2012-10-30 13:02:54 +00:00
|
|
|
============================================
|
|
|
|
Django 1.6 release notes - UNDER DEVELOPMENT
|
|
|
|
============================================
|
|
|
|
|
2013-03-26 00:11:23 +00:00
|
|
|
.. note::
|
|
|
|
|
|
|
|
Dedicated to Malcolm Tredinnick
|
|
|
|
|
|
|
|
On March 17, 2013, the Django project and the free software community lost
|
|
|
|
a very dear friend and developer.
|
|
|
|
|
|
|
|
Malcolm was a long-time contributor to Django, a model community member, a
|
|
|
|
brilliant mind, and a friend. His contributions to Django — and to many other
|
|
|
|
open source projects — are nearly impossible to enumerate. Many on the core
|
|
|
|
Django team had their first patches reviewed by him; his mentorship enriched
|
|
|
|
us. His consideration, patience, and dedication will always be an inspiration
|
|
|
|
to us.
|
|
|
|
|
|
|
|
This release of Django is for Malcolm.
|
|
|
|
|
|
|
|
-- The Django Developers
|
|
|
|
|
2012-10-30 13:02:54 +00:00
|
|
|
Welcome to Django 1.6!
|
|
|
|
|
|
|
|
These release notes cover the `new features`_, as well as some `backwards
|
|
|
|
incompatible changes`_ you'll want to be aware of when upgrading from Django
|
|
|
|
1.5 or older versions. We've also dropped some features, which are detailed in
|
|
|
|
:doc:`our deprecation plan </internals/deprecation>`, and we've `begun the
|
|
|
|
deprecation process for some features`_.
|
|
|
|
|
|
|
|
.. _`new features`: `What's new in Django 1.6`_
|
|
|
|
.. _`backwards incompatible changes`: `Backwards incompatible changes in 1.6`_
|
|
|
|
.. _`begun the deprecation process for some features`: `Features deprecated in 1.6`_
|
|
|
|
|
|
|
|
What's new in Django 1.6
|
|
|
|
========================
|
|
|
|
|
Simplified default project template.
Squashed commit of:
commit 508ec9144b35c50794708225b496bde1eb5e60aa
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Tue Jan 29 22:50:55 2013 +0100
Tweaked default settings file.
* Explained why BASE_DIR exists.
* Added a link to the database configuration options, and put it in its
own section.
* Moved sensitive settings that must be changed for production at the
top.
commit 6515fd2f1aa73a86dc8dbd2ccf512ddb6b140d57
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Tue Jan 29 14:35:21 2013 +0100
Documented the simplified app & project templates in the changelog.
commit 2c5b576c2ea91d84273a019b3d0b3b8b4da72f23
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Tue Jan 29 13:59:27 2013 +0100
Minor fixes in tutorials 5 and 6.
commit 55a51531be8104f21b3cca3f6bf70b0a7139a041
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Tue Jan 29 13:51:11 2013 +0100
Updated tutorial 2 for the new project template.
commit 29ddae87bdaecff12dd31b16b000c01efbde9e20
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Tue Jan 29 11:58:54 2013 +0100
Updated tutorial 1 for the new project template.
commit 0ecb9f6e2514cfd26a678a280d471433375101a3
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Tue Jan 29 11:29:13 2013 +0100
Adjusted the default URLconf detection to account for the admin.
It's now enabled by default.
commit 5fb4da0d3d09dac28dd94e3fde92b9d4335c0565
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Tue Jan 29 10:36:55 2013 +0100
Added security warnings for the most sensitive settings.
commit 718d84bd8ac4a42fb4b28ec93965de32680f091e
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 23:24:06 2013 +0100
Used an absolute path for the SQLite database.
This ensures the settings file works regardless of which directory
django-admin.py / manage.py is invoked from.
BASE_DIR got a +1 from a BDFL and another core dev. It doesn't involve
the concept of a "Django project"; it's just a convenient way to express
relative paths within the source code repository for non-Python files.
Thanks Jacob Kaplan-Moss for the suggestion.
commit 1b559b4bcda622e10909b68fe5cab90db6727dd9
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 23:22:40 2013 +0100
Removed STATIC_ROOT from the default settings template.
It isn't necessary in development, and it confuses beginners to no end.
Thanks Carl Meyer for the suggestion.
commit a55f141a500bb7c9a1bc259bbe1954c13b199671
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 23:21:43 2013 +0100
Removed MEDIA_ROOT/URL from default settings template.
Many sites will never deal with user-uploaded files, and MEDIA_ROOT is
complicated to explain.
Thanks Carl Meyer for the suggestion.
commit 44bf2f2441420fd9429ee9fe1f7207f92dd87e70
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 22:22:09 2013 +0100
Removed logging config.
This configuration is applied regardless of the value of LOGGING;
duplicating it in LOGGING is confusing.
commit eac747e848eaed65fd5f6f254f0a7559d856f88f
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 22:05:31 2013 +0100
Enabled the locale middleware by default.
USE_I18N is True by default, and doesn't work well without
LocaleMiddleware.
commit d806c62b2d00826dc2688c84b092627b8d571cab
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 22:03:16 2013 +0100
Enabled clickjacking protection by default.
commit 99152c30e6a15003f0b6737dc78e87adf462aacb
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 22:01:48 2013 +0100
Reorganized settings in logical sections, and trimmed comments.
commit d37ffdfcb24b7e0ec7cc113d07190f65fb12fb8a
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 16:54:11 2013 +0100
Avoided misleading TEMPLATE_DEBUG = DEBUG.
According to the docs TEMPLATE_DEBUG works only when DEBUG = True.
commit 15d9478d3a9850e85841e7cf09cf83050371c6bf
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 16:46:25 2013 +0100
Removed STATICFILES_FINDERS/TEMPLATE_LOADERS from default settings file.
Only developers with special needs ever need to change these settings.
commit 574da0eb5bfb4570883756914b4dbd7e20e1f61e
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 16:45:01 2013 +0100
Removed STATICFILES/TEMPLATES_DIRS from default settings file.
The current best practice is to put static files and templates in
applications, for easier testing and deployment.
commit 8cb18dbe56629aa1be74718a07e7cc66b4f9c9f0
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 16:24:16 2013 +0100
Removed settings related to email reporting from default settings file.
