Commit Graph

2194 Commits

Author SHA1 Message Date
Tim Graham 24fc935218 Added CVE-2016-2512/2513 to security release archive. 2016-03-01 12:32:42 -05:00
Florian Apolloner 67b46ba701 Fixed CVE-2016-2513 -- Fixed user enumeration timing attack during login.
This is a security fix.
2016-03-01 11:25:28 -05:00
Mark Striemer c5544d2892 Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
This is a security fix.
2016-03-01 11:25:28 -05:00
Tim Graham f43291639b Added stub release notes for security issues. 2016-03-01 11:25:28 -05:00
Simon Charette 0223e213dd Fixed #26186 -- Documented how app relative relationships of abstract models behave.
This partially reverts commit bc7d201bdb.

Thanks Tim for the review.

Refs #25858.
2016-02-29 22:07:05 -05:00
chenesan b84f5ab4ec Fixed #26230 -- Made default_related_name affect related_query_name. 2016-02-27 08:48:32 -05:00
Simon Charette 3938b3ccaa Fixed #26286 -- Prevented content type managers from sharing their cache.
This should prevent managers methods from returning content type instances
registered to foreign apps now that these managers are also attached to models
created during migration phases.

Thanks Tim for the review.

Refs #23822.
2016-02-26 16:18:16 -05:00
Adam Chainz ef33bc2d4d Fixed #25279 -- Made prefetch_related_objects() public. 2016-02-26 14:55:01 -05:00
Simon Charette 766afc22a1 Fixed #24793 -- Unified temporal difference support. 2016-02-26 12:25:12 -05:00
Ivan Tsouvarev 8890c533e0 Fixed #26280 -- Fixed cached template loader crash when loading nonexistent template. 2016-02-26 08:02:10 -05:00
Sjoerd Job Postmus bbe136e1a2 Fixed #26231 -- Used .get_username in admin login template. 2016-02-25 19:29:53 -05:00
Olivier Le Thanh Duong 10781b4c6f Fixed #12233 -- Allowed redirecting authenticated users away from the login view.
contrib.auth.views.login() has a new parameter `redirect_authenticated_user`
to automatically redirect authenticated users visiting the login page.

