patch.
2013-02-07 09:48:08 +01:00
Julien Phalip 6afc85af47 Fixed a typo in the test suite that was causing some spurious failures with pypy. 2013-02-06 22:10:13 -08:00
Alexey Boriskin d18f796a48 Fixed #19704 -- Make use of new ungettext_lazy function at appropriate places 2013-02-06 22:01:55 +01:00
Claude Paroz d7504a3d7b Improved regex in strip_tags
Thanks Pablo Recio for the report. Refs #19237.
2013-02-06 21:20:43 +01:00
Simon Charette 5449240c54 Fixed #9800 -- Allow "isPermaLink" attribute in <guid> element of an RSS item.
Thanks @rtnpro for the patch!
2013-02-06 05:28:05 -05:00
Simon Charette a097ee32d8 Fixed #17683 -- Make sure `BaseModelFormSet` respects defined widgets. 2013-02-05 05:39:35 -05:00
Simon Charette ec469ade2b Fixed #19689 -- Renamed `Model._meta.module_name` to `model_name`. 2013-02-05 04:16:07 -05:00
Claude Paroz 40260bc30b Fixed error message test assertions under Python 3.3
Thanks Florian Apolloner for testing.
2013-02-04 18:00:19 +01:00
Claude Paroz 7c5b244826 Fixed #17061 -- Factored out importing object from a dotted path
Thanks Carl Meyer for the report.
2013-02-04 16:38:25 +01:00
Ramiro Morales 869c9ba306 Fixed #19730 -- Don't validate importability of settings by using i18n in management commands.
They are handled independently now and the latter can be influenced by
the new BaseCommand.leave_locale_alone internal option.

Thanks chrischambers for the report, Claude, lpiatek, neaf and gabooo for
their work on a patch, originally on refs. #17379.
2013-02-03 23:40:38 -03:00
Anssi Kääriäinen f556df90be Fixed #19645 -- Added tests for TransactionMiddleware 2013-02-03 16:26:46 +02:00
Julien Phalip bc7a219b1e Fixed Python 3.2 compatibility for a test. 2013-02-02 20:57:38 -08:00
Julien Phalip 293f7a2114 Fixed #17797 -- Enabled support for PATCH requests in the dummy test client. Thanks to pfarmer for the suggestion and initial patch. 2013-02-02 18:22:40 -08:00
Ramiro Morales 08dc90bccf Fixed #14305 -- Switched inspectdb to create unmanaged models.
Thanks Ian Kelly for the report and initial patch.
2013-02-02 21:11:32 -03:00
Nick Sandford 0694d2196f Fixed #19445 -- Skip admin fieldsets validation when the ModelAdmin.get_form() method is overridden. 2013-02-02 14:53:46 -08:00
Aymeric Augustin ace9d4efc3 Made ungettext_lazy usable for messages that do not contain the count.
Fixed #19160 (again). Thanks Alexey Boriskin.
2013-02-02 10:58:31 +01:00
Aymeric Augustin db5049c9f7 Fixed the test introduced in 2ca37af6 under Python 3. 2013-02-02 10:42:01 +01:00
Ramiro Morales 2ca37af621 Added test to demonstrate issue 11387 isn't there anymore.
Thanks adurdin for the report and patch. Fixes #11387.
2013-02-01 23:30:50 -03:00
Ramiro Morales c4b6659269 Added test to demonstrate issue 11263 isn't there anymore.
Thanks veena for the report and jaklaassen for the patch. Fixes #11263.
2013-02-01 23:30:50 -03:00
Claude Paroz 04141c525d Fixed #19663 -- Allowed None in colorize() text parameter
Thanks Jonathan Liuti for the report and the initial patch, and
Simon Charette for the review.
2013-02-01 22:53:18 +01:00
Matt Robenolt 393c268e72 Fixed #19715 -- Simplified findstatic output when verbosity set to 0 2013-02-01 11:55:05 +01:00
Simon Charette 339944491c Renamed inspectdb field names for clarity 2013-02-01 09:16:29 +01:00