While handy for small scale projects, it isn't exactly a best practice.
commit 8ecbfcb3638058f0c49922540f874a7d802d864f
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Tue Jan 29 18:54:43 2013 +0100
Documented how to enable the sites framework.
commit 23fc91a6fa67d91ddd9d71b1c3e0dc26bdad9841
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 16:28:59 2013 +0100
Disabled the sites framework by default.
RequestSite does the job for single-domain websites.
commit c4d82eb8afc0eb8568bf9c4d12644272415e3960
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Tue Jan 29 00:08:33 2013 +0100
Added a default admin.py to the application template.
Thanks Ryan D Hiebert for the suggestion.
commit 4071dc771e5c44b1c5ebb9beecefb164ae465e22
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 10:59:49 2013 +0100
Enabled the admin by default.
Everyone uses the admin.
commit c807a31f8d89e7e7fd97380e3023f7983a8b6fcb
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 10:57:05 2013 +0100
Removed admindocs from default project template.
commit 09e4ce0e652a97da1a9e285046a91c8ad7a9189c
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 16:32:52 2013 +0100
Added links to the settings documentation.
commit 5b8f5eaef364eb790fcde6f9e86f7d266074cca8
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 11:06:54 2013 +0100
Used a significant example for URLconf includes.
commit 908e91d6fcee2a3cb51ca26ecdf12a6a24e69ef8
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 16:22:31 2013 +0100
Moved code comments about WSGI to docs, and rewrote said docs.
commit 50417e51996146f891d08ca8b74dcc736a581932
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Mon Jan 28 15:51:50 2013 +0100
Normalized the default application template.
Removed the default test that 1 + 1 = 2, because it's been committed
way too many times, in too many projects.
Added an import of `render` for views, because the first view will
often be:
def home(request):
return render(request, "mysite/home.html")
2013-01-28 14:51:50 +00:00
|
|
|
Simplified default project and app templates
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
The default templates used by :djadmin:`startproject` and :djadmin:`startapp`
|
|
|
|
have been simplified and modernized. The :doc:`admin
|
|
|
|
</ref/contrib/admin/index>` is now enabled by default in new projects; the
|
|
|
|
:doc:`sites </ref/contrib/sites>` framework no longer is. :ref:`Language
|
|
|
|
detection <how-django-discovers-language-preference>` and :ref:`clickjacking
|
|
|
|
prevention <clickjacking-prevention>` are turned on.
|
|
|
|
|
|
|
|
If the default templates don't suit your tastes, you can use :ref:`custom
|
|
|
|
project and app templates <custom-app-and-project-templates>`.
|
|
|
|
|
2013-03-03 14:55:11 +00:00
|
|
|
Improved transaction management
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
Django's transaction management was overhauled. Database-level autocommit is
|
|
|
|
now turned on by default. This makes transaction handling more explicit and
|
|
|
|
should improve performance. The existing APIs were deprecated, and new APIs
|
2013-03-13 13:47:48 +00:00
|
|
|
were introduced, as described in the :doc:`transaction management docs
|
|
|
|
</topics/db/transactions>`.
|
2013-03-03 14:55:11 +00:00
|
|
|
|
|
|
|
Please review carefully the list of :ref:`known backwards-incompatibilities
|
2013-03-04 22:26:31 +00:00
|
|
|
<transactions-upgrading-from-1.5>` to determine if you need to make changes in
|
2013-03-03 14:55:11 +00:00
|
|
|
your code.
|
|
|
|
|
2013-02-18 10:37:26 +00:00
|
|
|
Persistent database connections
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
Django now supports reusing the same database connection for several requests.
|
|
|
|
This avoids the overhead of re-establishing a connection at the beginning of
|
2013-05-09 13:42:14 +00:00
|
|
|
each request. For backwards compatibility, this feature is disabled by
|
|
|
|
default. See :ref:`persistent-database-connections` for details.
|
2013-02-18 10:37:26 +00:00
|
|
|
|
2013-05-11 03:08:45 +00:00
|
|
|
Discovery of tests in any test module
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
Django 1.6 ships with a new test runner that allows more flexibility in the
|
|
|
|
location of tests. The previous runner
|
|
|
|
(``django.test.simple.DjangoTestSuiteRunner``) found tests only in the
|
|
|
|
``models.py`` and ``tests.py`` modules of a Python package in
|
|
|
|
:setting:`INSTALLED_APPS`.
|
|
|
|
|
|
|
|
The new runner (``django.test.runner.DjangoTestDiscoverRunner``) uses the test
|
|
|
|
discovery features built into unittest2 (the version of unittest in the Python
|
|
|
|
2.7+ standard library, and bundled with Django). With test discovery, tests can
|
|
|
|
be located in any module whose name matches the pattern ``test*.py``.
|
|
|
|
|
|
|
|
In addition, the test labels provided to ``./manage.py test`` to nominate
|
|
|
|
specific tests to run must now be full Python dotted paths (or directory
|
|
|
|
paths), rather than ``applabel.TestCase.test_method_name`` pseudo-paths. This
|
|
|
|
allows running tests located anywhere in your codebase, rather than only in
|
|
|
|
:setting:`INSTALLED_APPS`. For more details, see :doc:`/topics/testing/index`.
|
|
|
|
|
|
|
|
This change is backwards-incompatible; see the :ref:`backwards-incompatibility
|
|
|
|
notes<new-test-runner>`.
|
|
|
|
|
2013-02-10 15:15:49 +00:00
|
|
|
Time zone aware aggregation
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
The support for :doc:`time zones </topics/i18n/timezones>` introduced in
|
|
|
|
Django 1.4 didn't work well with :meth:`QuerySet.dates()
|
|
|
|
<django.db.models.query.QuerySet.dates>`: aggregation was always performed in
|
|
|
|
UTC. This limitation was lifted in Django 1.6. Use :meth:`QuerySet.datetimes()
|
|
|
|
<django.db.models.query.QuerySet.datetimes>` to perform time zone aware
|
|
|
|
aggregation on a :class:`~django.db.models.DateTimeField`.
|
|
|
|
|
2013-03-24 12:08:29 +00:00
|
|
|
Support for savepoints in SQLite
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
Django 1.6 adds support for savepoints in SQLite, with some :ref:`limitations
|
|
|
|
<savepoints-in-sqlite>`.