Thanks to dmathieu and Alex Buchanan for the original code and to Carl Meyer
for the help and review.
2016-02-25 07:18:33 -05:00
Claude Paroz c5517b9e74 Fixed #26266 -- Output the primary key in the GeoJSON serializer properties
Thanks Tim Graham for the review.
2016-02-24 16:10:46 +01:00
Jon Dufresne b412681359 Fixed #26267 -- Fixed BoundField to reallow slices of subwidgets. 2016-02-24 07:02:51 -05:00
James Aylett 1ff6e37de4 Fixed #23832 -- Added timezone aware Storage API.
New Storage.get_{accessed,created,modified}_time() methods convert the
naive time from now-deprecated {accessed,created_modified}_time()
methods into aware objects in UTC if USE_TZ=True.
2016-02-23 18:51:43 -05:00
Andrew Kuchev e81d1c995c Fixed #25670 -- Allowed dictsort to sort a list of lists.
Thanks Tim Graham for the review.
2016-02-23 12:15:08 -05:00
Tim Graham cdbd8745f6 Fixed #26263 -- Deprecated Context.has_key() 2016-02-23 08:08:55 -05:00
Claude Paroz b46c0ea6c8 Fixed #26190 -- Returned handle() result from call_command
Thanks Tim Graham for the review.
2016-02-23 09:12:12 +01:00
Tim Graham 47b5a6a43c Fixed #26187 -- Removed weak password hashers from PASSWORD_HASHERS. 2016-02-22 18:59:23 -05:00
Tim Graham 33a4040d07 Refs #26253 -- Forwardported release note. 2016-02-22 17:19:08 -05:00
Tim Graham b1afebf882 Fixed #26204 -- Reallowed dashes in top-level domains for URLValidator.
Thanks Shai Berger for the review.
2016-02-18 19:06:49 -05:00
Akshesh d58aaa24e3 Fixed #26107 -- Added option to int_list_validator() to allow negative integers. 2016-02-18 18:58:18 -05:00
Akshesh fdccc02576 Fixed #26219 -- Fixed crash when filtering by Decimal in RawQuery. 2016-02-17 13:56:42 -05:00
Jakub Paczkowski d4dc775620 Fixed #25735 -- Added support for test tags to DiscoverRunner.
Thanks Carl Meyer, Claude Paroz, and Simon Charette for review.
2016-02-17 09:44:18 -05:00
Claude Paroz 928c12eb1a Fixed #26215 -- Fixed RangeField/ArrayField serialization with None values
Also added tests for HStoreField and JSONField.
Thanks Aleksey Bukin for the report and Tim Graham for the initial patch and
the review.
2016-02-16 21:07:05 +01:00
Alexey Kotlyarov b59f963ad2 Fixed #26212 -- Made forms.FileField and translation.lazy_number() picklable. 2016-02-15 11:44:29 -05:00
Jon Dufresne fcd08c1757 Fixed #11665 -- Made TestCase check deferrable constraints after each test. 2016-02-13 06:53:39 -05:00
Mounir Messelmeni 50931dfa53 Fixed #25304 -- Allowed management commands to check if migrations are applied. 2016-02-12 13:34:56 -05:00
Anssi Kääriäinen 46ecfb9b3a Fixed #26196 -- Made sure __in lookups use to_field as default.
Thanks Simon Charette for the test.
2016-02-11 11:09:08 -05:00
ZachLiuGIS 04e13c8913 Fixed #26179 -- Removed null assignment check for non-nullable foreign key fields. 2016-02-11 10:07:39 -05:00
Anssi Kääriäinen 353aecbf8c Fixed #26153 -- Reallowed Q-objects in ForeignObject.get_extra_descriptor_filter(). 2016-02-11 08:59:43 -05:00
Curtis Maloney 6f1318734f Fixed #26014 -- Added WSGIRequest content_type and content_params attributes.
Parsed the CONTENT_TYPE header once and recorded it on the request.
2016-02-10 18:19:23 -05:00
Brobin dca8b916ff Fixed #26154 -- Deprecated CommaSeparatedIntegerField 2016-02-10 17:57:43 -05:00
Shai Berger bb51dc902d Refs #26112 -- Fixed aggregate GIS test on Oracle.
Made sure the test doesn't try to aggregate over MultiPolygonField and made
AreaField turn decimals into floats on the way from the DB.

Thanks Daniel Wiesmann, Jani Tiainen, and Tim Graham for review and discussion.
2016-02-09 10:04:54 -05:00
Simon Charette a325fb1f9b Fixed #26162 -- Checked query name clashes of hidden relationships.
Although reverse accessor clashes should be skipped query name can't be hidden.

Thanks to Ian Foote and Tim Graham for the review.
2016-02-08 09:59:27 -05:00
Tim Graham 10a162809f Refs #24007 -- Removed an apps.populate() call in model unpickling that can cause deadlocks. 2016-02-08 08:28:48 -05:00
Tim Graham 97eb3356b2 Fixed #26177 -- Fixed a PostgreSQL crash with TIME_ZONE=None and USE_TZ=False. 2016-02-08 07:21:54 -05:00
Shai Berger 28f60ef3b8 Fixed title formatting in backwards-incompat section of 1.10 release notes 2016-02-06 21:10:36 +02:00
Tim Graham d6337e65ed Added stub release notes for 1.8.10. 2016-02-06 09:24:20 -05:00
Pankrat f91a04621e Fixed #25833 -- Added support for non-atomic migrations.
Added the Migration.atomic attribute which can be set to False
for non-atomic migrations.
2016-02-05 09:09:05 -05:00
Yoong Kang Lim 0edb8a146f Fixed #26144 -- Warned when dumping proxy model without concrete parent. 2016-02-04 19:40:12 -05:00
Simon Charette 6eb3ce11e4 Fixed #26089 -- Removed custom user test models from public API.
Thanks to Tim Graham for the review.
2016-02-04 12:30:34 -05:00
Hugo Osvaldo Barrera dcee1dfc79 Fixed #12405 -- Added LOGOUT_REDIRECT_URL setting.
After a user logs out via auth.views.logout(), they're redirected
to LOGOUT_REDIRECT_URL if no `next_page` argument is provided.
2016-02-04 10:35:37 -05:00
Carl Meyer a0ce4c09ff Fix typos in 1.8 release notes. 2016-02-03 13:05:35 -07:00
jpic 926e90132d Fixed #25731 -- Removed unused choices kwarg for Select.render() 2016-02-02 18:03:19 -05:00
rynomster 468d8211df Fixed #23971 -- Added "Has date"/"No date" choices for DateFieldListFilter. 2016-02-02 12:04:14 -05:00
Tim Graham 1e9150443e Refs #26089 -- Removed obsolete docs about custom user model testing. 2016-02-02 08:12:08 -05:00
Buddy Lindsey, Jr 731bdfe68a Fixed #26155 -- Skipped URL checks if no ROOTURL_CONF setting. 2016-02-01 13:51:38 -05:00
Tim Graham ecd502cfdb Added CVE-2016-2048 to the security archive. 2016-02-01 12:42:37 -05:00
Tim Graham 59654d5efe Added stub release notes for 1.9.3. 2016-02-01 12:39:18 -05:00
Tim Graham 11fae7c9e4 Added release dates for 1.9.2 and 1.8.9. 2016-02-01 12:02:16 -05:00
Myk Willis 62f3acc70a Fixed incorrect permissions check for admin's "Save as new".
This is a security fix.
2016-02-01 11:57:00 -05:00
Tim Graham 8ce8beb3f2 Unified some doc links to OneToOneField and ManyToManyField. 2016-02-01 11:02:26 -05:00
Hugo Osvaldo Barrera 8bf8d0e0ec Fixed #7923 -- Added links to objects displayed by ModelAdmin.raw_id_fields. 2016-02-01 07:36:10 -05:00
Greg Chapple 8dea9f089d Fixed #26120 -- Made HStoreField cast keys and values to strings.
HStoreField now converts all keys and values to string before they're
saved to the database.
2016-01-29 09:51:23 -05:00
Tim Graham 04564eb74d Fixed #26129 -- Made invalid forms display initial values of disabled fields. 2016-01-28 18:43:48 -05:00
Tim Graham 19d1cb1451 Fixed #20415 -- Ensured srid isn't localized in OpenLayers JavaScript. 2016-01-28 17:46:55 -05:00
James Pulec f05722a08a Fixed #25354 -- Added class/app_label interpolation for related_query_name. 2016-01-28 11:10:47 -05:00
Claude Paroz 54236a2c1c Fixed #26138 -- Ensured geometry_field's geometry is always serialized
Thanks Bernd Schlapsi for the report.
2016-01-28 08:50:38 +01:00
Ben Kraft 13023ba867 Fixed #26122 -- Fixed copying a LazyObject
Shallow copying of `django.utils.functional.LazyObject` or its subclasses has
been broken in a couple of different ways in the past, most recently due to
35355a4.
2016-01-26 06:56:21 -05:00
Preston Timmons cfda1fa3f8 Fixed #25848 -- Set template origin on each node.
Prior to 55f12f8709, the template origin was available on each node via
`self.token.source[0]`. This behavior was removed when debug handling was
simplified, but 3rd-party debugging tools still depend on its presence.
This updates the Parser to set origin on individual nodes. This enables the
source template to be determined even when template extending or including is
used.
2016-01-26 06:23:27 -05:00
Simon Charette 4dcaa5871b Fixed #26135 -- Adjusted the migration questioner's handling of disabled apps.
This was causing an issue when calling the `migrate` command in a test case with
the `available_apps` attribute pointing to an application with migrations
disabled using the `MIGRATION_MODULES` setting.