|
|
|
|
|
2012-12-13 21:11:06 +00:00
|
|
|
``BinaryField`` model field
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
A new :class:`django.db.models.BinaryField` model field allows to store raw
|
|
|
|
binary data in the database.
|
|
|
|
|
2013-03-16 10:39:18 +00:00
|
|
|
GeoDjango form widgets
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
GeoDjango now provides :ref:`form fields and widgets <ref-gis-forms-api>` for
|
|
|
|
its geo-specialized fields. They are OpenLayers-based by default, but they can
|
|
|
|
be customized to use any other JS framework.
|
|
|
|
|
2012-11-17 19:24:54 +00:00
|
|
|
Minor features
|
|
|
|
~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
* Authentication backends can raise ``PermissionDenied`` to immediately fail
|
|
|
|
the authentication chain.
|
|
|
|
|
2013-02-07 08:48:08 +00:00
|
|
|
* The HttpOnly flag can be set on the CSRF cookie with
|
|
|
|
:setting:`CSRF_COOKIE_HTTPONLY`.
|
|
|
|
|
2012-12-13 11:33:11 +00:00
|
|
|
* The ``assertQuerysetEqual()`` now checks for undefined order and raises
|
|
|
|
``ValueError`` if undefined order is spotted. The order is seen as
|
|
|
|
undefined if the given ``QuerySet`` isn't ordered and there are more than
|
|
|
|
one ordered values to compare against.
|
|
|
|
|
2013-01-12 08:37:19 +00:00
|
|
|
* Added :meth:`~django.db.models.query.QuerySet.earliest` for symmetry with
|
|
|
|
:meth:`~django.db.models.query.QuerySet.latest`.
|
|
|
|
|
2013-02-10 15:15:49 +00:00
|
|
|
* In addition to :lookup:`year`, :lookup:`month` and :lookup:`day`, the ORM
|
|
|
|
now supports :lookup:`hour`, :lookup:`minute` and :lookup:`second` lookups.
|
|
|
|
|
Refactored database exceptions wrapping.
Squashed commit of the following:
commit 2181d833ed1a2e422494738dcef311164c4e097e
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Wed Feb 27 14:28:39 2013 +0100
Fixed #15901 -- Wrapped all PEP-249 exceptions.
commit 5476a5d93c19aa2f928c497d39ce6e33f52694e2
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Tue Feb 26 17:26:52 2013 +0100
Added PEP 3134 exception chaining.
Thanks Jacob Kaplan-Moss for the suggestion.
commit 9365fad0a650328002fb424457d675a273c95802
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Tue Feb 26 17:13:49 2013 +0100
Improved API for wrapping database errors.
Thanks Alex Gaynor for the proposal.
commit 1b463b765f2826f73a8d9266795cd5da4f8d5e9e
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Tue Feb 26 15:00:39 2013 +0100
Removed redundant exception wrapping.
This is now taken care of by the cursor wrapper.
commit 524bc7345a724bf526bdd2dd1bcf5ede67d6bb5c
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Tue Feb 26 14:55:10 2013 +0100
Wrapped database exceptions in the base backend.
This covers the most common PEP-249 APIs:
- Connection APIs: close(), commit(), rollback(), cursor()
- Cursor APIs: callproc(), close(), execute(), executemany(),
fetchone(), fetchmany(), fetchall(), nextset().
Fixed #19920.
commit a66746bb5f0839f35543222787fce3b6a0d0a3ea
Author: Aymeric Augustin <aymeric.augustin@m4x.org>
Date: Tue Feb 26 14:53:34 2013 +0100
Added a wrap_database_exception context manager and decorator.
It re-throws backend-specific exceptions using Django's common wrappers.
2013-02-26 13:53:34 +00:00
|
|
|
* Django now wraps all PEP-249 exceptions.
|
|
|
|
|
2013-02-23 08:45:56 +00:00
|
|
|
* The default widgets for :class:`~django.forms.EmailField`,
|
|
|
|
:class:`~django.forms.URLField`, :class:`~django.forms.IntegerField`,
|
|
|
|
:class:`~django.forms.FloatField` and :class:`~django.forms.DecimalField` use
|
|
|
|
the new type attributes available in HTML5 (type='email', type='url',
|
|
|
|
type='number'). Note that due to erratic support of the ``number`` input type
|
|
|
|
with localized numbers in current browsers, Django only uses it when numeric
|
|
|
|
fields are not localized.
|
2013-01-28 13:12:56 +00:00
|
|
|
|
2013-01-30 19:28:16 +00:00
|
|
|
* The ``number`` argument for :ref:`lazy plural translations
|
|
|
|
<lazy-plural-translations>` can be provided at translation time rather than
|
|
|
|
at definition time.
|
|
|
|
|
2013-02-04 11:55:45 +00:00
|
|
|
* For custom management commands: Verification of the presence of valid
|
|
|
|
settings in commands that ask for it by using the
|
2013-02-03 23:53:48 +00:00
|
|
|
:attr:`~django.core.management.BaseCommand.can_import_settings` internal
|
2013-02-04 11:55:45 +00:00
|
|
|
option is now performed independently from handling of the locale that
|
|
|
|
should be active during the execution of the command. The latter can now be
|
|
|
|
influenced by the new
|
|
|
|
:attr:`~django.core.management.BaseCommand.leave_locale_alone` internal
|
|
|
|
option. See :ref:`management-commands-and-locales` for more details.
|
2013-02-03 23:53:48 +00:00
|
|
|
|
2013-02-11 07:39:14 +00:00
|
|
|
* The :attr:`~django.views.generic.edit.DeletionMixin.success_url` of
|
|
|
|
:class:`~django.views.generic.edit.DeletionMixin` is now interpolated with
|
|
|
|
its ``object``\'s ``__dict__``.
|
|
|
|
|
2013-02-13 08:55:43 +00:00
|
|
|
* :class:`~django.http.HttpResponseRedirect` and
|
|
|
|
:class:`~django.http.HttpResponsePermanentRedirect` now provide an ``url``
|
|
|
|
attribute (equivalent to the URL the response will redirect to).
|
|
|
|
|
2013-02-24 12:36:04 +00:00
|
|
|
* The ``MemcachedCache`` cache backend now uses the latest :mod:`pickle`
|
|
|
|
protocol available.