Thanks to Tim Graham for the review.

Refs #24919
2016-01-25 21:38:36 -05:00
Chris Lamb abc0777b63 Fixed #25968 -- Changed project/app templates to use a "py-tpl" suffix.
Debian packages unconditionally byte-compile .py files on installation and
do not silence errors by design. Therefore, we need a way of shipping these
invalid .py files without a .py extension but ensuring that when we
template them, they end up as .py.

We don't special-case .py files so that the all the TemplateCommand
command-line options (eg. extra_files and extensions) still work entirely
as expected and it may even be useful for other formats too.
2016-01-25 12:39:06 -05:00
Tim Graham 5e8685c1b1 Refs #26034 -- Added another case fixed by this ticket to release notes. 2016-01-25 08:35:58 -05:00
Tim Graham 497b5d6fee Refs #26034 -- Added another case fixed by this ticket to release notes.
Thanks Shai Berger for the report.
2016-01-25 08:33:02 -05:00
Simon Charette 729e0b086d Fixed #24109 -- Allowed RunSQL and RunPython operations to be elided.
Thanks to Markus Holtermann and Tim Graham for their review.
2016-01-23 14:19:03 -05:00
Preston Timmons c00ae7f58c Fixed #26118 -- Added 'is' operator to if template tag. 2016-01-22 15:35:28 -05:00
Elif T. Kus bca9faae95 Fixed #26020 -- Normalized header stylings in docs. 2016-01-22 12:12:17 -05:00
Alexander Gaevsky 9a33d3d764 Fixed #26060 -- Fixed crash with reverse OneToOneField in ModelAdmin.readonly_fields. 2016-01-21 13:21:28 -05:00
Aymeric Augustin f91b5a7e4b Fixed #26063 -- Crash when passing > 2000 params.
If SQLITE_MAX_VARIABLE_NUMBER (default = 999) is changed at compile time
to be greater than SQLITE_MAX_COLUMN (default = 2000), which Debian does
by setting the former to 250000, Django raised an exception on queries
containing more than 2000 parameters when DEBUG = True.
2016-01-21 10:47:15 +01:00
Anssi Kääriäinen ee596888e1 Fixed #26092 -- Fixed QuerySet.order_by() regression with an M2M through model. 2016-01-20 19:13:05 -05:00
chemary 2d28144c95 Fixed #26094 -- Fixed CSRF behind a proxy (settings.USE_X_FORWARDED_PORT=True). 2016-01-20 18:19:24 -05:00
Tim Graham 073dd4ce79 Refs #26096 -- Forwardported 1.9.2 release note. 2016-01-19 07:35:48 -05:00
Tim Graham e519aab43a Fixed #23868 -- Added support for non-unique django-admin-options in docs.
Also documented missing short command line options to fix #24134. This bumps
the minimum sphinx version required to build the docs to 1.3.4.