|
|
|
|
|
2013-03-18 22:48:47 +00:00
|
|
|
* Added :class:`~django.contrib.messages.views.SuccessMessageMixin` which
|
|
|
|
provides a ``success_message`` attribute for
|
2013-03-24 17:49:31 +00:00
|
|
|
:class:`~django.views.generic.edit.FormView` based classes.
|
2013-03-18 22:48:47 +00:00
|
|
|
|
2013-03-07 19:24:51 +00:00
|
|
|
* Added the :attr:`django.db.models.ForeignKey.db_constraint` and
|
|
|
|
:attr:`django.db.models.ManyToManyField.db_constraint` options.
|
2013-02-20 19:27:32 +00:00
|
|
|
|
2013-02-22 20:52:20 +00:00
|
|
|
* The jQuery library embedded in the admin has been upgraded to version 1.9.1.
|
|
|
|
|
2013-02-24 16:02:10 +00:00
|
|
|
* Syndication feeds (:mod:`django.contrib.syndication`) can now pass extra
|
2013-02-24 14:32:52 +00:00
|
|
|
context through to feed templates using a new `Feed.get_context_data()`
|
|
|
|
callback.
|
|
|
|
|
2013-02-24 16:31:26 +00:00
|
|
|
* The admin list columns have a ``column-<field_name>`` class in the HTML
|
|
|
|
so the columns header can be styled with CSS, e.g. to set a column width.
|
|
|
|
|
2013-03-02 14:00:28 +00:00
|
|
|
* The isolation level can be customized under PostgreSQL.
|
|
|
|
|
2013-03-03 19:44:44 +00:00
|
|
|
* The :ttag:`blocktrans` template tag now respects
|
|
|
|
:setting:`TEMPLATE_STRING_IF_INVALID` for variables not present in the
|
|
|
|
context, just like other template constructs.
|
|
|
|
|
2013-03-07 00:00:05 +00:00
|
|
|
* SimpleLazyObjects will now present more helpful representations in shell
|
|
|
|
debugging situations.
|
|
|
|
|
2013-03-09 15:01:33 +00:00
|
|
|
* Generic :class:`~django.contrib.gis.db.models.GeometryField` is now editable
|
|
|
|
with the OpenLayers widget in the admin.
|
|
|
|
|
2012-11-29 10:10:31 +00:00
|
|
|
* The :meth:`Model.save() <django.db.models.Model.save()>` will do
|
|
|
|
``UPDATE`` - if not updated - ``INSERT`` instead of ``SELECT`` - if not
|
|
|
|
found ``INSERT`` else ``UPDATE`` in case the model's primary key is set.
|
|
|
|
|
2013-03-17 17:21:05 +00:00
|
|
|
* The documentation contains a :doc:`deployment checklist
|
|
|
|
</howto/deployment/checklist>`.
|
|
|
|
|
2013-03-17 19:48:30 +00:00
|
|
|
* The :djadmin:`diffsettings` comand gained a ``--all`` option.
|
|
|
|
|
2013-03-24 17:49:31 +00:00
|
|
|
* ``django.forms.fields.Field.__init__`` now calls ``super()``, allowing
|
2013-03-18 21:22:26 +00:00
|
|
|
field mixins to implement ``__init__()`` methods that will reliably be
|
|
|
|
called.
|
|
|
|
|
Fixed #20084 -- Provided option to validate formset max_num on server.
This is provided as a new "validate_max" formset_factory option defaulting to
False, since the non-validating behavior of max_num is longstanding, and there
is certainly code relying on it. (In fact, even the Django admin relies on it
for the case where there are more existing inlines than the given max_num). It
may be that at some point we want to deprecate validate_max=False and
eventually remove the option, but this commit takes no steps in that direction.
This also fixes the DoS-prevention absolute_max enforcement so that it causes a
form validation error rather than an IndexError, and ensures that absolute_max
is always 1000 more than max_num, to prevent surprising changes in behavior
with max_num close to absolute_max.
Lastly, this commit fixes the previous inconsistency between a regular formset
and a model formset in the precedence of max_num and initial data. Previously
in a regular formset, if the provided initial data was longer than max_num, it
was truncated; in a model formset, all initial forms would be displayed
regardless of max_num. Now regular formsets are the same as model formsets; all
initial forms are displayed, even if more than max_num. (But if validate_max is
True, submitting these forms will result in a "too many forms" validation
error!) This combination of behaviors was chosen to keep the max_num validation
simple and consistent, and avoid silent data loss due to truncation of initial
data.
Thanks to Preston for discussion of the design choices.
2013-03-21 06:27:06 +00:00
|
|
|
* The ``validate_max`` parameter was added to ``BaseFormSet`` and
|
|
|
|
:func:`~django.forms.formsets.formset_factory`, and ``ModelForm`` and inline
|
|
|
|
versions of the same. The behavior of validation for formsets with
|
|
|
|
``max_num`` was clarified. The previously undocumented behavior that
|
|
|
|
hardened formsets against memory exhaustion attacks was documented,
|
|
|
|
and the undocumented limit of the higher of 1000 or ``max_num`` forms
|
|
|
|
was changed so it is always 1000 more than ``max_num``.
|
|
|
|
|
2013-03-26 15:44:26 +00:00
|
|
|
* Added ``BCryptSHA256PasswordHasher`` to resolve the password truncation issue
|
|
|
|
with bcrypt.
|
|
|
|
|
2013-05-15 02:31:16 +00:00
|
|
|
* `Pillow`_ is now the preferred image manipulation library to use with Django.
|
|
|
|
`PIL`_ is pending deprecation (support to be removed in Django 1.8).
|
|
|
|
To upgrade, you should **first** uninstall PIL, **then** install Pillow.
|
|
|
|
|
|
|
|
.. _`Pillow`: https://pypi.python.org/pypi/Pillow
|
|
|
|
.. _`PIL`: https://pypi.python.org/pypi/PIL
|
|
|
|
|
2013-05-18 12:13:00 +00:00
|
|
|
* :doc:`ModelForm </topics/forms/modelforms/>` accepts a new
|
|
|
|
Meta option: ``localized_fields``. Fields included in this list will be localized
|
|
|
|
(by setting ``localize`` on the form field).
|
|
|
|
|
2012-10-30 13:02:54 +00:00
|
|
|
Backwards incompatible changes in 1.6
|
|
|
|
=====================================
|
|
|
|
|
2013-03-11 11:04:29 +00:00
|
|
|
.. warning::
|
|
|
|
|
|
|
|
In addition to the changes outlined in this section, be sure to review the
|
|
|
|
:doc:`deprecation plan </internals/deprecation>` for any features that
|
|
|
|
have been removed. If you haven't updated your code within the
|
|
|
|
deprecation timeline for a given feature, its removal may appear as a
|
|
|
|
backwards incompatible change.
|
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
New transaction management model
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
2013-03-24 12:08:29 +00:00
|
|
|
Behavior changes
|
|
|
|
^^^^^^^^^^^^^^^^
|
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
Database-level autocommit is enabled by default in Django 1.6. While this
|
|
|
|
doesn't change the general spirit of Django's transaction management, there
|
|
|
|
are a few known backwards-incompatibities, described in the :ref:`transaction
|
|
|
|
management docs <transactions-upgrading-from-1.5>`. You should review your
|
|
|
|
code to determine if you're affected.
|
|
|
|
|
2013-03-24 12:08:29 +00:00
|
|
|
Savepoints and ``assertNumQueries``
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
|
|
|
|
|
|
The changes in transaction management may result in additional statements to
|
|
|
|
create, release or rollback savepoints. This is more likely to happen with
|
|
|
|
SQLite, since it didn't support savepoints until this release.
|
|
|
|
|
|
|
|
If tests using :meth:`~django.test.TestCase.assertNumQueries` fail because of
|
|
|
|
a higher number of queries than expected, check that the extra queries are
|
|
|
|
related to savepoints, and adjust the expected number of queries accordingly.
|
|
|
|
|
|
|
|
Autocommit option for PostgreSQL
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
In previous versions, database-level autocommit was only an option for
|
|
|
|
PostgreSQL, and it was disabled by default. This option is now :ref:`ignored
|
|
|
|
<postgresql-autocommit-mode>` and can be removed.
|
|
|
|
|
2013-05-11 03:08:45 +00:00
|
|
|
.. _new-test-runner:
|
|
|
|
|
|
|
|
New test runner
|
|
|
|
~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
In order to maintain greater consistency with Python's unittest module, the new
|
|
|
|
test runner (``django.test.runner.DiscoverRunner``) does not automatically
|
|
|
|
support some types of tests that were supported by the previous runner:
|
|
|
|
|
|
|
|
* Tests in ``models.py`` and ``tests/__init__.py`` files will no longer be
|
|
|
|
found and run. Move them to a file whose name begins with ``test``.
|
|
|
|
|
|
|
|
* Doctests will no longer be automatically discovered. To integrate doctests in
|
|
|
|
your test suite, follow the `recommendations in the Python documentation`_.
|
|
|
|
|
|
|
|
Django bundles a modified version of the :mod:`doctest` module from the Python
|
|
|
|
standard library (in ``django.test._doctest``) in order to allow passing in a
|
|
|
|
custom ``DocTestRunner`` when instantiating a ``DocTestSuite``, and includes
|
|
|
|
some additional doctest utilities (``django.test.testcases.DocTestRunner``
|
|
|
|
turns on the ``ELLIPSIS`` option by default, and
|
|
|
|
``django.test.testcases.OutputChecker`` provides better matching of XML, JSON,
|
|
|
|
and numeric data types).
|
|
|
|
|
|
|
|
These utilities are deprecated and will be removed in Django 1.8; doctest
|
|
|
|
suites should be updated to work with the standard library's doctest module (or
|
|
|
|
converted to unittest-compatible tests).
|
|
|
|
|
|
|
|
If you wish to delay updates to your test suite, you can set your
|
|
|
|
:setting:`TEST_RUNNER` setting to ``django.test.simple.DjangoTestSuiteRunner``
|
|
|
|
to fully restore the old test behavior. ``DjangoTestSuiteRunner`` is
|
|
|
|
deprecated but will not be removed from Django until version 1.8.
|
|
|
|
|
|
|
|
.. _recommendations in the Python documentation: http://docs.python.org/2/library/doctest.html#unittest-api
|
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
Addition of ``QuerySet.datetimes()``
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
When the :doc:`time zone support </topics/i18n/timezones>` added in Django 1.4
|
|
|
|
was active, :meth:`QuerySet.dates() <django.db.models.query.QuerySet.dates>`
|
|
|
|
lookups returned unexpected results, because the aggregation was performed in
|
|
|
|
UTC. To fix this, Django 1.6 introduces a new API, :meth:`QuerySet.datetimes()
|
|
|
|
<django.db.models.query.QuerySet.datetimes>`. This requires a few changes in
|
|
|
|
your code.
|
2013-03-03 14:55:11 +00:00
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
``QuerySet.dates()`` returns ``date`` objects
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
2013-03-03 14:55:11 +00:00
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
:meth:`QuerySet.dates() <django.db.models.query.QuerySet.dates>` now returns a
|
|
|
|
list of :class:`~datetime.date`. It used to return a list of
|
|
|
|
:class:`~datetime.datetime`.
|
2012-10-23 21:04:37 +00:00
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
:meth:`QuerySet.datetimes() <django.db.models.query.QuerySet.datetimes>`
|
|
|
|
returns a list of :class:`~datetime.datetime`.
|
2013-02-10 15:15:49 +00:00
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
``QuerySet.dates()`` no longer usable on ``DateTimeField``
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
2013-02-10 15:15:49 +00:00
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
:meth:`QuerySet.dates() <django.db.models.query.QuerySet.dates>` raises an
|
|
|
|
error if it's used on :class:`~django.db.models.DateTimeField` when time
|
|
|
|
zone support is active. Use :meth:`QuerySet.datetimes()
|
|
|
|
<django.db.models.query.QuerySet.datetimes>` instead.
|
2013-02-10 15:15:49 +00:00
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
``date_hierarchy`` requires time zone definitions
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
2013-02-10 15:15:49 +00:00
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
The :attr:`~django.contrib.admin.ModelAdmin.date_hierarchy` feature of the
|
|
|
|
admin now relies on :meth:`QuerySet.datetimes()
|
|
|
|
<django.db.models.query.QuerySet.datetimes>` when it's used on a
|
|
|
|
:class:`~django.db.models.DateTimeField`.