Thanks Simon Charette for review.
2016-01-14 18:21:33 -05:00
Simon Charette fd1c5bb041 Fixed a typo in the 1.9.2 release notes. 2016-01-14 17:46:48 -05:00
Iacopo Spalletti 21bf685f5e Fixed #25697 -- Made default error views error when passed a nonexistent template_name. 2016-01-14 07:05:38 -05:00
Alberto Avila cca151d196 Refs #26071 -- Added test for __in lookup in a Case expression.
Forwardport of 5b3c66d8b6 from stable/1.8.x
2016-01-13 08:56:36 -05:00
Tim Graham a7752780d9 Removed an unncessary docs cross-reference for call_command(). 2016-01-12 18:01:29 -05:00
Tim Graham 555f8e9d5c Made CommandError use the exception directive in docs. 2016-01-12 12:28:55 -05:00
pp b34ff66e5b Added missing period to "etc.". 2016-01-11 18:05:15 -05:00
Simon Charette bc7d201bdb Fixed #25858 -- Bound abstract model application relative relationships.
Thanks to Karl Hobley for the report and Markus, Shai, Aymeric for their input
and Tim for the review.
2016-01-11 12:23:23 -05:00
Varun Sharma 3d6474e1a5 Fixed #25385 -- Allowed importing views.generic.View from views.View. 2016-01-11 08:18:44 -05:00
Flavio Curella 0bc5cd6280 Fixed #25684 -- Made runserver use logging for request/response output.
Thanks andreif for the contributing to the patch.
2016-01-11 07:35:17 -05:00
Collin Anderson 780bddf75b Fixed #20846 -- Decreased User.username max_length to 150 characters. 2016-01-08 18:06:44 -05:00
Claude Paroz cf7894be88 Fixed #21113 -- Made LogEntry.change_message language independent
Thanks Tim Graham for the review.
2016-01-08 20:34:59 +01:00
Tim Graham 56aaae58a7 Fixed #26034 -- Fixed incorrect index handling on PostgreSQL on Char/TextField with unique=True and db_index=True.
Thanks Simon Charette for review.
2016-01-08 12:47:05 -05:00
Alexander Gaevsky ade54ffa34 Refs #25165 -- Fixed JSON serialization for add/edit popup in the admin.
Forwardport of test in o839d71d8562abe0b245024e55ca1d02a45e58fd from stable/1.9.x
(refs #25997).
2016-01-08 12:28:32 -05:00
Alasdair Nicol 6ea7b6776c Refs #24855 -- fixed typo in 1.10 release notes 2016-01-07 11:38:47 -05:00
Alexander Gaevsky 44930cc466 Fixed #24980 -- Fixed day determination in admin calendar widget. 2016-01-07 11:13:05 -05:00
Paulo Poiati b643386668 Fixed #24855 -- Allowed using contrib.auth.login() without credentials.
Added an optional `backend` argument to login().
2016-01-07 08:56:07 -05:00
Niels Van Och 7f7553dd30 Fixed #25680 -- Added django-admin shell --command option.
Add a -c option to the shell command to execute a command passed as a
string as Django.
2016-01-06 18:43:41 -05:00
Claude Paroz 632a9f21bc Fixed #26046 -- Fixed a crash with translations and Django-unknown language code
Thanks Jens Lundstrom for the report and Tim Graham for the review.
2016-01-06 20:30:56 +01:00
Scott Pashley 7cc2efc2d6 Fixed #26035 -- Prevented user-tools from appearing on admin logout page. 2016-01-06 13:48:02 -05:00
Tim Graham 1e57dccb31 Added stub release notes for 1.8.9. 2016-01-05 13:19:20 -05:00
Tim Graham 49eeb0f570 Fixed #25878 -- Documented requirement that handler404 return a 404 response. 2016-01-05 11:23:13 -05:00
Denis Cornehl 186b6c61bf Fixed #26024 -- Fixed regression in ConditionalGetMiddleware ETag support.
Thanks Denis Cornehl for help with the patch.
2016-01-05 09:37:11 -05:00
Andrew Kuchev d5b90c8e12 Fixed #21549 -- Made loaddata's 'fixture not found' warning an exception.
Thanks to mpasternak for the report and Tim Graham for the review.
2016-01-04 19:39:35 -05:00
Tim Graham 3432f5d659 Added stub release notes for 1.9.2. 2016-01-02 09:06:26 -05:00
Tim Graham 24c1713e2e Added release date for 1.9.1/1.8.8 releases. 2016-01-02 08:35:54 -05:00
varunnaganathan 3eba9638ee Fixed #25316 -- Fixed a crash with order_by() and values() after annotate(). 2016-01-02 07:06:54 -05:00