|
2013-02-10 15:15:49 +00:00
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
This requires time zone definitions in the database when :setting:`USE_TZ` is
|
|
|
|
``True``. :ref:`Learn more <database-time-zone-definitions>`.
|
2013-02-18 10:37:26 +00:00
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
``date_list`` in generic views requires time zone definitions
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
2013-01-28 13:12:56 +00:00
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
For the same reason, accessing ``date_list`` in the context of a date-based
|
|
|
|
generic view requires time zone definitions in the database when the view is
|
|
|
|
based on a :class:`~django.db.models.DateTimeField` and :setting:`USE_TZ` is
|
|
|
|
``True``. :ref:`Learn more <database-time-zone-definitions>`.
|
2013-01-20 18:07:10 +00:00
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
New lookups may clash with model fields
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
Django 1.6 introduces ``hour``, ``minute``, and ``second`` lookups on
|
|
|
|
:class:`~django.db.models.DateTimeField`. If you had model fields called
|
|
|
|
``hour``, ``minute``, or ``second``, the new lookups will clash with you field
|
|
|
|
names. Append an explicit :lookup:`exact` lookup if this is an issue.
|
|
|
|
|
2013-03-24 12:47:01 +00:00
|
|
|
``BooleanField`` no longer defaults to ``False``
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
When a :class:`~django.db.models.BooleanField` doesn't have an explicit
|
|
|
|
:attr:`~django.db.models.Field.default`, the implicit default value is
|
|
|
|
``None``. In previous version of Django, it was ``False``, but that didn't
|
2013-03-24 13:30:04 +00:00
|
|
|
represent accurately the lack of a value.
|
2013-03-24 12:47:01 +00:00
|
|
|
|
|
|
|
Code that relies on the default value being ``False`` may raise an exception
|
|
|
|
when saving new model instances to the database, because ``None`` isn't an
|
|
|
|
acceptable value for a :class:`~django.db.models.BooleanField`. You should
|
2013-03-24 13:30:04 +00:00
|
|
|
either specify ``default=False`` in the field definition, or ensure the field
|
|
|
|
is set to ``True`` or ``False`` before saving the object.
|
2013-03-24 12:47:01 +00:00
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
Translations and comments in templates
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
Extraction of translations after comments
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
|
|
|
|
|
|
Extraction of translatable literals from templates with the
|
|
|
|
:djadmin:`makemessages` command now correctly detects i18n constructs when
|
|
|
|
they are located after a ``{#`` / ``#}``-type comment on the same line. E.g.:
|
|
|
|
|
|
|
|
.. code-block:: html+django
|
2013-01-20 18:07:10 +00:00
|
|
|
|
|
|
|
{# A comment #}{% trans "This literal was incorrectly ignored. Not anymore" %}
|
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
Location of translator comments
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
|
|
|
|
|
|
Validation of the placement of :ref:`translator-comments-in-templates`
|
|
|
|
specified using ``{#`` / ``#}`` is now stricter. All translator comments not
|
|
|
|
located at the end of their respective lines in a template are ignored and a
|
|
|
|
warning is generated by :djadmin:`makemessages` when it finds them. E.g.:
|
2013-01-20 18:07:10 +00:00
|
|
|
|
2013-03-24 13:30:04 +00:00
|
|
|
.. code-block:: html+django
|
2013-01-20 18:07:10 +00:00
|
|
|
|
|
|
|
{# Translators: This is ignored #}{% trans "Translate me" %}
|
|
|
|
{{ title }}{# Translators: Extracted and associated with 'Welcome' below #}
|
|
|
|
<h1>{% trans "Welcome" %}</h1>
|
|
|
|
|
2013-03-18 20:52:16 +00:00
|
|
|
Quoting in :func:`~django.core.urlresolvers.reverse`
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
When reversing URLs, Django didn't apply :func:`~django.utils.http.urlquote`
|
|
|
|
to arguments before interpolating them in URL patterns. This bug is fixed in
|
|
|
|
Django 1.6. If you worked around this bug by applying URL quoting before
|
|
|
|
passing arguments to :func:`~django.core.urlresolvers.reverse`, this may
|
|
|
|
result in double-quoting. If this happens, simply remove the URL quoting from
|
|
|
|
your code.
|
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
Storage of IP addresses in the comments app
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
2013-02-24 12:20:41 +00:00
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
The :doc:`comments </ref/contrib/comments/index>` app now uses a
|
|
|
|
``GenericIPAddressField`` for storing commenters' IP addresses, to support
|
|
|
|
comments submitted from IPv6 addresses. Until now, it stored them in an
|
|
|
|
``IPAddressField``, which is only meant to support IPv4. When saving a comment
|
|
|
|
made from an IPv6 address, the address would be silently truncated on MySQL
|
|
|
|
databases, and raise an exception on Oracle. You will need to change the
|
|
|
|
column type in your database to benefit from this change.
|
2013-02-24 12:20:41 +00:00
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
For MySQL, execute this query on your project's database:
|
|
|
|
|
|
|
|
.. code-block:: sql
|
2013-02-24 12:20:41 +00:00
|
|
|
|
|
|
|
ALTER TABLE django_comments MODIFY ip_address VARCHAR(39);
|
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
For Oracle, execute this query:
|
2013-02-24 12:20:41 +00:00
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
.. code-block:: sql
|
2013-02-24 12:20:41 +00:00
|
|
|
|
|
|
|
ALTER TABLE DJANGO_COMMENTS MODIFY (ip_address VARCHAR2(39));
|
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
If you do not apply this change, the behaviour is unchanged: on MySQL, IPv6
|
|
|
|
addresses are silently truncated; on Oracle, an exception is generated. No
|
|
|
|
database change is needed for SQLite or PostgreSQL databases.
|
|
|
|
|
2013-04-05 12:15:30 +00:00
|
|
|
Percent literals in ``cursor.execute`` queries
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
When you are running raw SQL queries through the
|
|
|
|
:ref:`cursor.execute <executing-custom-sql>` method, the rule about doubling
|
|
|
|
percent literals (``%``) inside the query has been unified. Past behavior
|
|
|
|
depended on the database backend. Now, across all backends, you only need to
|
|
|
|
double literal percent characters if you are also providing replacement
|
|
|
|
parameters. For example::
|
|
|
|
|
|
|
|
# No parameters, no percent doubling
|
|
|
|
cursor.execute("SELECT foo FROM bar WHERE baz = '30%'")
|
|
|
|
|
|
|
|
# Parameters passed, non-placeholders have to be doubled
|
|
|
|
cursor.execute("SELECT foo FROM bar WHERE baz = '30%%' and id = %s", [self.id])
|
|
|
|
|
|
|
|
``SQLite`` users need to check and update such queries.
|
|
|
|
|
2013-03-17 10:05:41 +00:00
|
|
|
Miscellaneous
|
|
|
|
~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
* The ``django.db.models.query.EmptyQuerySet`` can't be instantiated any more -
|
|
|
|
it is only usable as a marker class for checking if
|
|
|
|
:meth:`~django.db.models.query.QuerySet.none` has been called:
|
|
|
|
``isinstance(qs.none(), EmptyQuerySet)``
|
|
|
|
|
|
|
|
* If your CSS/Javascript code used to access HTML input widgets by type, you
|
|
|
|
should review it as ``type='text'`` widgets might be now output as
|
|
|
|
``type='email'``, ``type='url'`` or ``type='number'`` depending on their
|
|
|
|
corresponding field type.
|
2013-02-24 12:20:41 +00:00
|
|
|
|
2013-04-18 18:38:07 +00:00
|
|
|
* Form field's :attr:`~django.forms.Field.error_messages` that contain a
|
|
|
|
placeholder should now always use a named placeholder (``"Value '%(value)s' is
|
|
|
|
too big"`` instead of ``"Value '%s' is too big"``). See the corresponding
|
|
|
|
field documentation for details about the names of the placeholders. The
|
|
|
|
changes in 1.6 particularly affect :class:`~django.forms.DecimalField` and
|
|
|
|
:class:`~django.forms.ModelMultipleChoiceField`.
|
|
|
|
|
2013-05-18 10:54:59 +00:00
|
|
|
* There have been changes in the way timeouts are handled in cache backends.
|
|
|
|
Explicitly passing in ``timeout=None`` no longer results in using the
|
|
|
|
default timeout. It will now set a non-expiring timeout. Passing 0 into the
|
|
|
|
memcache backend no longer uses the default timeout, and now will
|
|
|
|
set-and-expire-immediately the value.
|
|
|
|
|
2012-10-30 13:02:54 +00:00
|
|
|
Features deprecated in 1.6
|
|
|
|
==========================
|
2013-01-01 21:28:48 +00:00
|
|
|
|
2013-03-04 22:26:31 +00:00
|
|
|
Transaction management APIs
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
Transaction management was completely overhauled in Django 1.6, and the
|
|
|
|
current APIs are deprecated:
|
|
|
|
|
2013-03-06 10:12:24 +00:00
|
|
|
- ``django.middleware.transaction.TransactionMiddleware``
|
|
|
|
- ``django.db.transaction.autocommit``
|
|
|
|
- ``django.db.transaction.commit_on_success``
|
|
|
|
- ``django.db.transaction.commit_manually``
|
|
|
|
- the ``TRANSACTIONS_MANAGED`` setting
|
2013-03-04 22:26:31 +00:00
|
|
|
|
|
|
|
The reasons for this change and the upgrade path are described in the
|
|
|
|
:ref:`transactions documentation <transactions-upgrading-from-1.5>`.
|
|
|
|
|
2013-03-09 14:49:37 +00:00
|
|
|
``django.contrib.comments``
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
Django's comment framework has been deprecated and is no longer supported. It
|
|
|
|
will be available in Django 1.6 and 1.7, and removed in Django 1.8. Most users
|
|
|
|
will be better served with a custom solution, or a hosted product like Disqus__.
|
|
|
|
|
|
|
|
The code formerly known as ``django.contrib.comments`` is `still available
|
|
|
|
in an external repository`__.
|
|
|
|
|
|
|
|
__ https://disqus.com/
|
|
|
|
__ https://github.com/django/django-contrib-comments
|
|
|
|
|
2013-03-17 10:45:45 +00:00
|
|
|
Support for PostgreSQL versions older than 8.4
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
The end of upstream support periods was reached in December 2011 for
|
|
|
|
PostgreSQL 8.2 and in February 2013 for 8.3. As a consequence, Django 1.6 sets
|
|
|
|
8.4 as the minimum PostgreSQL version it officially supports.
|
|
|
|
|
|
|
|
You're strongly encouraged to use the most recent version of PostgreSQL
|
|
|
|
available, because of performance improvements and to take advantage of the
|
|
|
|
native streaming replication available in PostgreSQL 9.x.
|
|
|
|
|
2013-02-23 14:07:21 +00:00
|
|
|
Changes to :ttag:`cycle` and :ttag:`firstof`
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
The template system generally escapes all variables to avoid XSS attacks.
|
|
|
|
However, due to an accident of history, the :ttag:`cycle` and :ttag:`firstof`
|
|
|
|
tags render their arguments as-is.
|
|
|
|
|
|
|
|
Django 1.6 starts a process to correct this inconsistency. The ``future``
|
|
|
|
template library provides alternate implementations of :ttag:`cycle` and
|
|
|
|
:ttag:`firstof` that autoescape their inputs. If you're using these tags,
|
|
|
|
you're encourage to include the following line at the top of your templates to
|
|
|
|
enable the new behavior::
|
|
|
|
|
|
|
|
{% load cycle from future %}
|
|
|
|
|
|
|
|
or::
|
|
|
|
|
|
|
|
{% load firstof from future %}
|
|
|
|
|
|
|
|
The tags implementing the old behavior have been deprecated, and in Django
|
|
|
|
1.8, the old behavior will be replaced with the new behavior. To ensure
|
|
|
|
compatibility with future versions of Django, existing templates should be
|
|
|
|
modified to use the ``future`` versions.
|
|
|
|
|
|
|
|
If necessary, you can temporarily disable auto-escaping with
|
|
|
|
:func:`~django.utils.safestring.mark_safe` or :ttag:`{% autoescape off %}
|
|
|
|
<autoescape>`.
|
|
|
|
|
2013-01-01 21:28:48 +00:00
|
|
|
``SEND_BROKEN_LINK_EMAILS`` setting
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
:class:`~django.middleware.common.CommonMiddleware` used to provide basic
|
|
|
|
reporting of broken links by email when ``SEND_BROKEN_LINK_EMAILS`` is set to
|
|
|
|
``True``.
|
|
|
|
|
|
|
|
Because of intractable ordering problems between
|
|
|
|
:class:`~django.middleware.common.CommonMiddleware` and
|
|
|
|
:class:`~django.middleware.locale.LocaleMiddleware`, this feature was split
|
|
|
|
out into a new middleware:
|
|
|
|
:class:`~django.middleware.common.BrokenLinkEmailsMiddleware`.
|
|
|
|
|
|
|
|
If you're relying on this feature, you should add
|
|
|
|
``'django.middleware.common.BrokenLinkEmailsMiddleware'`` to your
|
|
|
|
:setting:`MIDDLEWARE_CLASSES` setting and remove ``SEND_BROKEN_LINK_EMAILS``
|
|
|
|
from your settings.
|
2013-01-25 19:50:46 +00:00
|
|
|
|
|
|
|
``_has_changed`` method on widgets
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
If you defined your own form widgets and defined the ``_has_changed`` method
|
|
|
|
on a widget, you should now define this method on the form field itself.
|
2013-02-05 09:16:07 +00:00
|
|
|
|
|
|
|
``module_name`` model meta attribute
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
``Model._meta.module_name`` was renamed to ``model_name``. Despite being a
|
|
|
|
private API, it will go through a regular deprecation path.
|
2013-03-08 14:15:23 +00:00
|
|
|
|
|
|
|
``get_query_set`` and similar methods renamed to ``get_queryset``
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
Methods that return a ``QuerySet`` such as ``Manager.get_query_set`` or
|
|
|
|
``ModelAdmin.queryset`` have been renamed to ``get_queryset``.
|
2013-03-14 19:28:24 +00:00
|
|
|
|
|
|
|
``shortcut`` view and URLconf
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
The ``shortcut`` view was moved from ``django.views.defaults`` to
|
2013-03-15 08:15:30 +00:00
|
|
|
``django.contrib.contenttypes.views`` shortly after the 1.0 release, but the
|
2013-03-14 19:28:24 +00:00
|
|
|
old location was never deprecated. This oversight was corrected in Django 1.6
|
|
|
|
and you should now use the new location.
|
|
|
|
|
|
|
|
The URLconf ``django.conf.urls.shortcut`` was also deprecated. If you're
|
|
|
|
including it in an URLconf, simply replace::
|
|
|
|
|
|
|
|
(r'^prefix/', include('django.conf.urls.shortcut')),
|
|
|
|
|
|
|
|
with::
|
|
|
|
|
2013-03-15 08:15:30 +00:00
|
|
|
(r'^prefix/(?P<content_type_id>\d+)/(?P<object_id>.*)/$', 'django.contrib.contenttypes.views.shortcut'),
|
2013-02-21 21:56:55 +00:00
|
|
|
|
|
|
|
``ModelForm`` without ``fields`` or ``exclude``
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
Previously, if you wanted a :class:`~django.forms.ModelForm` to use all fields on
|
|
|
|
the model, you could simply omit the ``Meta.fields`` attribute, and all fields
|
|
|
|
would be used.
|
|
|
|
|
|
|
|
This can lead to security problems where fields are added to the model and,
|
|
|
|
unintentionally, automatically become editable by end users. In some cases,
|
|
|
|
particular with boolean fields, it is possible for this problem to be completely
|
|
|
|
invisible. This is a form of `Mass assignment vulnerability
|
|
|
|
<http://en.wikipedia.org/wiki/Mass_assignment_vulnerability>`_.
|
|
|
|
|
|
|
|
For this reason, this behaviour is deprecated, and using the ``Meta.exclude``
|
|
|
|
option is strongly discouraged. Instead, all fields that are intended for
|
|
|
|
inclusion in the form should be listed explicitly in the ``fields`` attribute.
|
|
|
|
|
|
|
|
If this security concern really does not apply in your case, there is a shortcut
|
|
|
|
to explicitly indicate that all fields should be used - use the special value
|
|
|
|
``"__all__"`` for the fields attribute::
|
|
|
|
|
|
|
|
class MyModelForm(ModelForm):
|
|
|
|
class Meta:
|
|
|
|
fields = "__all__"
|
|
|
|
model = MyModel
|
|
|
|
|
|
|
|
If you have custom ``ModelForms`` that only need to be used in the admin, there
|
|
|
|
is another option. The admin has its own methods for defining fields
|
|
|
|
(``fieldsets`` etc.), and so adding a list of fields to the ``ModelForm`` is
|
|
|
|
redundant. Instead, simply omit the ``Meta`` inner class of the ``ModelForm``,
|
|
|
|
or omit the ``Meta.model`` attribute. Since the ``ModelAdmin`` subclass knows
|
|
|
|
which model it is for, it can add the necessary attributes to derive a
|
|
|
|
functioning ``ModelForm``. This behaviour also works for earlier Django
|
|
|
|
versions.
|
|
|
|
|
|
|
|
``UpdateView`` and ``CreateView`` without explicit fields
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
The generic views :class:`~django.views.generic.edit.CreateView` and
|
|
|
|
:class:`~django.views.generic.edit.UpdateView`, and anything else derived from
|
|
|
|
:class:`~django.views.generic.edit.ModelFormMixin`, are vulnerable to the
|
|
|
|
security problem described in the section above, because they can automatically
|
|
|
|
create a ``ModelForm`` that uses all fields for a model.
|
|
|
|
|
|
|
|
For this reason, if you use these views for editing models, you must also supply
|
|
|
|
the ``fields`` attribute, which is a list of model fields and works in the same
|
|
|
|
way as the :class:`~django.forms.ModelForm` ``Meta.fields`` attribute. Alternatively,
|
|
|
|
you can set set the ``form_class`` attribute to a ``ModelForm`` that explicitly
|
|
|
|
defines the fields to be used. Defining an ``UpdateView`` or ``CreateView``
|
|
|
|
subclass to be used with a model but without an explicit list of fields is
|
|
|
|
deprecated.
|